SecurityWeek

Incident Response
Chinese Government Punishes Alibaba for Not Telling It First About Log4Shell Flaw: Report

China’s Ministry of Industry and Information Technology (MIIT) said it will temporarily suspend its collaboration with Alibaba Cloud as a cyber threat intelligence partner because the company did not inform the government first about the discovery of the Log4Shell vulnerability, according to local media reports.

The developers of Log4j were informed in late November by Alibaba’s cloud security team that the widely used logging utility had been affected by a critical vulnerability, which would later become known as Log4Shell and LogJam.

Officially tracked as CVE-2021-44228, the flaw can be exploited to gain complete control over vulnerable systems, and it has been exploited by both cybercriminals and state-sponsored threat groups, likely even before an official patch was released on December 6.

According to the South China Morning Post, which is owned by Alibaba, the Chinese government is displeased with the fact that it was not informed first about the Log4j vulnerability. As a result, the MIIT, which has been running a threat intelligence sharing platform since late 2019, said it would suspend work with Alibaba Cloud for six months, after which it will reassess whether the partnership should be resumed.

The publication, which cited local media reports, said the MIIT’s decision could have a negative impact on Alibaba’s business prospects.

A law passed this year in China requires all Chinese citizens who find zero-day vulnerabilities to pass the details to the government. While security flaws can be disclosed to the affected vendor, they cannot be sold or passed on to third parties outside of China.

However, the South China Morning Post clarified that Chinese companies are obligated to inform the government about vulnerabilities found in their own software, but companies are only “encouraged” to report flaws identified in other vendors’ products.

SecurityWeek has reached out to Alibaba for comment and will update this article if the tech giant responds.

It’s worth noting that among the groups that have been observed exploiting Log4Shell in their attacks, cybersecurity researchers have seen threat actors that are believed to be sponsored by the Chinese government.

The Belgian military this week confirmed a data breach resulting from Log4Shell exploitation, making it the first government organization to officially admit being hit by a Log4Shell attack.

In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive instructing federal agencies to mitigate the Log4j vulnerabilities by December 23.

In the meantime, more Log4j vulnerabilities have come to light. The latest is a high-severity denial-of-service flaw patched over the weekend with the release of version 2.17.0.

Related: Log4Shell Tools and Resources for Defenders – Continuously Updated

Related: China May Delay Vulnerability Disclosures For Use in Attacks

Related: $1.9 Million Paid Out for Exploits at China’s Tianfu Cup Hacking Contest

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
