The world’s largest software maker is warning that China-based nation state threat actors are taking advantage of a one-year-old law to “stockpile” zero-days for use in sustained malware attacks.
According to a new report released Friday by Microsoft, China’s government hacking groups have become “particularly proficient at discovering and developing zero-day exploits” after strict mandates around early vulnerability disclosure went into effect.
Microsoft made a direct connection between China’s vulnerability reporting regulation that went into effect September 2021 and a surge in zero-day attacks documented over the last two years.
“The increased use of zero days over the last year from China-based actors likely reflects the first full year of China’s vulnerability disclosure requirements for the Chinese security community and a major step in the use of zero-day exploits as a state priority,” Redmond said in the Microsoft Digital Defense Report 2022.
[ READ: Moussouris: U.S. Should Resist Urge to Match China Vuln Reporting ]
The Chinese regulation requires the reporting of vulnerabilities to a government authority for review prior to the vulnerability being shared with the product or service owner, providing a zero-day window for malicious exploitation.
“This new regulation might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponizing them,” Microsoft declared.
Microsoft documented multiple in-the-wild zero-day attacks linked to China’s state-backed hackers and noted that the time between the availability of security patches and exploitation continues to shrink rapidly.
“These examples of newly identified vulnerabilities demonstrate that organizations have on average 60 days from the time a vulnerability is patched and a proof of concept (POC) code is made available online, and often picked up by other actors for reuse,” Microsoft said, pointing to a handful of attacks against software from SolarWinds, Zoho, Confluence and Microsoft’s own Exchange Server product.
[ READ: New Law Will Help Chinese Government Stockpile Zero-Days ]
In the report, Microsoft acknowledges that the number of publicly disclosed zero-day vulnerabilities is the highest on record as malicious hackers — both nation state and criminal –become more skilled at finding and exploiting software bugs before the vendor is even aware of their existence.
So far this year, there have been at least 42 documented in-the-wild zero-day attacks against widely deployed software products, with Microsoft among the oft-targeted vendor list.
“We have observed a reduction in the time between the announcement of a vulnerability and the commoditization of that vulnerability,” the company said. “The commoditization of exploits is leading them to come at a much faster rate. Zero-day exploits are often discovered by other actors and reused broadly in a short period of time.”
Microsoft urged defenders to prioritize patching of zero-day vulnerabilities as soon as fixes are available and invest in tools to document and inventory all enterprise hardware and software assets to determine risk and to quickly determine when to act on patches.
Related: Moussouris: U.S. Should Resist Urge to Match China Vuln Reporting
Related: New Law Will Help Chinese Government Stockpile Zero-Days
Related: China May Delay Vulnerability Disclosures For Use in Attacks

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- VMware Plugs Critical Flaws in Network Monitoring Product
- Keep Aware Raises $2.4M to Eliminate Browser Blind Spots
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Microsoft Catches Chinese .Gov Hackers Targeting US Critical Infrastructure
- Researchers Spot APTs Targeting Small Business MSPs
- Mikrotik Belatedly Patches RouterOS Flaw Exploited at Pwn2Own
- Red Hat Pushes New Tools to Secure Software Supply Chain
Latest News
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- Google Introduces SAIF, a Framework for Secure AI Development and Use
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Democrats and Republicans Are Skeptical of US Spying Practices, an AP-NORC Poll Finds
