Various Chinese media outlets report that Alibaba Cloud is facing fallout from government regulators after reporting the Log4J vulnerability to Apache before reporting it to the Ministry of Industry and Information Technology (MIIT).
China regulator suspends cyber security deal with Alibaba Cloud https://t.co/6n1uZ1Rkg7
— Reuters China (@ReutersChina) December 23, 2021
According to 21st Century Business Herald, the Cyber Security Administration of the MIIT is suspending its information-sharing alliance with Alibaba Cloud for six months, specifically citing the failure to report Log4J on time as the reason.
Chen Zhaojun, a security engineer at Alibaba Cloud, was the first to uncover the Log4J vulnerability and notify Apache. He informed Apache on November 24, and a third party also reported the same issue to the MIIT.
According to The Protocol, China recently enacted a new law requiring all companies to report vulnerabilities (like Log4J) to state regulators within two days. The MIIT's action comes months after the Chinese government imposed stricter vulnerability disclosure regulations.
Alibaba was fined 18.2 billion yuan, and 33 other mobile apps have drawn objections from Beijing over their data collection policies. At the same time, Alibaba and Tencent have come under severe government scrutiny, while Didi has faced a major cybersecurity review.
The Belgian Defence Ministry recently suffered a cyberattack due to the Log4J vulnerability. Check Point, an Israeli security firm, confirmed that it had blocked over 4.3 million exploitation attempts so far, with 46% of those attempts made by known malicious groups.
According to Check Point:
“This vulnerability may cause the device to be remotely controlled, which will cause serious hazards such as theft of sensitive information and device service interruption,” the MIIT had previously said in a public statement published on December 17, adding that it was only made aware of the flaw on December 9, 15 days after the initial disclosure.
In September, the government launched “cyberspace security and professional vulnerability databases” for reporting security vulnerabilities in networks, mobile apps, industrial control systems, smart cars, IoT devices, and other internet products that threat actors could target.
In November, the Cyberspace Administration of China disclosed a new set of regulations that classify data and set out numerous penalties for breaches of cybersecurity policy.
The MIIT did confirm that it received a report about the issue from a third party rather than from Alibaba Cloud. Alibaba Cloud has declined to comment on the suspension.