The Japanese electronics giant Mitsubishi Electric disclosed a hack last week. It now turns out that the attackers exploited a vulnerability in their antivirus program for the attack. Specifically, they exploited a zero-day bug in the Trend Micro OfficeScan antivirus.
Mitsubishi Electric Hack Last Year
The Japanese vendor Mitsubishi Electric declared a network hack last week in a press release. As revealed at the time (through the translated version of the press release), their network suffered the attack in June 2019. As a result, their system exposed data to the attackers, including “personal information and corporate confidential information”. They did specify that the incident did not expose any important data relating to business partners. However, they did not reveal much technical detail about the incident.
Then in an updated press release, they confirmed that the incident occurred due to unauthorized access to their network and may have leaked some “trade secrets”.
According to the (translated version of) the press release, some 200 MB of files was exposed that included data such as employment applicant information (1987 people), employee information (4566 people), and data related to retired employees of affiliate companies (1569 people). It also included some corporate data such as “technical material, sales materials, etc.”.
Furthermore, they also explained the cause behind the attack, which turned out to be a bug in their antivirus. As stated (translated),
The third (party) that exploited the vulnerability before the release of the security patch of the antivirus system used by our company.
This is due to unauthorized access by the user.
About Trend Micro Bug
Recently, ZDNet revealed that the attackers may have exploited a zero-day vulnerability (CVE-2019-18187) in the Trend Micro OfficeScan antivirus. It was a serious directory traversal vulnerability affecting the Trend Micro OfficeScan 11.0 SP1 and XG that could allow remote code execution. As described in their advisory:
Affected versions of OfficeScan could be exploited by an attacker utilizing a directory traversal vulnerability to extract files from an arbitrary zip file to a specific folder on the OfficeScan server, which could potentially lead to remote code execution (RCE). The remote process execution is bound to a web service account, which depending on the web platform used may have restricted permissions. An attempted attack requires user authentication.
Trend Micro also confirmed “attempts of potential attacks against this vulnerability”, thus urging customers to update if they are running the vulnerable software.
It seems likely that the attackers had exploited the Trend Micro antivirus program bug to hack Mitsubishi systems. Nonetheless, official comments on this speculation are yet to arrive.
Let us know your thoughts in the comments.