Trend Micro anti-virus zero-day exploited in attack on Mitsubishi Electric

Graham Cluley
@gcluley


Earlier last week, Japanese manufacturer Mitsubishi Electric disclosed that it had suffered a security breach in June last year, which saw hackers access personal employee information and corporate materials.

Local media reports related that the attackers – speculated to be members of a Chinese state-sponsored hacking group known as “Tick” – were able to exploit a zero-day vulnerability in one of the anti-virus products Mitsubishi Electric was using, Trend Micro’s OfficeScan.

Data stolen in the attack included almost 2000 employment applications, the results of an employee survey completed by 4,566 people, details on 1,569 Mitsubishi Electric staff who retired between 2007 and 2019, and corporate information including confidential technical documents and sales materials.

A ZDNet report suggests that the vulnerability exploited by Mitsubishi’s hackers was CVE-2019-18187, a directory traversal and arbitrary file upload vulnerability in Trend Micro OfficeScan that was fixed in October 2019.

Sign up to our newsletter
Security news, advice, and tips.

Trend Micro has previously boasted in its marketing materials that Mitsubishi Electric is one of its customers.

It’s obviously extremely embarrassing for any security company to be found to have played an unwitting part in a successful hack, but the truth is that any sophisticated piece of software is likely to have bugs – there’s nothing magic about anti-virus software that means it is somehow impervious to exploitation.

Other security firms would be wise not to show too much gloating at Trend Micro’s misfortune, as it could be them in the firing line next time.

The real culprits here are not the anti-virus company whose product was exploited by hackers, but the hackers themselves.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

One comment on “Trend Micro anti-virus zero-day exploited in attack on Mitsubishi Electric”

  1. Trend Micro OfficeScan to ApexOne upgrade should be done without delay. Also Trend Micro OfficeScan Product Update patch was not used. People need to keep the wheel running always in the security field.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.