Trend Micro anti-virus zero-day exploited in attack on Mitsubishi Electric

Earlier last week, Japanese manufacturer Mitsubishi Electric disclosed that it had suffered a security breach in June last year, which saw hackers access personal employee information and corporate materials.

Local media reports related that the attackers – speculated to be members of a Chinese state-sponsored hacking group known as “Tick” – were able to exploit a zero-day vulnerability in one of the anti-virus products Mitsubishi Electric was using, Trend Micro’s OfficeScan.

Data stolen in the attack included almost 2,000 employment applications, the results of an employee survey completed by 4,566 people, details on 1,569 Mitsubishi Electric staff who retired between 2007 and 2019, and corporate information including confidential technical documents and sales materials.

A ZDNet report suggests that the vulnerability exploited by the hackers who attacked Mitsubishi Electric was CVE-2019-18187, a directory traversal and arbitrary file upload vulnerability in Trend Micro OfficeScan that was fixed in October 2019.


Trend Micro has previously boasted in its marketing materials that Mitsubishi Electric is one of its customers.

It’s obviously extremely embarrassing for any security company to be found to have played an unwitting part in a successful hack, but the truth is that any sophisticated piece of software is likely to have bugs – there’s nothing magic about anti-virus software that means it is somehow impervious to exploitation.

Other security firms would be wise not to gloat too much at Trend Micro’s misfortune, as it could be them in the firing line next time.

The real culprit here is not the anti-virus company whose product was exploited, but the hackers themselves.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts.

One comment on “Trend Micro anti-virus zero-day exploited in attack on Mitsubishi Electric”

  1. RIYAD

    The Trend Micro OfficeScan to ApexOne upgrade should be done without delay. Also, the Trend Micro OfficeScan Product Update patch was not used. People need to keep the wheel running always in the security field.
