Anti-Virus Exploited During Mitsubishi Cyberattack

Hackers exploited a zero-day vulnerability in a popular anti-virus product during an attack on Mitsubishi Electric.

According to ZDNet, sources close to the ongoing investigation of the Mitsubishi Electric cyberattack have indicated that the attackers exploited a zero-day vulnerability in the popular anti-virus product Trend Micro OfficeScan.

In a press release published on its website, Mitsubishi Electric said it detected an intrusion on its network last year, on June 28th 2019. Reports suggest that the initial discovery was triggered by staff who found suspicious files on a server.

What is a Zero-Day?

A zero-day vulnerability is a software vulnerability that is being exploited before the vendor has released a fix for it, either because the vendor is unaware of it or because it has not yet been addressed. In this particular instance, Trend Micro released a software patch for the vulnerability (CVE-2019-18187) in October 2019, but for Mitsubishi Electric, whose network had been breached in June, this was already too late. Alongside the patch, Trend Micro also published a warning to customers stating that the vulnerability was being actively exploited by hackers in the wild.

Trend Micro Advisory

Who Was Responsible?

Initial reports suggest a Chinese hacking group was responsible, with Japanese media stating that the attack was the work of a Chinese state-backed hacking group called Tick. Tick, also tracked as Bronze Butler, is an Advanced Persistent Threat (APT) group that primarily targets organisations in Japan and South Korea.

Prevention is not the Cure

While organisations often rely primarily on preventative security controls, this attack further highlights the need for comprehensive detective measures. Adversaries craft attacks specifically to bypass preventative controls such as anti-virus, email filtering and firewalls; in this case the anti-virus product itself was the entry point. Without solid detection capabilities such as EDR and network monitoring, it is often impossible to identify an attack until it's too late.