ZDNet reports that, according to unnamed sources close to the investigation, the recent hack of Mitsubishi Electric and the subsequent data leak were connected to the exploitation of a zero-day vulnerability in a Trend Micro antivirus product.
Let me remind you that last week it became known that Mitsubishi Electric, one of the world's largest manufacturers of electronics and electrical equipment, had been compromised. Although the incident occurred last year, on June 28, 2019, a formal internal investigation did not begin until September, and details of what happened were only recently disclosed.
Hackers stole confidential data from the company's internal network. In particular, they compromised “dozens of computers and servers in Japan and abroad,” from which they stole approximately 200 MB of files (mainly business documents and information about employees and job candidates).
Now that the hack has become public, the Japanese media have begun studying the situation. According to them, the intrusion began in Mitsubishi Electric's Chinese branch and then spread to 14 other divisions of the company. It was discovered after Mitsubishi Electric employees noticed a suspicious file on one of the servers. Japanese media also report that responsibility for the incident lies with the Chinese state-sponsored cyber-espionage group Tick.
So far, Mitsubishi Electric representatives have not commented on these new details, and the only known technical fact is that the hackers exploited a vulnerability in one of the antivirus products the company used. A source told ZDNet that the attackers used CVE-2019-18187, a directory traversal and arbitrary file upload vulnerability in Trend Micro OfficeScan.
This problem has already been fixed, but back in October last year Trend Micro developers wrote that the directory traversal vulnerability could be used to extract files from a ZIP archive into a folder on the OfficeScan server, which could potentially lead to remote code execution. Worse, Trend Micro warned its customers at the time that the vulnerability was already being actively exploited by hackers.
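The bug class Trend Micro describes, an archive whose member names climb out of the extraction folder, is easy to screen for before any file is written. The following is an added illustration, not code from ZDNet, Trend Micro or the advisory: it builds a constructed in-memory ZIP with one benign and one escaping member, flags the escaping name, and extracts only members whose resolved path stays inside the destination.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample archive (not the real attack payload): one ordinary
# member and one whose name walks out of the extraction directory.
SAMPLE_MEMBERS = {
    "reports/q2.txt": b"benign document\n",
    "../../outside.txt": b"would land two levels above the target folder\n",
}


def build_sample_archive() -> bytes:
    """Write the constructed members into an in-memory ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in SAMPLE_MEMBERS.items():
            zf.writestr(name, data)
    return buf.getvalue()


def is_unsafe_member(name: str) -> bool:
    """True if a member name could escape the destination: absolute path,
    Windows drive letter, or any '..' component. Backslashes are treated as
    separators because Windows extractors honour them too."""
    normalized = name.replace("\\", "/")
    if normalized.startswith("/"):
        return True
    parts = normalized.split("/")
    if len(parts[0]) >= 2 and parts[0][1] == ":":
        return True
    return ".." in parts


def scan_archive(archive_bytes: bytes) -> list:
    """Names of members a safe extractor must refuse (detection pass)."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [n for n in zf.namelist() if is_unsafe_member(n)]


def safe_extract(archive_bytes: bytes, dest: str):
    """Extract only members that resolve inside dest; returns (written, rejected).
    The realpath containment check is a second line of defence behind the
    name check, catching symlinked or oddly normalised paths."""
    dest_real = os.path.realpath(dest)
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            inside = os.path.commonpath([dest_real, target]) == dest_real
            if is_unsafe_member(info.filename) or not inside:
                rejected.append(info.filename)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
            written.append(os.path.relpath(target, dest_real).replace(os.sep, "/"))
    return written, rejected


def demo():
    """Run the safe extractor on the constructed archive in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_archive(), tmp)
```

Python's own `ZipFile.extractall` already strips `..` components, so the value here is the explicit name screening and containment check, which you can apply to any extractor or to archives arriving at an upload endpoint.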