Earlier last week, Japanese manufacturer Mitsubishi Electric disclosed that it had suffered a security breach in June last year, which saw hackers access personal employee information and corporate materials.
Local media reports related that the attackers – speculated to be members of a Chinese state-sponsored hacking group known as “Tick” – were able to exploit a zero-day vulnerability in one of the anti-virus products Mitsubishi Electric was using, Trend Micro’s OfficeScan.
Data stolen in the attack included almost 2000 employment applications, the results of an employee survey completed by 4,566 people, details on 1,569 Mitsubishi Electric staff who retired between 2007 and 2019, and corporate information including confidential technical documents and sales materials.
A ZDNet report suggests that the vulnerability exploited by Mitsubishi’s hackers was CVE-2019-18187, a directory traversal and arbitrary file upload vulnerability in Trend Micro OfficeScan that was fixed in October 2019.
Trend Micro has previously boasted in its marketing materials that Mitsubishi Electric is one of its customers.
It’s obviously extremely embarrassing for any security company to be found to have played an unwitting part in a successful hack, but the truth is that any sophisticated piece of software is likely to have bugs – there’s nothing magic about anti-virus software that means it is somehow impervious to exploitation.
Other security firms would be wise not to show too much gloating at Trend Micro’s misfortune, as it could be them in the firing line next time.
The real culprits here are not the anti-virus company whose product was exploited by hackers, but the hackers themselves.