Mitsubishi Electric Blames Anti-Virus Bug for Data BreachHackers Exploited AV Software Zero-Day Vulnerability Before Vendor Patched Flaw
Mitsubishi Electric says hackers exploited a zero-day vulnerability in its anti-virus software, prior to the vendor patching the flaw, and potentially stole trade secrets and employee data.
The Japanese multinational firm's Monday announcement arrives more than six months after the company says it first detected the breach on June 28, 2019.
“We have confirmed that trade secrets may have been leaked to the outside,” Mitsubishi Electric says in a statement. “To date, no damage or impact related to this case has been confirmed.”
There’s irony, of course, in a company falling victim to a data breach because attackers exploited its security software. But security researchers have continually warned that security software is like any other software, in that it can contain unknown vulnerabilities that hackers can sometimes exploit to their own advantage (see: Devastating Flaw Found in Microsoft's AV Engine).
Mitsubishi Electric is one of Japan’s largest companies, making a broad range of products, including turbines and nuclear power and satellite equipment. It also has a considerable consumer product line, including air conditioners and LCD televisions.
Hackers Erased Log Files
The Japanese firm says that after it detected unauthorized access, it restricted external access to its systems. But the resulting investigation was hampered by a lack of log files, which the company says “were erased by the hackers.”
Mitsubishi Electric says data it believes was exposed during the attack includes records belonging to 1,987 job applicants, employee data for 4,566 new graduate recruitment applicants, information on 1,569 retired employees, as well as corporate-confidential technical and sales materials.
The company says it started notifying breach victims via email and postal mail on Monday.
Left unanswered by Mitsubishi Electric is the question of what anti-virus software the company uses, the timeline of the attack, or how long it took the company to detect the intrusion after it happened. Mitsubishi Electric didn’t respond to a query from Information Security Media Group.
But a case study from 2015 published by Trend Micro says that Mitsubishi Electric Information Systems Corp., which oversees IT for Mitsubishi Electric Group, used some of its products. Trend Micro didn’t respond to a request for comment.
As with every type of software, flaws sometimes crop up in Trend Micro products that require patching. In January 2016, for example, the company patched a flaw in one of its consumer products that it said attackers could have exploited to run any code on a user's machine (see: Yes Virginia, Even Security Software Has Flaws).
Mitsubishi Electric Has Used Trend Micro
According to the 2015 case study, products used by Mitsubishi Electric Information Systems Corp. included OfficeScan, which is endpoint detection software that uses multiple techniques - including machine learning, reputation analysis and behavioral analysis - to detect malware. The company also used Trend’s Deep Discovery Email Inspector, which aims to detect targeted attacks, including those using malicious compressed files.
The case study describes Mitsubishi Electric's problem before using Trend Micro’s software as having “difficulty defending against sophisticated email attacks disguised zero-day malware as legitimate traffic from customers and suppliers.”
The age of the case study, however, means that Mitsubishi Electric may have long moved on from using Trend Micro's products. Also, large companies tend to use a variety of security products, so the problem could lie elsewhere.
Japanese national newspaper Asahi Shimbun reports that Mitsubishi Electric believes that the gang behind the attack is affiliated with a Chinese advanced persistent threat group called “Tick.”
In November 2019, Trend Micro published a detailed report on Tick, aka Bronzebutler or Rebaldknight. The report describes a campaign that Trend Micro dubbed Endtrade, which ran throughout last year.
"Tick targets companies in defense, aerospace and satellite industries, specifically those with head offices in Japan and subsidiaries in China,” Trend writes.
The group regularly practices spear phishing, meaning it often steals email account credentials and then uses the compromised accounts to send malware. Trend Micro notes that the group's emails are often written in correct Japanese, and also that the attackers have developed “new malware families capable of detection evasion for initial intrusion.”
In addition, Tick appears to have devoted time and resources to finding ways to bypass Trend Micro software defenses. “They have also incorporated techniques and mechanisms for detecting specific cybersecurity products and processes, as well as attempt to terminate a Trend Micro product’s process,” according to the security firm's report.
Not a Timely Breach Notification
Mitsubishi Electric's data breach notification arrives more than six months after the company says it detected the intrusion.
Legally, however, it appears to be in the clear. Law firm DLA Piper says Japanese organizations aren’t required to report data breaches to the country's Personal Information Protection Commission or to victims. But the PPC does recommend that organizations do so, and DLA Piper writes that it is standard market practice to do so.
In April 2018, furthermore, Mitsubishi Electric pledged to follow “timely and appropriate information disclosure” in regards to data breaches.
“In the unlikely event that valuable information or confidential corporate information entrusted to us by others were to leak, this would not only cost the trust and confidence invested in the company,” it says. “The improper use of this information could also threaten national, societal and individual security.”
At some point, Mitsubishi Electric did inform the Japanese government about the breach, Japan Times reports. According to the publication, Chief Cabinet Secretary Yoshihide Suga said the company has “confirmed there is no leak of sensitive information regarding defense equipment and electricity.”
Mitsubishi Electric has made recent moves to strengthen its information security practices. In April 2019, the company created a Product Security Incident Response Team, which handles security issues with its products and services, according to its Information Security Report, which was published in July 2019. The company's PSIRT also runs a 24/7 security operations center.