[BreachExchange] Mitsubishi Electric Blames Anti-Virus Bug for Data Breach

Destry Winant destry at riskbasedsecurity.com
Wed Jan 22 10:08:05 EST 2020


https://www.databreachtoday.com/mitsubishi-electric-blames-anti-virus-bug-for-data-breach-a-13628

Mitsubishi Electric says hackers exploited a zero-day vulnerability in
its anti-virus software, prior to the vendor patching the flaw, and
potentially stole trade secrets and employee data.

The Japanese multinational firm's Monday announcement arrives more
than six months after the company says it first detected the breach on
June 28, 2019.

"We have confirmed that trade secrets may have been leaked to the
outside," Mitsubishi Electric says in a statement. "To date, no damage
or impact related to this case has been confirmed."

There's irony, of course, in a company falling victim to a data breach
because attackers exploited its security software. But security
researchers have continually warned that security software is like any
other software, in that it can contain unknown vulnerabilities that
hackers can sometimes exploit to their own advantage (see: Devastating
Flaw Found in Microsoft's AV Engine).

Mitsubishi Electric is one of Japan's largest companies, making a
broad range of products, including turbines and nuclear power and
satellite equipment. It also has a considerable consumer product line,
including air conditioners and LCD televisions.

Hackers Erased Log Files

The Japanese firm says that after it detected unauthorized access, it
restricted external access to its systems. But the resulting
investigation was hampered by a lack of log files, which the company
says "were erased by the hackers."

Mitsubishi Electric says data it believes was exposed during the
attack includes records belonging to 1,987 job applicants, employee
data for 4,566 new graduate recruitment applicants, information on
1,569 retired employees, as well as corporate-confidential technical
and sales materials.

The company says it started notifying breach victims via email and
postal mail on Monday.

Left unanswered by Mitsubishi Electric are the questions of what
anti-virus software the company uses, the timeline of the attack, and
how long it took the company to detect the intrusion after it
happened. Mitsubishi Electric didn't respond to a query from
Information Security Media Group.

But a case study from 2015 published by Trend Micro says that
Mitsubishi Electric Information Systems Corp., which oversees IT for
Mitsubishi Electric Group, used some of its products. Trend Micro
didn't respond to a request for comment.

As with every type of software, flaws sometimes crop up in Trend Micro
products that require patching. In January 2016, for example, the
company patched a flaw in one of its consumer products that it said
attackers could have exploited to run any code on a user's machine
(see: Yes Virginia, Even Security Software Has Flaws).

Mitsubishi Electric Has Used Trend Micro

According to the 2015 case study, products used by Mitsubishi Electric
Information Systems Corp. included OfficeScan, which is endpoint
detection software that uses multiple techniques - including machine
learning, reputation analysis and behavioral analysis - to detect
malware. The company also used Trend's Deep Discovery Email Inspector,
which aims to detect targeted attacks, including those using malicious
compressed files.

The case study describes Mitsubishi Electric's problem before using
Trend Micro's software as having "difficulty defending against
sophisticated email attacks disguised zero-day malware as legitimate
traffic from customers and suppliers."

The age of the case study, however, means that Mitsubishi Electric may
have long moved on from using Trend Micro's products. Also, large
companies tend to use a variety of security products, so the problem
could lie elsewhere.

Japanese national newspaper Asahi Shimbun reports that Mitsubishi
Electric believes that the gang behind the attack is affiliated with a
Chinese advanced persistent threat group called "Tick."

In November 2019, Trend Micro published a detailed report on Tick, aka
Bronzebutler or Rebaldknight. The report describes a campaign that
Trend Micro dubbed Endtrade, which ran throughout last year.

[Image: Trend Micro's timeline for Operation Endgame, which it believes
was carried out by a hacking group called Tick]

"Tick targets companies in defense, aerospace and satellite
industries, specifically those with head offices in Japan and
subsidiaries in China," Trend writes.

The group regularly practices spear phishing, meaning it often steals
email account credentials and then uses the compromised accounts to
send malware. Trend Micro notes that the group's emails are often
written in correct Japanese, and also that the attackers have
developed "new malware families capable of detection evasion for
initial intrusion."

In addition, Tick appears to have devoted time and resources to
finding ways to bypass Trend Micro software defenses. "They have also
incorporated techniques and mechanisms for detecting specific
cybersecurity products and processes, as well as attempt to terminate
a Trend Micro product's process," according to the security firm's
report.

Not a Timely Breach Notification

Mitsubishi Electric's data breach notification arrives more than six
months after the company says it detected the intrusion.

Legally, however, it appears to be in the clear. Law firm DLA Piper
says Japanese organizations aren't required to report data breaches to
the country's Personal Information Protection Commission or to
victims. But the PPC does recommend that organizations do so, and DLA
Piper writes that it is standard market practice to do so.

In April 2018, furthermore, Mitsubishi Electric pledged to follow
"timely and appropriate information disclosure" with regard to data
breaches.

[Image: Mitsubishi Electric's security operations center (Photo: Mitsubishi Electric)]

"In the unlikely event that valuable information or confidential
corporate information entrusted to us by others were to leak, this
would not only cost the trust and confidence invested in the company,"
it says. "The improper use of this information could also threaten
national, societal and individual security."

At some point, Mitsubishi Electric did inform the Japanese government
about the breach, Japan Times reports. According to the publication,
Chief Cabinet Secretary Yoshihide Suga said the company has "confirmed
there is no leak of sensitive information regarding defense equipment
and electricity."

Mitsubishi Electric has made recent moves to strengthen its
information security practices. In April 2019, the company created a
Product Security Incident Response Team, which handles security issues
with its products and services, according to its Information Security
Report, which was published in July 2019. The company's PSIRT also
runs a 24/7 security operations center.

