Hackers tried to exploit two zero-days in Trend Micro antivirus products, the company said in a security alert this week.
The Japanese antivirus maker has released patches on Monday to address the two zero-days, along with three other similarly critical issues (although, not exploited in the wild).
According to the alert, the two zero-days impact the company’s Apex One and OfficeScan XG enterprise security products.
Trend Micro did not release any details about the attacks.
These two zero-days mark the second and third Trend Micro antivirus bugs exploited in the wild in the last year.
In the summer of 2019, Chinese state-sponsored hackers used a Trend Micro OfficeScan zero-day (CVE-2019-18187) in an attack on Japanese electronics firm Mitsubishi Electric.
It is unclear if the two zero-days disclosed this week are related to last year’s zero-day or if they’re being exploited by the same hacker group (known as Tick).
Zero-day details
Per Trend Micro’s security bulletin, the two zero-days are:
1. CVE-2020-8467: CVSS 9.1 (CRITICAL) – A migration tool component of Trend Micro Apex One and OfficeScan contains a vulnerability which could allow remote attackers to execute arbitrary code on affected installations (RCE). An attempted attack requires user authentication.
2. CVE-2020-8468: CVSS 8.0 (HIGH) – Trend Micro Apex One and OfficeScan agents are affected by a content validation escape vulnerability which could allow an attacker to manipulate certain agent client components. An attempted attack requires user authentication.
The only thing we can glean from the details above is that the zero-days required hackers to have valid credentials for a victim’s workstations, which means they were most likely deployed in a post-compromise scenario after hackers had already infiltrated a company’s internal network.
The two zero-days were most likely used to either disable the security products or elevate the attackers’ privileges on machines running the two Trend Micro antivirus products.
Three other major issues
However, despite being exploited in live attacks, the two zero-days were not the worst bugs detailed in Trend Micro recent security bulletin.
The company also warned about the presence of three other vulnerabilities, all of which received a severity rating of 10 out of 10 on the CVSSv3 vulnerability scale.
According to this rating, these vulnerabilities can be exploited remotely over the internet, require no authentication, and allow full control over the antivirus (and inherently the underlying operating system). Per Trend Micro, the three issues that also need just as much attention as the two zero-days are:
3. CVE-2020-8470: CVSS 10 (CRITICAL) – Trend Micro Apex One and OfficeScan server contains a vulnerable service DLL file that could allow an attacker to delete any file on the server with SYSTEM level privileges. Authentication is not required to exploit this vulnerability.
4. CVE-2020-8598: CVSS 10 (CRITICAL) – Trend Micro Apex One and OfficeScan server contains a vulnerable service DLL file that could allow a remote attacker to execute arbitrary code on affected installations with SYSTEM level privileges. Authentication is not required to exploit this vulnerability.
5. CVE-2020-8599: CVSS 10 (CRITICAL) – Trend Micro Apex One and OfficeScan server contain a vulnerable EXE file that could allow a remote attacker to write arbitrary data to an arbitrary path on affected installations and bypass ROOT login. Authentication is not required to exploit this vulnerability.
Trend Micro credited its own researchers for discovering the two zero-days and the three other vulnerabilities.
The company began paying closer attention to bugs in its products after Chinese hackers exploited its antivirus in the Mitsubishi Electric hack last year.
These efforts culminated last month, in February 2020, when Trend Micro announced it was interested in acquiring bug reports for vulnerabilities in three of its major antivirus products (Apex One, OfficeScane, Deep Security) from independent researchers via its Zero-Day Initiative bug acquisition platform.