On April 21st, US-Japanese cybersecurity company Trend Micro disclosed that a threat actor are exploiting a known vulnerability in several of its antivirus products (Apex One, Apex One as a Service, OfficeScan XG SP1, Worry-Free Business Security, and Worry-Free Business Security Services) aimed at enterprise customers in order to gain administrator privileges on Windows systems.
Technical Detail & Additional Information
WHAT IS THE THREAT?
The vulnerability, tracked by NIST as CVE-2020-24557, was discovered last year by a researcher at Microsoft who privately reported the issue to Trend Micro. Trend Micro released patches for its affected products in August 2020 but recently discovered that a threat actor had exploited the vulnerability on customers who had not deployed the appropriate patches.
The vulnerability is caused by a flaw in the logic that controls access to the Misc folder, which can be exploited by an attacker to temporarily disable security features, escalate privileges, and execute code in the context of SYSTEM. While the bug cannot be used to break into systems, it can be used as one step in a multi-stage attack where an attacker has already obtained the ability to execute low-privileged code on the victim’s machine and is looking to take full control.
WHY IS IT NOTEWORTHY?
It is believed that the vulnerability was exploited by an advanced persistent threat (APT), a term that refers to state-sponsored cyber-espionage groups. CVE-2020-24557 is now the fourth vulnerability in this suite of Trend Micro products to have been exploited by an APT, the first three having been abused in 2019-2020 by a Chinese cyber-espionage group targeting Mitsubishi Electric. This incident provides an alarming data point in a pattern of attacks by state actors exploiting security products used by enterprise customers. Security products, perhaps unexpected sources of vulnerabilities to customers who use them to elevate their cybersecurity posture, are ideal targets for threat actors who seek to exploit their central and privileged positions in corporate networks; therefore, it is important to keep them patched and updated like any other software.
WHAT IS THE EXPOSURE OR RISK?
The vulnerability exists in Trend Micro Apex One, Apex One as a Service, OfficeScan XG SP1, Worry-Free Business Security, and Worry-Free Business Security Services products that have not been properly patched. Version 1909 (OS Build 18363.719) of Microsoft Windows 10 mitigates the exposure on the Windows side of the vulnerability, but previous versions may be affected.
WHAT ARE THE RECOMMENDATIONS?
SKOUT recommends implementing the following patches released by Trend Micro for their Apex One and Worry-Free Business Security products. These patches mitigate issues with hard link privilege escalation, out-of-bounds read information disclosure, and improper access control:
If you have any questions, please contact our Security Operations Center.