“Deep irony”, as hackers use security vendor Bit9 to spread malware
Security vendor Bit9 has said it will release some details on a hack into the company’s systems, disclosed on Friday, which resulted in malicious code being installed on the networks of its customers.
Hackers gained access to Bit9’s code-signing certificate, which the company’s whitelisting software relies on to recognise legitimate programs, and used it to sign malware that was later found on the systems of three Bit9 customers, the company said.
Because the malicious code carried a valid Bit9 signature, Bit9’s own security software trusted it; it was only caught later by other security tools, Bit9 said.
The company has shared cryptographic hashes of the fraudulently signed files and will release further indicators, including network information, files and tactics, according to Bit9 chief technology officer Harry Sverdlove.
“For anyone who has ever been involved in an investigation of this type, you know that absolute or complete information is not always possible, so I can’t promise that every puzzle piece will be revealed,” Sverdlove wrote in a blog post on Saturday.
Sverdlove said the attack appeared to be a focused effort rather than a campaign to spread malware broadly. “We can only speculate, but we believe the attack on us was part of a larger campaign against a particular and narrow set of companies,” he wrote.
Bit9 says it has more than 1,000 customers, including large banking, energy, aerospace, military and US federal government organisations.
Following a report by security journalist Brian Krebs, Bit9 chief executive Patrick Morley disclosed the hack on Friday, stating that due to an “operational oversight” the company had failed to install its own product on “a handful” of its own computers.
“We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9,” Morley said in a blog post.
He emphasised that the weakness the hackers exploited lay in the protection of Bit9’s certificate servers, not in the Bit9 software itself.
Bit9 said it has now revoked the compromised certificate, deployed its own product on the certificate servers that had been left without it, and plans to issue an update to its software that will detect the malware used in the compromise.
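The mechanism behind the incident, and the response to it, can be shown in a few dozen lines: a whitelist that trusts a publisher's certificate will accept anything signed with that publisher's key, so a stolen key turns the whitelist into a pass for the attacker, and the fixes are to revoke the certificate and to denylist the hashes of the files that were fraudulently signed. The Go program below is an added illustration, not Bit9's code or any detail of its product. It stands in an ECDSA P-256 key for the vendor's code-signing certificate (Bit9's real scheme is not described on this page), uses placeholder publisher names, and signs constructed byte strings rather than real binaries.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Publisher is a code-signing identity; "vendor" below is a placeholder standing in for the Bit9 certificate.
type Publisher struct {
	Name string
	Key  *ecdsa.PrivateKey
}

// SignedBinary is a file plus the signature a publisher's key put on it.
type SignedBinary struct {
	Signer    string
	Content   []byte
	Signature []byte
}

// NewPublisher generates a fresh P-256 signing key for the named publisher.
func NewPublisher(name string) *Publisher {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Publisher{Name: name, Key: key}
}

// Sign hashes the content with SHA-256 and signs the digest with the publisher's key.
func (p *Publisher) Sign(content []byte) SignedBinary {
	digest := sha256.Sum256(content)
	sig, err := ecdsa.SignASN1(rand.Reader, p.Key, digest[:])
	if err != nil {
		panic(err)
	}
	return SignedBinary{Signer: p.Name, Content: content, Signature: sig}
}

// Policy is a whitelisting policy: a binary runs only if a trusted, unrevoked
// publisher signed it and its SHA-256 is not on the denylist.
type Policy struct {
	Trusted   map[string]*ecdsa.PublicKey
	Revoked   map[string]bool
	BadHashes map[string]bool // hex SHA-256 of known-bad files, as a vendor would share them
}

// Allow decides whether a binary may execute and says why.
func (pol *Policy) Allow(b SignedBinary) (bool, string) {
	digest := sha256.Sum256(b.Content)
	if pol.BadHashes[hex.EncodeToString(digest[:])] {
		return false, "hash on denylist"
	}
	if pol.Revoked[b.Signer] {
		return false, "signer certificate revoked"
	}
	pub := pol.Trusted[b.Signer]
	if pub == nil || !ecdsa.VerifyASN1(pub, digest[:], b.Signature) {
		return false, "unknown signer or signature does not verify"
	}
	return true, "signed by trusted publisher"
}

// RunScenario replays the incident on constructed inputs: the vendor signs its agent, the
// attacker signs malware with the same stolen key, and the policy is then updated.
func RunScenario() map[string]bool {
	res := map[string]bool{}
	vendor := NewPublisher("vendor")
	agent := vendor.Sign([]byte("constructed: legitimate vendor agent"))
	// The attacker holds the vendor's private key, so this signature is genuine.
	malware := vendor.Sign([]byte("constructed: malicious payload"))
	pol := &Policy{
		Trusted:   map[string]*ecdsa.PublicKey{vendor.Name: &vendor.Key.PublicKey},
		Revoked:   map[string]bool{},
		BadHashes: map[string]bool{},
	}
	res["agent_before"], _ = pol.Allow(agent)
	res["malware_before"], _ = pol.Allow(malware) // passes: the policy only asks who signed it
	// Response: revoke the compromised certificate and block the known-bad hash.
	pol.Revoked[vendor.Name] = true
	d := sha256.Sum256(malware.Content)
	pol.BadHashes[hex.EncodeToString(d[:])] = true
	res["agent_after"], _ = pol.Allow(agent) // collateral: the vendor's own file is blocked until re-signed
	res["malware_after"], _ = pol.Allow(malware)
	// Recovery: a reissued certificate, with the agent re-signed under it.
	reissued := NewPublisher("vendor-reissued")
	pol.Trusted[reissued.Name] = &reissued.Key.PublicKey
	res["agent_resigned"], _ = pol.Allow(reissued.Sign(agent.Content))
	return res
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Two points worth noticing. Revocation has a collateral cost: once the compromised certificate is revoked, the vendor's own legitimate software fails the policy too until it is re-signed under a new certificate, so the revocation has to ship together with re-signed binaries. And the hash denylist is not redundant with revocation: it blocks the known-bad files on endpoints the revocation has not yet reached, which is why the hashes of the fraudulently signed files are the first indicator shared after an incident of this kind.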
“The fact that this happened – even to us – shows that the threat from malicious actors is very real, extremely sophisticated, and that all of us must be vigilant,” Morley wrote. “We are confident that the steps we have taken will address this incident while preventing a similar issue from occurring again.”
All activity on the company’s systems is monitored by a security operation centre with full-time staff, he said, and Bit9 also submits to regular third-party audits.
Krebs, who first reported the hack, remarked that the malware involved was probably detected by traditional antivirus products of the sort that Bit9 competes against with its whitelisting tools.
“There may be deep irony in this attack,” Krebs wrote.
Last summer the Flame malware spread with the help of a fraudulently obtained certificate that chained up to a Microsoft root, letting it pass as legitimately signed Microsoft code. Flame is a cyber-espionage toolkit with a wide range of functionality, including intercepting web traffic, recording audio and taking screenshots; it is widely considered to be the product of a nation-state and has infected systems in Iran, Israel and elsewhere in the Middle East.
In March 2011 RSA said hackers, again believed to be sponsored by a nation-state, had breached its network and extracted information relating to its SecurID tokens, which generate one-time passcodes for logging into enterprise systems.