Bit9 says network hacked, blames itself

Bit9 disclosed Friday that hackers had stolen digital code-signing certificates from its network and dropped malware in the systems of three customers, demonstrating how the weakest link in a security chain can sometimes be the security vendor.

Bit9 sells technology that prevents any application that is not on a whitelist of approved software from being installed on a customer's computer system. The hackers apparently decided to get around this normally effective mechanism by going after the vendor itself.

The criminals took advantage of an "operational oversight" in which the vendor had failed to install its own product on a handful of computers within its network. "As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware," Bit9 Chief Executive Patrick Morley said in a blog post.

Bit9 said it found no weaknesses in its product, which it said was not compromised. Nevertheless, with the certificate in hand, the criminals were able to sign their malware and install it at three Bit9 customers, the vendor said. Bit9 did not identify the customers.

More than 1,000 organizations worldwide use Bit9 technology, including banks, retailers, energy and defense companies and federal agencies. More than two dozen of its customers are Fortune 500 companies.

Bit9, which declined comment, did not say how the hackers penetrated its networks. However, the company took responsibility for the security breach. "We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9," Morley said.

The company took a number of steps to close the vulnerability. First, it revoked the stolen certificate and acquired a new one. It also installed its product on all its systems and is monitoring its whitelisting service for hashes from the illegitimately signed malware.


Jeremiah Grossman, founder and chief technology officer for website security company WhiteHat Security, said the hackers most likely tried and failed to penetrate the networks of Bit9 customers before turning their attention to the vendor itself.

"The weakest point in the chain is not their product. It's Bit9 the company," Grossman said. "That actually syncs up with what we see in the SSL certificate authority world. Bad guys have difficulty breaking SSL certificates on their own, so they go and target the certificate authority directly."

Stolen code-signing certificates have been used many times in malware before. The infamous Stuxnet malware discovered in 2010 used fraudulent certificates in gaining access to Iranian nuclear facilities. Last year, security companies identified multiple malware threats that used stolen certificates to bypass Windows defenses.

Peter Firstbrook, an analyst at Gartner, said Bit9 technology could be used to block malware that contains the certificates. "It is just more time consuming," he said in an email.

Nevertheless, the theft highlights why organizations that need very high security should not trust certificates by themselves. "They have to verify the source of the code and identify it with a hash," Firstbrook said.
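As an added illustration of Firstbrook's point (this is example code, not Bit9's product or policy logic), the following Python contrasts a certificate-only allow rule with a hash-anchored one on constructed sample files; the certificate serial, file contents and the modelled signature check are all placeholders.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Binary:
    name: str
    content: bytes
    signer_serial: str | None   # serial of the signing certificate, None if unsigned
    signature_valid: bool       # outcome of a (modelled) signature check

@dataclass
class Policy:
    trusted_serials: set[str]   # publishers whose certificates are trusted
    approved_hashes: set[str]   # SHA-256 of known-good builds only
    revoked_serials: set[str] = field(default_factory=set)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def allowed_by_publisher(b: Binary, p: Policy) -> bool:
    """Certificate-only rule: any validly signed file from a trusted,
    unrevoked certificate may run. Malware signed with a stolen cert passes."""
    return (b.signature_valid
            and b.signer_serial in p.trusted_serials
            and b.signer_serial not in p.revoked_serials)

def allowed_by_hash(b: Binary, p: Policy) -> bool:
    """Hash-anchored rule: the signature must check out *and* the file
    itself must be a known-good artefact identified by its hash."""
    return allowed_by_publisher(b, p) and sha256(b.content) in p.approved_hashes

def demo() -> dict[str, tuple[bool, bool]]:
    """Return {case: (publisher_rule, hash_rule)} for constructed sample files."""
    good = b"constructed legitimate agent build"   # constructed content
    evil = b"constructed malware body"             # constructed content
    p = Policy(trusted_serials={"VENDOR-CERT-0001"},      # placeholder serial
               approved_hashes={sha256(good)})
    cases = [
        Binary("legit-build", good, "VENDOR-CERT-0001", True),
        Binary("malware-signed-with-stolen-cert", evil, "VENDOR-CERT-0001", True),
        Binary("malware-unsigned", evil, None, False),
    ]
    out = {b.name: (allowed_by_publisher(b, p), allowed_by_hash(b, p)) for b in cases}
    # Once the stolen certificate is revoked, the cert-only rule closes as well,
    # but only for checks made after the revocation reaches the endpoint.
    p.revoked_serials.add("VENDOR-CERT-0001")
    out["malware-signed-after-revocation"] = (allowed_by_publisher(cases[1], p),
                                               allowed_by_hash(cases[1], p))
    return out
```

The middle case is the one the article describes: a valid signature from a trusted certificate is enough for the publisher rule, but the unknown hash stops it under the hash rule even before any revocation happens.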


Stories by Antone Gonsalves
