Hacking victim Bit9 blames SQL injection flaw

The company's breach came after it failed to install its own security software
  • Jeremy Kirk (IDG News Service)
  • — 26 February, 2013 02:47

Bit9 said a common Web application vulnerability was responsible for allowing hackers to ironically use the security vendor's systems as a launch pad for attacks on other organizations.

Based in Waltham, Massachusetts, the company sells a security platform that is designed in part to stop hackers from installing their own malicious software. In an embarrassing admission, Bit9 said earlier this month that it neglected to install its own software on a part of its network, which lead to the compromise.

In a more detailed explanation on its blog on Monday, Bit9 said attackers gained access by exploiting a SQL injection flaw in one of its Internet-facing Web servers. A SQL injection flaw can allow a hacker to enter commands into a web-based form and get the backend database to respond.

The compromise happened around July 2012, wrote Bit9's CTO Harry Sverdlove. Once inside Bit9, the hackers accessed a virtual machine used to digitally sign code for Bit9, a security measure that verifies the company's code is legitimate.

The compromised server was shut down for about six months, but was brought back online in January. Bit9 then discovered the problem. "We took immediate containment and remediation steps, revoked the certificate in question and reached out to our entire customer base," Sverdlove wrote.

The hackers used Bit9's certificate to sign 32 of their own malicious files and scripts. Sverdlove described some of the malware as backdoors with the names "HiKit" and "HomeUNIX."

With Bit9's certificate, the malware would look legitimate to other security software. As its investigation unfolded, Bit9 found that the hackers planted the malware on other websites, constructing what is known as a drive-by-download attack.

That attack would exploit users running outdated versions of Oracle's Java software, which had been found to contain numerous vulnerabilities in recent months.

"We believe the attackers inserted a malicious Java applet onto those sites that used a vulnerability in Java to deliver additional malicious files, including files signed by the compromised certificate," Sverdlove wrote.

All told, three Bit9 customers were attacked, but Sverdlove did not reveal their names. More than 1,000 companies use Bit9's software, including Fortune 500 companies in banking, energy, aerospace and defense and U.S. federal government agencies.

Sverdlove wrote that the attacks appeared to be designed to "infiltrate select US organizations in a very narrow market space." Utilities, banks and government entities were not affected, he wrote.

Once the malware was installed, it communicated with servers on IP ranges belonging to network providers including New Century InfoComm Tech Co., Ltd. of Taiwan, the Asia Pacific Network Information Centre in South Brisbane, Australia, and Sparkstation in Singapore.

Bit9 said its product code was not affected, but it is reviewing its entire code base. The company also is undergoing a security audit and "addressed the errors that led to the compromise," Sverdlove wrote.

"While we believe Bit9 is the most effective protection you can have on your endpoints, I've always said there is no silver bullet to security," he wrote. "This incident has only fortified what we already knew...the enemy is persistent, sophisticated and motivated.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Tags: intrusion, security, Bit9, Exploits / vulnerabilities, malware

Turkey’s ISPs hijack Google’s DNS service, killing bypass for Twitter, YouTube ban

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Security Risk Management Solutions

Protect resources and ensure security compliance through incident detection, response, and remediation.

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.