Bit9 Network Attacked, Technology Used to Spread Malware
Security vendor Bit9 revealed late last week that its corporate network had been attacked by intruders who used the company’s own technology to spread malware to its customers. In the attack, first reported at Krebs on Security and subsequently acknowledged by Bit9, some victimized Bit9 customers received malware digitally signed with the vendor’s code-signing keys, what the security vendor termed “illegitimately signed malware.”
In an ironic twist, Bit9’s security stock in trade is certifying safe software by clearing only those applications that companies want employees to run and barring everything else as potentially malicious. As described by Brian Krebs, Bit9 specializes in “application whitelisting,” basing its technology on the notion that anti-virus software cannot keep pace with the variations of malware flooding the Internet. Instead, the company’s whitelisting software blocks applications not approved by an organization but trusts anything carrying the Bit9 signature, which is precisely what the attackers exploited in the intrusion at the company itself.
With a little egg on its face, Bit9 said it failed to install its own software on some machines residing on its network. Three customers reported malware intrusions, said Patrick Morley, Bit9 president and chief executive, in a blog post.
“Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network,” wrote Morley. “As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware. There is no indication that this was the result of an issue with our product. Our investigation also shows that our product was not compromised.”
Morley acknowledged Bit9’s culpability in the attack. “We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9,” he wrote. “Our investigation indicates that only three customers were affected by the illegitimately signed malware. We are continuing to monitor the situation. While this is an incredibly small portion of our overall customer base, even a single customer being affected is clearly too many.”
As Krebs pointed out, there are widespread implications from this type of attack. Bit9’s customers include top aerospace and defense suppliers and some 20 federal, civilian, defense and intelligence agencies, according to the company’s website. By going after Bit9 directly, the attackers openly derided the vendor’s technology and exposed some weaknesses inherent in signature-based application whitelisting.
Morley said Bit9 is aggressively responding to the incident. “Since we discovered this issue, we have been working closely with all of our customers to ensure they are no longer vulnerable to malware associated with the affected certificate,” he wrote. He said the company has revoked the affected certificate and acquired a new one, eliminated the operational issue that led to the illegal access to the certificate, made sure the Bit9 technology is installed on all of the company’s physical and virtual machines, is finalizing a product patch to automatically block malware that illegitimately uses the certificate, and is proactively monitoring the Bit9 Software Reputation Service for hashes of the illegitimately signed malware.
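The weakness Krebs describes, and the remediations Morley lists, can be seen side by side in a small model of a whitelisting decision. The example below is added here and is not Bit9’s code; the publisher name, hashes and dates are constructed placeholders, not values from the incident. It contrasts a rule that trusts any binary carrying a trusted publisher’s signature with one that also honours a hash blocklist and a certificate compromise window.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed model of an application-whitelisting decision. Names, hashes and
# dates are illustrative placeholders, not values from the Bit9 incident.

@dataclass(frozen=True)
class Binary:
    sha256: str                    # hash of the executable
    signer: Optional[str]          # publisher named in the code signature, None if unsigned
    signed_at: Optional[datetime]  # trusted timestamp on the signature, None if absent

@dataclass
class Policy:
    trusted_publishers: set
    # signer -> moment the signing key is believed to have been exposed (revocation date)
    compromised_certs: dict = field(default_factory=dict)
    blocked_hashes: set = field(default_factory=set)   # hashes of known illegitimately signed files

def decide_publisher_only(b: Binary, p: Policy) -> str:
    """Weak rule: anything carrying a trusted publisher's signature runs."""
    return "allow" if b.signer in p.trusted_publishers else "deny"

def decide_hardened(b: Binary, p: Policy) -> str:
    """Hash blocklist first, then the certificate compromise window, then publisher trust."""
    if b.sha256 in p.blocked_hashes:
        return "deny"                      # known-bad file; the signature is irrelevant
    exposed_at = p.compromised_certs.get(b.signer)
    if exposed_at is not None:
        # Only signatures time-stamped before the key was exposed keep their trust;
        # an untimestamped signature cannot be placed before the compromise.
        if b.signed_at is None or b.signed_at >= exposed_at:
            return "deny"
    return decide_publisher_only(b, p)

POLICY = Policy(
    trusted_publishers={"Bit9"},
    compromised_certs={"Bit9": datetime(2012, 7, 1)},   # constructed date
    blocked_hashes={"c0ffee" * 10 + "c0ff"},            # constructed hash
)
LEGIT = Binary("a1" * 32, "Bit9", datetime(2012, 1, 15))      # product build signed before exposure
STOLEN_KEY = Binary("b2" * 32, "Bit9", datetime(2012, 8, 3))  # malware signed with the stolen key
KNOWN_BAD = Binary("c0ffee" * 10 + "c0ff", "Bit9", datetime(2012, 1, 20))  # reputation-service hash hit

def run_examples() -> dict:
    """Return (publisher-only, hardened) verdicts for each constructed binary."""
    return {name: (decide_publisher_only(b, POLICY), decide_hardened(b, POLICY))
            for name, b in [("legit", LEGIT), ("stolen_key", STOLEN_KEY), ("known_bad", KNOWN_BAD)]}

if __name__ == "__main__":
    for name, (weak, hard) in run_examples().items():
        print(f"{name:10s} publisher-only={weak:5s} hardened={hard}")
```

The publisher-only rule allows all three binaries; the hardened rule still allows the pre-compromise build but denies both the file signed during the compromise window and the file whose hash is on the blocklist.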
“While we (and we hope our customers) are comforted somewhat by the fact that this incident was not the result of an issue with our product, the fact that this happened—even to us—shows that the threat from malicious actors is very real, extremely sophisticated, and that all of us must be vigilant. We are confident that the steps we have taken will address this incident while preventing a similar issue from occurring again,” Morley wrote.