Bit9 hacked, its certificates stolen and used to sign malware
Bit9, a security firm that provides software reputation, application control and whitelisting services to companies in the financial, technology, government and other sectors, has announced on Friday that it has suffered a breach that resulted in three of its customers to be infected with malware.
“Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network. As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware,” explained Bit9’s Patrick Morley.
“There is no indication that this was the result of an issue with our product. Our investigation also shows that our product was not compromised. We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9.”
The company reacted by revoking the affected certificate, making sure that Bit9 is installed on all of its physical and virtual machines, and will be issuing a patch for its software that will automatically detect and stop the execution of any malware that illegitimately uses the compromised certificate.
Security experts have pointed out that this attack is similar to the one RSA experienced in March 2011, when the attackers were after information that would allow them to break the protection the company’s SecurID tokens offered to customers.
It is widely believed that the RSA hack was executed in order to make it possible to ultimately attack a slew of US military contractors. In the case of Bit9, it is still unknown which of their customers have been ultimately targeted.
Bit9 has been touting its whitelisting approach as the right solution for blocking targeted attacks with specially made malware, which is rarely stopped by anti-virus solutions currently offered on the market. Unfortunately for them, it has now been proven that every approach – even theirs – has weaknesses.
If this successful attack has shown anything, is that there is no one solution that will be effective against all threats, and that a multilayer approach to defense is a must in the current threat landscape.
It has also proven that even if you might consider your defenses to be adequate, those of your partners and collaborators might not be and can provide a wide enough hole in your perimeter to allow the attackers in.