Bit9 rocked by attackers who breach certificates and sign them as malware

News by Dan Raywood

Whitelisting technology vendor Bit9 was hacked at the end of Friday, with hackers accessing its code-signing certificates and enabling them to digitally sign malware to appear as legitimate files.

Whitelisting technology vendor Bit9 was hacked at the end of Friday, with hackers accessing its code-signing certificates and enabling them to digitally sign malware to appear as legitimate files.

According to a blog post on Friday by Bit9 CEO Patrick Morley, the attackers were able to turn Bit9's technology against them by getting a hold of the vendor's digital signatures and then delivering malware to a handful of customers that appeared to be on their trusted list of software.

He said: “Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network. As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware.

“There is no indication that this was the result of an issue with our product. Our investigation also shows that our product was not compromised.”

Its investigation found that only three unnamed customers were affected by the illegitimately signed malware. “Since we discovered this issue, we have been working closely with all of our customers to ensure they are no longer vulnerable to malware associated with the affected certificate,” he said.

Following the investigation, it said that it had revoked the affected certificate and acquired a new one, eliminated the operational issue that led to the illegal access to the certificate, and ensured Bit9 is installed on all of our physical and virtual machines. It will release a product patch to automatically detect and stop the execution of any malware that illegitimately uses the certificate.

Morley said: “While we (and we hope our customers) are comforted somewhat by the fact that this incident was not the result of an issue with our product, the fact that this happened—even to us—shows that the threat from malicious actors is very real, extremely sophisticated, and that all of us must be vigilant.

“We are confident that the steps we have taken will address this incident while preventing a similar issue from occurring again. We share a common goal with our customers:  defending against the malicious type of activity that caused this incident. We are committed to doing right by our customers and maintaining their full trust and confidence.”

Security blogger Brian Krebs, said: “There may be deep irony in this attack: While Bit9 has made a name for itself based on the reality that anti-virus software cannot keep up with the tens of thousands of new malware variants being unleashed on the internet each day [the company brags that Bit9 is the only security firm to stop both the Flame malware and the RSA breach attack, even before they were identified by traditional/legacy anti-virus companies], there is a better than even chance that the malware signed with Bit9's keys was first detected with traditional anti-virus products. But only time will tell how the initial discovery really played out.”

Security consultant Brian Honan said in a blog post that while it would be ironic if it was anti-virus software that detected the malware sent by Bit9, he said that this incident is a classic example of why relying on one technology to protect your network can be so risky.

“Should that technology fail then your whole security can be undermined.  This is commonly referred to a ‘brittle security', a term coined by Bruce Schneier. It also highlights a phrase I have used with my clients when highlighting the trust they place with staff, partners or vendors; ‘those you trust the most are the ones that can end up hurting you the most',” he said.

“The Bit9 breach is a classic illustration of those two statements in action. Bit9's security was breached because of an “operational oversight” they did not manage to use their own product on all of their systems. It also shows how attackers are now using the supply chain of high value targets to attempt to breach their networks. I have no doubt that this attack, similar to other attacks such as the one against RSA in 2011, was done to leverage the trust Bit9's customers placed in the Bit9 solution.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews