Bit9 attack took place five months before detection, company suspects larger campaign

News by Dan Raywood

It was five months before the intrusion at Bit9 was detected.

According to research by security blogger Brian Krebs, hackers breached Bit9 in July 2012, yet this was not discovered until January 2013.

After sharing the hashes of the 33 files that hackers had signed with the stolen certificate and searching for them on VirusTotal, the first match turned up a file called ‘media.exe’, which was compiled and then signed using Bit9's certificate on 13 July 2012. The other result was a Microsoft driver file for an SQL database server, which was compiled and signed with Bit9's certificate on 25 July 2012.

Bit9 revealed the attack in January, saying that hackers had accessed its code-signing certificates and used them to digitally sign malware so that it appeared to be legitimate files. Asked about the findings, Bit9 confirmed that the breach appears to have started last summer with the compromise of an internet-facing web server via an SQL injection attack.

Harry Sverdlove, Bit9's chief technology officer, told Krebs that while the company doesn't take any solace in the research, the good news "is they came after us because they weren't able to come after our customers directly".

Krebs said: “It's not clear why the attackers waited so long to use the stolen certificates, but in any case Bit9 says the unauthorised virtual machine remained offline from August through December, and was only turned on again in early January 2013.”

In a blog post, Sverdlove said that the company will share more intelligence at the right time, as the investigation is ongoing, and that it would not "share details that will compromise our customers or violate confidentiality, nor are we going to share details that will compromise our own security".

He said: “As members of the broader security community, we consider it our responsibility to provide information that can help others protect themselves, raise awareness and aid in any investigations.

“We can only speculate, but we believe the attack on us was part of a larger campaign against a particular and narrow set of companies. I hope we will be able to provide more insight into that so we can all better understand the nature of our cyber enemies.

“There is no easy answer to a world where there are sophisticated actors continuously targeting every company and individual and whose primary goal is to steal information, whether for profit, power or glory. This is not fear-mongering or hype—everyone in the security business knows this fact. This is the state of cyber security today, and we are all frustrated and angered by it.”

The company also announced that a product patch is available, which will automatically protect Bit9 customers from any malware illegitimately signed with the affected Bit9 certificate. This is available from the Bit9 Customer Portal.
