
Crooks steal security firm’s crypto key, use it to sign malware

Bit9 compromise allowed malware to penetrate customers' defenses.


Hackers broke into the network of security firm Bit9 and used one of its cryptographic certificates to infect at least three of its customers with digitally signed malware, the company said on Friday afternoon.

The compromise is striking because Bit9's "application whitelisting" approach allows virtually all digitally signed software to run on customers' networks and PCs. Stealing one of its credentials and using it to sign malware all but guarantees it will get a free pass on the systems of customers who use the service. Bit9 is contracted to help secure the networks of the US government and a variety of Fortune 500 companies. The breach was first reported by KrebsonSecurity reporter Brian Krebs.

"Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network," CEO Patrick Morley wrote in a blog post. "As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware."

An investigation into the breach has revealed three customers were affected by the fraudulently signed malware. The stolen certificate has since been revoked so it can't be used to compromise other Bit9 customers. There's no indication that the company's whitelisting products themselves have been compromised, Morley said.
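The two mechanisms the article turns on, an allowlist that passes anything carrying a valid signature from a trusted publisher key and the revocation that closes the hole once a key is stolen, are modelled below in an added Go example. It is not Bit9's code or Bit9's actual product logic; the `Policy` type, the Ed25519 keys, the fingerprint scheme and the sample payload are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Policy is a hypothetical model of a signature-based allowlist: trusted
// publisher keys indexed by fingerprint, plus the set of fingerprints that
// have been revoked (what Bit9 had to do with the stolen certificate).
type Policy struct {
	Trusted map[string]ed25519.PublicKey
	Revoked map[string]bool
}

// Fingerprint derives a short identifier for a public key (constructed scheme).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Allow admits a binary only if a trusted, unrevoked key produced the signature.
// A true result says the binary was approved, not that it is benign.
func (p *Policy) Allow(binary, sig []byte, signer string) (bool, string) {
	pub, ok := p.Trusted[signer]
	if !ok {
		return false, "signer not in allowlist"
	}
	if p.Revoked[signer] {
		return false, "signer revoked"
	}
	if !ed25519.Verify(pub, binary, sig) {
		return false, "bad signature"
	}
	return true, "valid signature from trusted key"
}

// Demo walks the incident: a signature made with the publisher's key passes
// the allowlist; after the key's fingerprint is revoked, the same file is rejected.
func Demo() (beforeRevocation, afterRevocation bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	fp := Fingerprint(pub)
	p := &Policy{Trusted: map[string]ed25519.PublicKey{fp: pub}, Revoked: map[string]bool{}}
	sample := []byte("constructed sample payload, not a real binary")
	sig := ed25519.Sign(priv, sample) // signed with the (stolen) publisher key
	beforeRevocation, _ = p.Allow(sample, sig, fp)
	p.Revoked[fp] = true // revocation is the only control that stops the pass
	afterRevocation, _ = p.Allow(sample, sig, fp)
	return
}

func main() {
	fmt.Println(Demo()) // prints: true false
}
```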

While Morley attributed the compromise to an oversight in installing its product on a small number of PCs, the true cause is much broader. Code-signing keys are supposed to be kept in so-called hardware security modules (HSMs), special-purpose devices with their own cryptography-dedicated processor and protected key storage. These devices are generally segregated from the rest of a company's network to prevent the signing keys they store from being abused in the event of a breach. In November, Ars provided a detailed look at the lengths Symantec goes to secure its valuable signing keys for SSL encryption.

Morley's blog post provided no details about how Bit9's sensitive credentials were stored and whether those measures have been tightened following the breach. He also didn't say whether the Bit9 PCs that were infected were running antivirus software and whether the network was outfitted with other types of security protection, such as intrusion prevention systems. His explanation also smacks of PR shenanigans because it suggests Bit9's only mistake was failing to ensure its product was installed on all its computers. Bit9 marketers have long lauded their product as a superior security offering over antivirus protection.

It's not the first time crooks have abused the imprimatur of a widely trusted digital credential to validate malware. In September, Adobe Systems revoked one of its code signing certificates after hackers compromised a build server used to compile and package the company's applications. Victims who encountered the malware signed by the key received a cryptographically validated assurance that the software was a legitimate offering from Adobe, significantly increasing the chances that they'd be tricked into installing it.

Remember RSA hack?

The Bit9 compromise also has parallels to the 2011 breach of EMC security division RSA. There's no evidence that hackers in that attack considered RSA the primary target. Rather, they used the intrusion to steal proprietary data related to RSA SecurID tokens that millions of people use to log in to government and corporate networks. In the weeks following the attack, defense contractor Lockheed Martin said a breach of its network was aided by the theft of confidential RSA data.

In a similar vein, it seems likely that attackers targeted Bit9 to infect its customers' networks. The incident is an important reminder that there are significant limitations to the type of security service Bit9 provides.

"Whitelisting does not tell if software is benign, malicious, or even exploitable," said Randy Abrams, Research Director of NSS Labs, a firm that tests security products and writes analysis of security. "It tells you that the application was approved."

Story updated to change language describing NSS Labs in the last paragraph.
