The whitelisting security vendor's CEO, Patrick Morley, late Friday announced via a blog post that the company had suffered a breach that exposed one of its digital code-signing certificates to the attackers, who then used it to sign malware, affecting three of its customers. Morley said an "operational oversight" led to the breach, with a handful of computers on its network running without the company's own product.
"We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9," he said. "There is no indication that this was the result of an issue with our product. Our investigation also shows that our product was not compromised." The company has revoked the compromised certificate and issued a new one.
Bit9 plans to issue a patch to automatically detect and stop execution of any malware that uses the phony certificate, and is monitoring its Software Reputation Service for hashes from that malware. The breach follows that of RSA two years ago, of certificate authorities such as DigiNotar and Comodo, as well as the Flame cyberespionage malware's attack on weak encryption used in Microsoft's Terminal Services, which led to the creation of rogue digital certificates posing as Microsoft-signed ones.
Security vendors -- like defense contractors, the financial services industry, and, now, the media -- are in the bull's-eye of targeted attack campaigns as well. That should come as no surprise, since their technology, if compromised, can be used to help hack into their customers' networks. So, like other vertical industries, security vendors need to band together and fight back by sharing the attack information they gather from their own experiences, security experts say, even if doing so means giving up a little competitive edge.
"When an industry as a whole is under attack, it needs to be rethinking these priorities," says Scott Crawford, managing research director at Enterprise Management Associates. "The security industry really needs to take a page from" the financial services industry's formalized intelligence-sharing, for example, he says.
"Security and technology vendors are going to be compromised," says Crawford, who also blogged today that security vendors as a whole need to respond to this threat against them.
Some security vendors already do share information about attacks they have experienced or deflected -- but it's a mostly ad-hoc and fairly limited process. Websense, for example, is a member of several vetted lists and forums where vendors share information, says Chris Astacio, manager of security research for Websense.
"A certain amount of research and information gets shared [this way]," Astacio says. "These types of supply-chain attacks where security companies are attacked so the [attacker] can then take on a customer of theirs should garner the same amount of research and sharing of research" as malware research does.
Astacio says security vendors should band together in the face of targeted attack campaigns against their industry much like other vertical industries do. Attacks such as that of Bit9 and others demonstrate how advanced persistent threat (APT) actors are trying to get the goods from their ultimate targets via their security suppliers, he says. "They are going to be more brazen and brash," Astacio says.
The time has come for the security vendor community to step up and acknowledge the problem, security experts say. "Just because you're a security company doesn't mean you're immune or have a magic force field anyone can't get through," says Brian Honan of BH Consulting and a member of the Irish CERT. "You need to make sure you can't be used as a point to attack your clients because they trust you to keep them secure ... Bit9 didn't have their own software installed on their computers: That's a glaring issue."
More than likely Bit9 is not the only security company under attack right now, experts say. "If these are motivated attackers, they are not going to stop," Honan says. "They will just move on to the next target and opportunity and see how they can leverage it."
Bit9 didn't share many details of the impact on the three customers that received the signed malware, but the Bit9 digital signature could have allowed that malware to pass as a Bit9-whitelisted application.
"So the malware would be recognized and accepted by the client's machine as legitimate, and it would then install malware on those machines," says Honan, who posted a blog today on lessons learned from the breach. "Then it would give the attackers remote access to those machines and some way to control those machines, and use them to maybe attack further."
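To make that failure mode concrete, here is a small allowlist policy simulator written for this page (not Bit9's or any product's code) using constructed binaries, hashes and certificate thumbprints. It shows why a publisher-trust rule approves anything signed with a stolen certificate, and how revoking the certificate plus a hash denylist, the two response steps the article describes, blocks the malware while a hash-approved legitimate agent keeps running.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed thumbprint standing in for the vendor's code-signing certificate.
VENDOR_CERT = "THUMB-VENDOR-CODESIGN-01"

@dataclass
class Binary:
    name: str
    content: bytes
    signer: str  # thumbprint of the signing certificate, "" if unsigned

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

@dataclass
class Policy:
    approved_hashes: set = field(default_factory=set)
    trusted_publishers: set = field(default_factory=set)
    revoked_publishers: set = field(default_factory=set)
    denied_hashes: set = field(default_factory=set)

    def decide(self, b: Binary) -> tuple:
        # A hash ban beats every approval; an explicit hash approval survives
        # revocation, but a revoked cert loses its publisher-trust path.
        if b.sha256 in self.denied_hashes:
            return False, "hash on denylist"
        if b.sha256 in self.approved_hashes:
            return True, "hash approved"
        if b.signer in self.revoked_publishers:
            return False, "signer certificate revoked"
        if b.signer in self.trusted_publishers:
            return True, "trusted publisher"
        return False, "not on whitelist"

def respond_to_certificate_theft(policy: Policy, known_bad) -> None:
    """Revoke the stolen certificate and deny the hashes of malware signed with it."""
    policy.trusted_publishers.discard(VENDOR_CERT)
    policy.revoked_publishers.add(VENDOR_CERT)
    policy.denied_hashes.update(b.sha256 for b in known_bad)

# Constructed samples: the legitimate agent and a malware sample, both signed with the stolen cert.
AGENT = Binary("agent.exe", b"legit agent build 7", VENDOR_CERT)
MALWARE = Binary("update.exe", b"dropper payload", VENDOR_CERT)

def run_scenario() -> dict:
    policy = Policy(trusted_publishers={VENDOR_CERT}, approved_hashes={AGENT.sha256})
    before = {b.name: policy.decide(b)[0] for b in (AGENT, MALWARE)}
    respond_to_certificate_theft(policy, [MALWARE])
    after = {b.name: policy.decide(b)[0] for b in (AGENT, MALWARE)}
    return {"before": before, "after": after}
```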
Meanwhile, critics say whitelisting comes with inherent weaknesses, such as keeping whitelists "patched," notes John Prisco, president and CEO of Triumfant.
"You have to patch the application and therefore patch the whitelist. If you're not diligent about it, it can be exploited, as in the case of Bit9. Whitelisting is still based on prior knowledge; therefore it is susceptible. A system that is based on prior knowledge can always be exploited by a determined adversary," Prisco says. "Unless you have an anomaly-based analytics system on the endpoint that can see fundamental changes that can signal malware attacks, you will always be beaten."