Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

2/11/2013
04:19 PM
Bit9 Breach Boosts Calls For Attack Intel-Sharing Among Targeted Security Vendors

Whitelisting company's breach the latest warning sign that security vendors are getting hit by advanced attackers, too

Bit9 is the latest victim in a series of high-profile security vendors that have been hit by targeted attacks that compromised their security technology. This is prompting calls for vendors to unite and share their information in order to better detect and protect against these attacks, which ultimately affect their customers and the overall security infrastructure, as well.

The whitelisting security vendor's CEO, Patrick Morley, late Friday announced via a blog post that the company had suffered a breach that exposed one of its digital code-signing certificates to the attackers, who then used it to sign malware, affecting three of its customers. Morley said an "operational oversight" led to the breach, with a handful of computers on its network running without the company's own product.

"We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9," he said. "There is no indication that this was the result of an issue with our product. Our investigation also shows that our product was not compromised," and the company revoked the compromised certificate and issued a new one.

Bit9 plans to issue a patch to automatically detect and stop execution of any malware that uses the phony certificate, and is monitoring its Software Reputation Service for hashes from that malware. The breach follows that of RSA two years ago, of certificate authorities such as DigiNotar and Comodo, as well as the Flame cyberespionage malware's attack on weak encryption used in Microsoft's Terminal Services, which led to the creation of rogue digital certificates posing as Microsoft-signed ones.

Security vendors -- like defense contractors, the financial services industry, and, now, the media -- are in the bull's eye of targeted attack campaigns as well. That, of course, should come as no surprise since their technology, if compromised, can then be used to help hack into their customers' networks. So like other vertical industries, security vendors need to band together and fight back by sharing attack information they get from their experiences, security experts say, even if it means potentially giving up a little competitive edge by sharing that attack information.

"When an industry as a whole is under attack, it needs to be rethinking these priorities," says Scott Crawford, managing research director at Enterprise Management Associates. "The security industry really needs to take a page from" the financial services industry's formalized intelligence-sharing, for example, he says.

"Security and technology vendors are going to be compromised," says Crawford, who also blogged today that security vendors as a whole need to respond to this threat against them.

Some security vendors already do share information about attacks they have experienced or deflected -- but it's a mostly ad-hoc and fairly limited process. Websense, for example, is a member of several vetted lists and forums where vendors share information, says Chris Astacio, manager of security research for Websense.

"A certain amount of research and information gets shared [this way]," Astacio says. "These types of supply-chain attacks where security companies are attacked so the [attacker] can then take on a customer of theirs should garner the same amount of research and sharing of research" as malware research does.

Astacio says security vendors should band together in the face of targeted attack campaigns against their industry much like other vertical industries do. Attacks such as that of Bit9 and others demonstrate how advanced persistent threat (APT) actors are trying to get the goods from their ultimate targets via their security suppliers, he says. "They are going to be more brazen and brash," Astacio says.

The time has come for the security vendor community to step up and acknowledge the problem, security experts say. "Just because you're a security company doesn't mean you're immune or have a magic force field anyone can't get through," says Brian Honan of BH Consulting and a member of the Irish CERT. "You need to make sure you can't be used as a point to attack your clients because they trust you to keep them secure ... Bit9 didn't have their own software installed on their computers: That's a glaring issue."

More than likely Bit9 is not the only security company under attack right now, experts say. "If these are motivated attackers, they are not going to stop," Honan says. "They will just move on to the next target and opportunity and see how they can leverage it."

Bit9 didn't share many details of the impact on its three customers who received the signed malware, but the Bit9 digital signature could have allowed that malware to pass as a Bit9-whitelisted application.

"So the malware would be recognized and accepted by the client's machine as legitimate, and it would then install malware on those machines," says Honan, who posted a blog today on lessons learned from the breach. "Then it would give the attackers remote access to those machines and some way to control those machines, and use them to maybe attack further."

[Certificate authority Turktrust details internal errors that led to phony digital certificates. See Errant Google Domain Traced To CA's Mistakes.]

Meanwhile, critics say whitelisting comes with its inherent weaknesses, such as keeping white lists "patched," notes John Prisco, president and CEO of Triumfant.

"You have to patch the application and therefore patch the whitelist. If you're not diligent about it, it can be exploited, as in the case of Bit9. Whitelisting is still based on prior knowledge; therefore it is susceptible. A system that is based on prior knowledge can always be exploited by a determined adversary," Prisco says. "Unless you have an anomaly-based analytics system on the endpoint that can see fundamental changes that can signal malware attacks, you will always be beaten."
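The two quotes above turn on a distinction worth seeing in code: a publisher-trust rule accepts anything carrying a trusted signature, so a stolen signing certificate is enough to get malware executed, whereas a per-endpoint hash allowlist ignores signatures entirely but has to be updated every time a patch ships. The following is an added illustration, not code from the article, from Bit9 or from any vendor quoted here; the certificate identifiers, file contents and the reputation set are constructed placeholders, and the reputation check stands in for the hash monitoring the article mentions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Binary:
    """An executable as an endpoint agent sees it: its bytes plus the id of the
    code-signing certificate that signed it (None means unsigned). Constructed."""
    name: str
    content: bytes
    signer_cert_id: Optional[str] = None

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class PublisherTrustPolicy:
    """Allow anything signed by a trusted publisher certificate that has not been
    revoked. This is the trust relationship abused in the article: a stolen
    certificate makes the attacker's file look like the vendor's own software."""
    trusted_cert_ids: Set[str]
    revoked_cert_ids: Set[str] = field(default_factory=set)

    def allows(self, binary: Binary) -> bool:
        cert = binary.signer_cert_id
        return (cert is not None
                and cert in self.trusted_cert_ids
                and cert not in self.revoked_cert_ids)


@dataclass
class HashAllowlistPolicy:
    """Allow only binaries whose SHA-256 was explicitly approved for this host.
    Signatures are irrelevant; the cost is that every patch must be approved
    before it runs (the "patch the whitelist" point made above)."""
    approved_hashes: Set[str]

    def allows(self, binary: Binary) -> bool:
        return binary.sha256 in self.approved_hashes

    def approve(self, binary: Binary) -> None:
        self.approved_hashes.add(binary.sha256)


def decide(binary: Binary, policy, known_bad_hashes: Set[str]) -> bool:
    """Final execution decision: a hash already flagged by reputation data is
    blocked before any allow rule is consulted, then the policy decides."""
    if binary.sha256 in known_bad_hashes:
        return False
    return policy.allows(binary)


def run_scenario() -> Dict[str, bool]:
    """Walk the breach timeline under both policies and return each decision."""
    # Constructed sample data: placeholder certificate ids and file contents.
    stolen_cert = "vendor-signing-cert-A"
    new_cert = "vendor-signing-cert-B"
    agent_v1 = Binary("agent.exe", b"vendor agent build 1", stolen_cert)
    agent_v2 = Binary("agent.exe", b"vendor agent build 2 (patched)", new_cert)
    malware = Binary("update.exe", b"attacker payload", stolen_cert)  # signed with stolen cert

    publisher = PublisherTrustPolicy(trusted_cert_ids={stolen_cert, new_cert})
    per_host = HashAllowlistPolicy(approved_hashes={agent_v1.sha256})
    reputation: Set[str] = set()  # hashes reported as malicious; empty at first
    results: Dict[str, bool] = {}

    # 1. Before anyone notices: publisher trust accepts the signed malware.
    results["publisher_before_revocation_malware"] = decide(malware, publisher, reputation)
    # 2. The hash allowlist never trusted the signature, so the same file is blocked.
    results["hash_allowlist_malware"] = decide(malware, per_host, reputation)
    # 3. Reputation data learns the sample's hash: blocked even while the cert is trusted.
    reputation.add(malware.sha256)
    results["publisher_with_reputation_malware"] = decide(malware, publisher, reputation)
    # 4. Vendor revokes the stolen certificate and re-signs its product with a new one.
    publisher.revoked_cert_ids.add(stolen_cert)
    results["publisher_after_revocation_malware"] = decide(malware, publisher, set())
    results["publisher_after_revocation_agent_v1"] = decide(agent_v1, publisher, set())  # old build is collateral
    results["publisher_after_revocation_agent_v2"] = decide(agent_v2, publisher, set())
    # 5. Under the hash allowlist the patched build is blocked until the list is updated.
    results["hash_allowlist_patch_before_approve"] = decide(agent_v2, per_host, set())
    per_host.approve(agent_v2)
    results["hash_allowlist_patch_after_approve"] = decide(agent_v2, per_host, set())
    return results


if __name__ == "__main__":
    for step, allowed in run_scenario().items():
        print(f"{step:40s} {'ALLOW' if allowed else 'BLOCK'}")
```

Step 4 shows the operational cost of certificate revocation that the article glosses over: every legitimate build signed with the compromised certificate stops running too, which is why the vendor had to issue a new certificate. Step 5 shows the cost of the hash approach that Prisco points at, and why patch management and allowlist updates have to be coupled.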


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
lancop
User Rank: Apprentice
6/11/2015 | 9:34:00 AM
re: Bit9 Breach Boosts Calls For Attack Intel-Sharing Among Targeted Security Vendors
Whoa, just saw this while researching the Kaspersky Duqu breach! Bit9 didn't protect the machine hosting their digital certificates with their own whitelisting security software? Are we supposed to believe this explanation? Does anyone buy this?
Doug Finley
User Rank: Apprentice
2/22/2013 | 4:32:50 PM
re: Bit9 Breach Boosts Calls For Attack Intel-Sharing Among Targeted Security Vendors
John Prisco doesn't know whitelisting. What Bit9 does is a corrupted form of whitelisting. The attacker was permitted to install their malware because they had a valid certificate in spite of the fact that the malware was not authorized to execute on the endpoint it infected. Whitelists don't need certificates.

Deploying a patch means that the whitelist must be updated. There are automated methods for that, including integrated patch management/whitelisting. And no, whitelisting doesn't require prior knowledge, if by that term he means knowledge of the attacking software. Whitelisting's only prior knowledge requirement is to be able to uniquely identify all software authorized and intended to execute on that specific endpoint.

Did Bit9 really fail to even attempt to protect the machine hosting their certificates? Really?
Drew Conry-Murray
User Rank: Ninja
2/13/2013 | 12:45:58 AM
re: Bit9 Breach Boosts Calls For Attack Intel-Sharing Among Targeted Security Vendors
I think intelligence-sharing among information security companies is a good idea, and should move beyond ad-hoc relationships to something more formal, like in the financial sector. I know it's embarrassing for security companies to admit they've been breached, but the fact is, no one is invulnerable, and simply pretending you are for marketing or image purposes is a mistake.

Drew Conry-Murray
Editor, Network Computing