Bit9's Delicate Disclosure Dance A Sign Of The Times

Bit9's sharing of some details on the attack that turned its whitelisting technology against some of its customers while trying to keep them safe from further danger represents a new challenge for security firms

Firsthand breach disclosure is gradually becoming a best practice for security firms, which are increasingly being targeted by the attackers that their products are trying to repel.

Bit9 last week provided more details on a recent breach where attackers stole one of its digital code-signing certificates and then used it to sign malware in attacks against three of its customers. The security firm confessed that an "operational oversight" led to the breach, with a virtual system on its network running without the company's own whitelisting software.

The security vendor provided some technical information on the malware involved in the attack as well. Harry Sverdlove, chief technology officer at Bit9, said in a blog post that the initial compromise dated back to July 2012 via a SQL injection attack on one of its Internet-facing Web servers, and the breach was discovered in January of this year.

But not all vendors are as forthcoming with information about their firsthand breaches. It's becoming an issue now as security firms over the past two years have become juicy targets, starting with the breach of RSA Security's SecurID server in March 2011.

Sharing details of the attack is a delicate balance between diligent disclosure and withholding information that could further expose the affected customers. The trick is sharing enough information to be useful to other security firms without exposing the customers who were hit, or any others, experts say. "The problem there was that [Bit9] couldn't share most of it [the intelligence] because the bad guys were using most of that to target their customers," says Jaime Blasco, director of AlienVault research labs. "They didn't want to expose their customers."

Blasco says Bit9 did it right by going public with the breach and sharing as much detail as they could safely. There are other security firms that have not come clean, however, he says. "In the last year, three or four security companies were compromised" that are bigger than Bit9 and have not gone public with those breaches, he says.

"Bit9 was fair ... and went public," Blasco says. The bigger firms that have been hit are more worried about how coming out about their breaches will affect their business, he says.

The attackers that hit Bit9 used the SQL injection attack to access an internal virtual machine housing the digital signing certificate, according to Bit9. "That virtual system was only active for a short period of time and was taken offline [shut down] in late July 2012. It remained offline and shut down through December 2012, which is why the intrusion was not detected. The system was brought back online in January 2013, and shortly thereafter the compromise was discovered. We took immediate containment and remediation steps, revoked the certificate in question, and reached out to our entire customer base," Sverdlove blogged.
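The initial foothold described above (and in the earlier summary of Sverdlove's post) was a SQL injection on an Internet-facing web server. The following is an added example, not Bit9's code and not based on its actual application: a constructed SQLite user table queried two ways, once with untrusted input concatenated into the SQL text and once with a bound parameter. The `demo()` function runs the same inputs through both so the difference is visible as returned rows rather than described in prose; the tautology string is the textbook injection used here purely as a regression test of the hardened query.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample table standing in for a web application's
    # user store (hypothetical schema, not any real product's).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hash-a", "user"),
        ("admin", "hash-b", "admin"),
    ])
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable pattern: the untrusted value is spliced into the statement
    # text, so the database cannot distinguish data from query structure.
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    # Hardened pattern: the value travels as a bound parameter and is compared
    # as a string; nothing it contains is ever parsed as SQL.
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    # Runs one benign input and one tautology through both lookups and
    # returns the row lists so a test can assert on them directly.
    conn = make_db()
    normal = "alice"
    tautology = "' OR '1'='1"  # textbook injection, used only as a regression test
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_tautology": lookup_vulnerable(conn, tautology),
        "safe_normal": lookup_parameterized(conn, normal),
        "safe_tautology": lookup_parameterized(conn, tautology),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Against the vulnerable lookup the tautology returns every row, including the admin account, because the closing quote terminates the literal and the `OR` becomes part of the statement. The parameterized lookup returns nothing for the same input, since there is no user literally named `' OR '1'='1`. In a code review, any query built by string concatenation or formatting from request data is the finding; the fix is the bound-parameter form, not input filtering.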

Bit9's Sverdlove maintains that there's no evidence that the attackers accessed or modified the firm's code or product. "We continue to believe the scope of the attack remained the landing point from the SQL injection attack and the virtual system containing the certificate. The surrounding systems were protected by Bit9, which limited lateral movement for the attackers," Sverdlove said. "It is apparent from the forensic evidence and investigation into the larger campaign that the attackers' motives were very specific."

He also shared in his post some details on the malware that was used in the attack, including a backdoor akin to the HiKit Trojan and a Java exploit. The attackers hijacked two legitimate user accounts that ultimately got them to the digital certificate. "In the subsequent attacks on the three target organizations, the attackers appeared to have already compromised specific Websites (a watering hole style attack, similar to what was recently reported by Facebook, Apple and Microsoft). We believe the attackers inserted a malicious Java applet onto those sites that used a vulnerability in Java to deliver additional malicious files, including files signed by the compromised certificate," Sverdlove said.

Security vendors are in the bull's-eye of targeted attack campaigns these days, mainly because their technology can then be used to help hack into their customers' networks.

The bottom line, AlienVault's Blasco says, is that it's easier to break into security firms and steal their technology to turn around and hack defense contractors and other high-profile targets. "If you want to compromise Lockheed Martin, you have to spend a lot of time and money trying to find a gap because they are spending millions" on security, he says.

Some security firms are not investing as heavily in locking down their environments, he says.

[A rare inside look at how defense contractor Lockheed Martin repelled a targeted attack using its homegrown 'Cyber Kill Chain' framework. See How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack.]

Lockheed Martin built a multimillion-dollar framework for stopping targeted attacks that uses multiple layers of security that track an intruder's every move and throw barriers in front of each attempt to siphon data out of its network. That framework, called its Cyber Kill Chain, saved the defense contractor in the wake of the RSA SecurID breach. A few months after the RSA attack, an intruder was spotted inside Lockheed Martin's network sporting legitimate user credentials.

The defense contractor was able to stop the intruder in its tracks and prevent any information from getting stolen.

Targeting security firms for their technology is a pretty efficient way to get to the ultimate targets -- their high-value customers, such as defense contractors. Although Bit9 wouldn't say which industry its three victimized customers are in, the security firm did say they were not critical infrastructure firms, such as utilities, banking, or energy, nor were they government customers.

"We continue to believe the attack against Bit9 was part of a larger campaign to infiltrate select US organizations in a very narrow market space. Out of respect to those companies, we will not disclose the names or nature of those organizations," Bit9's Sverdlove said in his blog post. "We believe the attack was not financially motivated, but rather a campaign to access information. The motivation and intent of the attackers matters because it helps to explain the narrow scope of the compromise. We have performed a thorough assessment against our entire customer base and identified three customers that were impacted. Over the course of our continuing investigation, this number has not changed."

Neal Creighton, chief executive officer at CounterTack, says what's fascinating about the Bit9 and RSA breaches is how a single attack on each vendor was then linked to several other organizations in the attackers' bull's-eye.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
