Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:35 PM
Connect Directly

Bit9's Delicate Disclosure Dance A Sign Of The Times

Bit9's sharing of some details on the attack that turned its whitelisting technology against some of its customers while trying to keep them safe from further danger represents a new challenge for security firms

Firsthand breach disclosure is gradually becoming a best practice for security firms, which are increasingly being targeted by the attackers that their products are trying to repel.

Bit9 last week provided more details on a recent breach where attackers stole one of its digital code-signing certificates and then used it to sign malware in attacks against three of its customers. The security firm confessed that an "operational oversight" led to the breach, with a virtual system on its network running without the company's own whitelisting software.

The security vendor provided some technical information on the malware involved in the attack as well. Harry Sverdlove, chief technology officer at Bit9, said in a blog post that the initial compromise dated back to July 2012 via a SQL injection attack on one of its Internet-facing Web servers, and the breach was discovered in January of this year.

But not all vendors are as forthcoming with information about their firsthand breaches. It's becoming an issue now as security firms over the past two years have become juicy targets, starting with the breach of RSA Security's SecurID server in March 2011.

Sharing details of the attack is a delicate balance of due diligent disclosure and keeping out information that could further expose its customers. The trick is sharing enough information for other security firms without exposing your customers who were affected or other customers, experts say. "The problem there was that [Bit9] couldn't share most of it [the intelligence] because the bad guys were using most of that to target their customers," says Jaime Blasco, director of AlienVault research labs. "They didn't want to expose their customers."

Blasco says Bit9 did it right by going public with the breach and sharing as much detail as they could safely. There are other security firms that have not come clean, however, he says. "In the last year, three or four security companies were compromised" that are bigger than Bit9 and have not gone public with those breaches, he says.

"Bit9 was fair ... and went public," Blasco says. The bigger firms that have been hit are more worried about how coming out about their breaches will affect their business, he says.

The attackers that hit Bit9 used the SQL injection attack to access an internal virtual machine housing the digital signing certificate, according to Bit9. "That virtual system was only active for a short period of time and was taken offline [shut down] in late July 2012. It remained offline and shut down through December 2012, which is why the intrusion was not detected. The system was brought back online in January 2013, and shortly thereafter the compromise was discovered. We took immediate containment and remediation steps, revoked the certificate in question, and reached out to our entire customer base," Sverdlove blogged.

Bit9's Sverdlove maintains that there's no evidence that the attackers accessed or modified the firm's code or product. "We continue to believe the scope of the attack remained the landing point from the SQL injection attack and the virtual system containing the certificate. The surrounding systems were protected by Bit9 which limited lateral movement for the attackers," Sverdlove said. "It is apparent from the forensic evidence and investigation into the larger campaign that the attackers’ motives were very specific."

He also shared in his post some details on the malware that was used in the attack, including a backdoor akin to the HiKit Trojan and a Java exploit. The attackers hijacked two legitimate user accounts that ultimately got them to the digital certificate. "In the subsequent attacks on the three target organizations, the attackers appeared to have already compromised specific Websites (a watering hole style attack, similar to what was recently reported by Facebook, Apple and Microsoft). We believe the attackers inserted a malicious Java applet onto those sites that used a vulnerability in Java to deliver additional malicious files, including files signed by the compromised certificate," Sverdlove said.

Security vendors are in the bull's eye of targeted attack campaigns these days, mainly because their technology then be used to help hack into their customers' networks.

The bottom line, AlienVault's Blasco says, is that it's easier to break into security firms and steal their technology to turn around and hack defense contractors and other high-profile targets. "If you want to compromise Lockheed Martin, you have to spend a lot of time and money trying to find a gap because they are spending millions" on security, he says.

Some security firms are not investing as heavily in locking down their environments, he says.

[A rare inside look at how defense contractor Lockheed Martin repelled a targeted attack using its homegrown 'Cyber Kill Chain' framework. See How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack.]

Lockheed Martin built a multimillion-dollar framework for stopping targeted attacks that uses multiple layers of security that track an intruder's every move and throw barriers in front of each attempt to siphon data out of its network. That framework, called its Cyber Kill Chain, saved the defense contractor in the wake of the RSA SecurID breach. A few months after the RSA attack, an intruder was spotted inside Lockheed Martin's network sporting legitimate user credentials.

The defense contractor was able to stop the intruder in its tracks and prevent any information from getting stolen.

Targeting security firms for their technology is a pretty efficient way to get to the ultimate targets -- their high-value customers like defense contractors. Although Bit9 wouldn't release any details from which industry the three of its customers who were victimized reside, the security firm did say it wasn't critical infrastructure firms, such as utilities, banking, or energy, nor was it government customers.

"We continue to believe the attack against Bit9 was part of a larger campaign to infiltrate select US organizations in a very narrow market space. Out of respect to those companies, we will not disclose the names or nature of those organizations," Bit9's Sverdlove said in his blog post."We believe the attack was not financially motivated, but rather a campaign to access information. The motivation and intent of the attackers matters because it helps to explain the narrow scope of the compromise. We have performed a thorough assessment against our entire customer base and identified three customers that were impacted. Over the course of our continuing investigation, this number has not changed."

Neal Creighton, chief executive officer at CounterTack, says what's fascinating about the Bit9 and RSA breaches is how one attack on each vendor was then linked to several other organizations in the bull's eye of the attackers.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-02-26
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, requests to user provided domains were not restricted to external IP addresses when calculating the key va...
PUBLISHED: 2021-02-26
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, a malicious homeserver could redirect requests to their .well-known file to a large file. This can lead to...
PUBLISHED: 2021-02-26
All versions of package github.com/thecodingmachine/gotenberg are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when the src attribute of an HTML element refers to an internal system file, such as <iframe src='file:///etc/passwd'>.
PUBLISHED: 2021-02-26
Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default beh...
PUBLISHED: 2021-02-26
Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via th...