3/6/2013 05:35 PM
Bit9's Delicate Disclosure Dance A Sign Of The Times

Bit9's sharing of some details on the attack that turned its whitelisting technology against some of its customers while trying to keep them safe from further danger represents a new challenge for security firms

Firsthand breach disclosure is gradually becoming a best practice for security firms, which are increasingly being targeted by the attackers that their products are trying to repel.

Bit9 last week provided more details on a recent breach where attackers stole one of its digital code-signing certificates and then used it to sign malware in attacks against three of its customers. The security firm confessed that an "operational oversight" led to the breach, with a virtual system on its network running without the company's own whitelisting software.

The security vendor provided some technical information on the malware involved in the attack as well. Harry Sverdlove, chief technology officer at Bit9, said in a blog post that the initial compromise dated back to July 2012 via a SQL injection attack on one of its Internet-facing Web servers, and the breach was discovered in January of this year.

But not all vendors are as forthcoming with information about their firsthand breaches. It's becoming an issue now as security firms over the past two years have become juicy targets, starting with the breach of RSA Security's SecurID server in March 2011.

Sharing details of the attack is a delicate balance between due-diligence disclosure and withholding information that could further expose the vendor's customers. The trick is sharing enough information for other security firms without exposing the customers who were affected, or other customers, experts say. "The problem there was that [Bit9] couldn't share most of it [the intelligence] because the bad guys were using most of that to target their customers," says Jaime Blasco, director of AlienVault research labs. "They didn't want to expose their customers."

Blasco says Bit9 did it right by going public with the breach and sharing as much detail as they could safely. There are other security firms that have not come clean, however, he says. "In the last year, three or four security companies were compromised" that are bigger than Bit9 and have not gone public with those breaches, he says.

"Bit9 was fair ... and went public," Blasco says. The bigger firms that have been hit are more worried about how coming out about their breaches will affect their business, he says.

The attackers that hit Bit9 used the SQL injection attack to access an internal virtual machine housing the digital signing certificate, according to Bit9. "That virtual system was only active for a short period of time and was taken offline [shut down] in late July 2012. It remained offline and shut down through December 2012, which is why the intrusion was not detected. The system was brought back online in January 2013, and shortly thereafter the compromise was discovered. We took immediate containment and remediation steps, revoked the certificate in question, and reached out to our entire customer base," Sverdlove blogged.

Bit9's Sverdlove maintains that there's no evidence that the attackers accessed or modified the firm's code or product. "We continue to believe the scope of the attack remained the landing point from the SQL injection attack and the virtual system containing the certificate. The surrounding systems were protected by Bit9 which limited lateral movement for the attackers," Sverdlove said. "It is apparent from the forensic evidence and investigation into the larger campaign that the attackers’ motives were very specific."

He also shared in his post some details on the malware that was used in the attack, including a backdoor akin to the HiKit Trojan and a Java exploit. The attackers hijacked two legitimate user accounts that ultimately got them to the digital certificate. "In the subsequent attacks on the three target organizations, the attackers appeared to have already compromised specific Websites (a watering hole style attack, similar to what was recently reported by Facebook, Apple and Microsoft). We believe the attackers inserted a malicious Java applet onto those sites that used a vulnerability in Java to deliver additional malicious files, including files signed by the compromised certificate," Sverdlove said.
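The attack chain above turns a signer-based whitelist against itself: a valid signature from a trusted vendor no longer proves the file is benign. As an added illustration (not code from the article or from Bit9), the Python below triages a constructed inventory of signed files. It blocks anything signed by a revoked serial and flags files from the affected signer dated inside the compromise window even when the signature still verifies, since signatures timestamped before the certificate's revocation date can continue to validate. The serials, signer name, paths and dates are placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed placeholders: not Bit9's real certificate, signer name or files.
AFFECTED_SIGNER = "Example Vendor Inc."
REVOKED_SERIALS = {"0a1b2c3d"}  # serial of the stolen, now-revoked signing cert
# Earliest plausible misuse of the certificate (the article dates the initial
# SQL injection compromise to July 2012). Signatures from the affected signer
# at or after this date get a human look even if they chain as valid.
COMPROMISE_START = datetime(2012, 7, 1, tzinfo=timezone.utc)


@dataclass
class SignedFile:
    path: str
    signer: str          # subject CN of the signing certificate
    serial: str          # certificate serial number, hex string
    signed_at: datetime  # signature (countersignature) timestamp
    sig_valid: bool      # verdict of the platform's own signature check


def classify(f: SignedFile, revoked=REVOKED_SERIALS, since=COMPROMISE_START) -> str:
    """Return 'block', 'review' or 'allow' for one signed file."""
    if not f.sig_valid:
        return "block"                       # broken or untrusted chain
    if f.serial.lower() in {s.lower() for s in revoked}:
        return "block"                       # stolen cert, regardless of timestamp
    if f.signer == AFFECTED_SIGNER and f.signed_at >= since:
        return "review"                      # valid, but inside the exposure window
    return "allow"


def triage(inventory) -> dict:
    """Map each file path to its verdict so the result can be acted on in bulk."""
    return {f.path: classify(f) for f in inventory}


# Constructed sample inventory covering each policy branch.
SAMPLE = [
    SignedFile(r"C:\Tools\agent.exe", AFFECTED_SIGNER, "1111aaaa",
               datetime(2012, 3, 1, tzinfo=timezone.utc), True),
    SignedFile(r"C:\Temp\dropper.exe", AFFECTED_SIGNER, "0A1B2C3D",
               datetime(2012, 8, 15, tzinfo=timezone.utc), True),
    SignedFile(r"C:\Temp\update.exe", AFFECTED_SIGNER, "2222bbbb",
               datetime(2012, 9, 10, tzinfo=timezone.utc), True),
    SignedFile(r"C:\Temp\other.exe", "Other Co", "3333cccc",
               datetime(2013, 2, 1, tzinfo=timezone.utc), False),
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE).items():
        print(f"{verdict:6s} {path}")
```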

Security vendors are in the bull's eye of targeted attack campaigns these days, mainly because their technology can then be used to help hack into their customers' networks.

The bottom line, AlienVault's Blasco says, is that it's easier to break into security firms and steal their technology to turn around and hack defense contractors and other high-profile targets. "If you want to compromise Lockheed Martin, you have to spend a lot of time and money trying to find a gap because they are spending millions" on security, he says.

Some security firms are not investing as heavily in locking down their environments, he says.

[A rare inside look at how defense contractor Lockheed Martin repelled a targeted attack using its homegrown 'Cyber Kill Chain' framework. See How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack.]

Lockheed Martin built a multimillion-dollar framework for stopping targeted attacks that uses multiple layers of security that track an intruder's every move and throw barriers in front of each attempt to siphon data out of its network. That framework, called its Cyber Kill Chain, saved the defense contractor in the wake of the RSA SecurID breach. A few months after the RSA attack, an intruder was spotted inside Lockheed Martin's network sporting legitimate user credentials.

The defense contractor was able to stop the intruder in its tracks and prevent any information from getting stolen.

Targeting security firms for their technology is a pretty efficient way to get to the ultimate targets -- their high-value customers like defense contractors. Although Bit9 wouldn't say which industry its three victimized customers are in, the security firm did say they weren't critical infrastructure firms, such as utilities, banking, or energy, nor government customers.

"We continue to believe the attack against Bit9 was part of a larger campaign to infiltrate select US organizations in a very narrow market space. Out of respect to those companies, we will not disclose the names or nature of those organizations," Bit9's Sverdlove said in his blog post. "We believe the attack was not financially motivated, but rather a campaign to access information. The motivation and intent of the attackers matters because it helps to explain the narrow scope of the compromise. We have performed a thorough assessment against our entire customer base and identified three customers that were impacted. Over the course of our continuing investigation, this number has not changed."

Neal Creighton, chief executive officer at CounterTack, says what's fascinating about the Bit9 and RSA breaches is how one attack on each vendor was then linked to several other organizations in the bull's eye of the attackers.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
