Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/6/2013
05:35 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Bit9's Delicate Disclosure Dance A Sign Of The Times

Bit9's sharing of some details on the attack that turned its whitelisting technology against some of its customers while trying to keep them safe from further danger represents a new challenge for security firms

Firsthand breach disclosure is gradually becoming a best practice for security firms, which are increasingly being targeted by the attackers that their products are trying to repel.

Bit9 last week provided more details on a recent breach where attackers stole one of its digital code-signing certificates and then used it to sign malware in attacks against three of its customers. The security firm confessed that an "operational oversight" led to the breach, with a virtual system on its network running without the company's own whitelisting software.

The security vendor provided some technical information on the malware involved in the attack as well. Harry Sverdlove, chief technology officer at Bit9, said in a blog post that the initial compromise dated back to July 2012 via a SQL injection attack on one of its Internet-facing Web servers, and the breach was discovered in January of this year.

But not all vendors are as forthcoming with information about their firsthand breaches. It's becoming an issue now as security firms over the past two years have become juicy targets, starting with the breach of RSA Security's SecurID server in March 2011.

Sharing details of the attack is a delicate balance of due diligent disclosure and keeping out information that could further expose its customers. The trick is sharing enough information for other security firms without exposing your customers who were affected or other customers, experts say. "The problem there was that [Bit9] couldn't share most of it [the intelligence] because the bad guys were using most of that to target their customers," says Jaime Blasco, director of AlienVault research labs. "They didn't want to expose their customers."

Blasco says Bit9 did it right by going public with the breach and sharing as much detail as they could safely. There are other security firms that have not come clean, however, he says. "In the last year, three or four security companies were compromised" that are bigger than Bit9 and have not gone public with those breaches, he says.

"Bit9 was fair ... and went public," Blasco says. The bigger firms that have been hit are more worried about how coming out about their breaches will affect their business, he says.

The attackers that hit Bit9 used the SQL injection attack to access an internal virtual machine housing the digital signing certificate, according to Bit9. "That virtual system was only active for a short period of time and was taken offline [shut down] in late July 2012. It remained offline and shut down through December 2012, which is why the intrusion was not detected. The system was brought back online in January 2013, and shortly thereafter the compromise was discovered. We took immediate containment and remediation steps, revoked the certificate in question, and reached out to our entire customer base," Sverdlove blogged.

Bit9's Sverdlove maintains that there's no evidence that the attackers accessed or modified the firm's code or product. "We continue to believe the scope of the attack remained the landing point from the SQL injection attack and the virtual system containing the certificate. The surrounding systems were protected by Bit9 which limited lateral movement for the attackers," Sverdlove said. "It is apparent from the forensic evidence and investigation into the larger campaign that the attackers’ motives were very specific."

He also shared in his post some details on the malware that was used in the attack, including a backdoor akin to the HiKit Trojan and a Java exploit. The attackers hijacked two legitimate user accounts that ultimately got them to the digital certificate. "In the subsequent attacks on the three target organizations, the attackers appeared to have already compromised specific Websites (a watering hole style attack, similar to what was recently reported by Facebook, Apple and Microsoft). We believe the attackers inserted a malicious Java applet onto those sites that used a vulnerability in Java to deliver additional malicious files, including files signed by the compromised certificate," Sverdlove said.

Security vendors are in the bull's eye of targeted attack campaigns these days, mainly because their technology then be used to help hack into their customers' networks.

The bottom line, AlienVault's Blasco says, is that it's easier to break into security firms and steal their technology to turn around and hack defense contractors and other high-profile targets. "If you want to compromise Lockheed Martin, you have to spend a lot of time and money trying to find a gap because they are spending millions" on security, he says.

Some security firms are not investing as heavily in locking down their environments, he says.

[A rare inside look at how defense contractor Lockheed Martin repelled a targeted attack using its homegrown 'Cyber Kill Chain' framework. See How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack.]

Lockheed Martin built a multimillion-dollar framework for stopping targeted attacks that uses multiple layers of security that track an intruder's every move and throw barriers in front of each attempt to siphon data out of its network. That framework, called its Cyber Kill Chain, saved the defense contractor in the wake of the RSA SecurID breach. A few months after the RSA attack, an intruder was spotted inside Lockheed Martin's network sporting legitimate user credentials.

The defense contractor was able to stop the intruder in its tracks and prevent any information from getting stolen.

Targeting security firms for their technology is a pretty efficient way to get to the ultimate targets -- their high-value customers like defense contractors. Although Bit9 wouldn't release any details from which industry the three of its customers who were victimized reside, the security firm did say it wasn't critical infrastructure firms, such as utilities, banking, or energy, nor was it government customers.

"We continue to believe the attack against Bit9 was part of a larger campaign to infiltrate select US organizations in a very narrow market space. Out of respect to those companies, we will not disclose the names or nature of those organizations," Bit9's Sverdlove said in his blog post."We believe the attack was not financially motivated, but rather a campaign to access information. The motivation and intent of the attackers matters because it helps to explain the narrow scope of the compromise. We have performed a thorough assessment against our entire customer base and identified three customers that were impacted. Over the course of our continuing investigation, this number has not changed."

Neal Creighton, chief executive officer at CounterTack, says what's fascinating about the Bit9 and RSA breaches is how one attack on each vendor was then linked to several other organizations in the bull's eye of the attackers.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Major Brazilian Bank Tests Homomorphic Encryption on Financial Data
Kelly Sheridan, Staff Editor, Dark Reading,  1/10/2020
Will This Be the Year of the Branded Cybercriminal?
Raveed Laeb, Product Manager at KELA,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3683
PUBLISHED: 2020-01-17
The keystone-json-assignment package in SUSE Openstack Cloud 8 before commit d7888c75505465490250c00cc0ef4bb1af662f9f every user listed in the /etc/keystone/user-project-map.json was assigned full "member" role access to every project. This allowed these users to access, modify, create and...
CVE-2019-3682
PUBLISHED: 2020-01-17
The docker-kubic package in SUSE CaaS Platform 3.0 before 17.09.1_ce-7.6.1 provided access to an insecure API locally on the Kubernetes master node.
CVE-2019-17361
PUBLISHED: 2020-01-17
In SaltStack Salt through 2019.2.0, the salt-api NEST API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
CVE-2019-19142
PUBLISHED: 2020-01-17
Intelbras WRN240 devices do not require authentication to replace the firmware via a POST request to the incoming/Firmware.cfg URI.
CVE-2019-19801
PUBLISHED: 2020-01-17
In Gallagher Command Centre Server versions of v8.10 prior to v8.10.1134(MR4), v8.00 prior to v8.00.1161(MR5), v7.90 prior to v7.90.991(MR5), v7.80 prior to v7.80.960(MR2) and v7.70 or earlier, an unprivileged but authenticated user is able to perform a backup of the Command Centre databases.