Bit9, a company that provides software and network security services to the U.S. government and at least 30 Fortune 100 firms, has suffered an electronic compromise that cuts to the core of its business: helping clients distinguish known “safe” files from computer viruses and other malicious software.
Waltham, Massachusetts-based Bit9 is a leading provider of “application whitelisting” services, a security technology that turns the traditional approach to fighting malware on its head. Antivirus software, for example, seeks to identify and quarantine files that are known bad or strongly suspected of being malicious. In contrast, Bit9 specializes in helping companies develop custom lists of software that they want to allow employees to run, and to treat all other applications as potentially unknown and dangerous.
But earlier today, Bit9 told a source for KrebsOnSecurity that their corporate networks had been breached by a cyberattack. According to the source, Bit9 said they’d received reports that some customers had discovered malware inside of their own Bit9-protected networks, malware that was digitally signed by Bit9’s own encryption keys.
That last bit is extremely important, because Bit9 is a default trusted publisher in its own software, which runs on customer PCs and networks as an “agent” that intercepts and blocks applications that are not on the approved whitelist. The upshot of the intrusion is that a machine with a whitelist policy applied will blindly trust and run anything signed by Bit9.
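To make the trusted-publisher problem concrete, here is a small policy evaluator that models the rule order a whitelisting agent might apply: an explicit hash allowlist, then certificate revocation, then publisher trust, otherwise deny. This is an added, constructed example, not code from the article, from Bit9 or from its product; the vendor name, the certificate serial number and the file contents are assumptions. It shows how a binary signed with a stolen publisher certificate sails through a publisher-trust rule, how revoking that certificate stops it, and how a defender can list the files that were running only on the strength of publisher trust.

```python
"""Toy model of an application-allowlisting policy with a default trusted
publisher. Constructed example: the rule structure, vendor name, serial
number and file contents are assumptions, not any real product's logic."""
from dataclasses import dataclass
from hashlib import sha256
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    """A code signature that has already passed cryptographic verification.
    Only the two fields a policy rule inspects are modelled here."""
    publisher: str    # subject name on the signing certificate
    cert_serial: str  # serial number of the signing certificate (constructed)


@dataclass(frozen=True)
class FileSample:
    name: str
    content: bytes
    signature: Optional[Signature] = None


class AllowlistPolicy:
    """Decision order: hash allowlist, then revocation, then publisher trust,
    then default deny."""

    def __init__(self, allowed_hashes: Iterable[str],
                 trusted_publishers: Iterable[str],
                 revoked_serials: Iterable[str] = ()) -> None:
        self.allowed_hashes = set(allowed_hashes)
        self.trusted_publishers = set(trusted_publishers)
        self.revoked_serials = set(revoked_serials)

    def decide(self, f: FileSample) -> Tuple[str, str]:
        digest = sha256(f.content).hexdigest()
        if digest in self.allowed_hashes:
            return "ALLOW", "hash on allowlist"
        sig = f.signature
        if sig is None:
            return "BLOCK", "unsigned and not on allowlist"
        if sig.cert_serial in self.revoked_serials:
            return "BLOCK", "signing certificate %s revoked" % sig.cert_serial
        if sig.publisher in self.trusted_publishers:
            # This is the rule a stolen publisher key abuses: the agent has
            # no way to tell the vendor's own binaries from anything else
            # signed with the same certificate.
            return "ALLOW", "trusted publisher %s" % sig.publisher
        return "BLOCK", "unknown publisher"

    def revoke(self, serial: str) -> None:
        """Stop trusting one certificate without dropping the publisher."""
        self.revoked_serials.add(serial)

    def publisher_only_allows(self, files: Iterable[FileSample]) -> List[str]:
        """Files that run solely because of publisher trust: the set a
        defender must re-verify by hash when a publisher's key is stolen."""
        return [f.name for f in files
                if self.decide(f)[1].startswith("trusted publisher")]


# Constructed sample inputs.
VENDOR = "Example Allowlisting Vendor Inc."  # assumed trusted publisher
STOLEN_SERIAL = "0f:1e:2d:3c"                # assumed serial of the stolen cert

agent = FileSample("agent.exe", b"constructed agent binary bytes",
                   Signature(VENDOR, STOLEN_SERIAL))
malware = FileSample("update_helper.exe", b"constructed malicious payload",
                     Signature(VENDOR, STOLEN_SERIAL))
unsigned = FileSample("tool.exe", b"constructed unsigned tool")
SAMPLES = (agent, malware, unsigned)


def build_policy() -> AllowlistPolicy:
    """The vendor's own agent is pinned by hash; the vendor is also a
    default trusted publisher, as the article describes."""
    return AllowlistPolicy(
        allowed_hashes=[sha256(agent.content).hexdigest()],
        trusted_publishers=[VENDOR],
    )


def demo() -> Tuple[dict, dict]:
    """Decisions before and after the stolen certificate is revoked."""
    policy = build_policy()
    before = {f.name: policy.decide(f)[0] for f in SAMPLES}
    policy.revoke(STOLEN_SERIAL)
    after = {f.name: policy.decide(f)[0] for f in SAMPLES}
    return before, after


if __name__ == "__main__":
    exposed = build_policy().publisher_only_allows(SAMPLES)
    before, after = demo()
    print("allowed only by publisher trust:", exposed)
    print("before revocation:", before)
    print("after revocation: ", after)
```

Before revocation the signed payload is allowed purely because the publisher is trusted, which is the situation the article describes at Bit9's customers. Revoking the serial blocks it while the vendor's own agent keeps running because it is pinned by hash; any legitimate vendor file that was relying on publisher trust alone would be blocked too, which is why `publisher_only_allows` is worth running before the revocation goes out so those files can be re-approved by hash.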
An hour after being contacted by KrebsOnSecurity, Bit9 published a blog post acknowledging a break-in. The company said attackers managed to compromise some of Bit9’s systems that were not protected by the company’s own software. Once inside, the firm said, attackers were able to steal Bit9’s secret code-signing certificates.
“Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network,” Bit9’s Patrick Morley wrote. “As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware. There is no indication that this was the result of an issue with our product. Our investigation also shows that our product was not compromised.”
The company said it is still investigating the source of the breach, but said that it appears that at least three of its customers were sent malware that was digitally signed with Bit9’s certificate.
There may be deep irony in this attack: While Bit9 has made a name for itself based on the reality that antivirus software cannot keep up with the tens of thousands of new malware variants being unleashed on the Internet each day [the company brags that Bit9 is the only security firm to stop both the Flame malware and the RSA breach attack, even before they were identified by traditional/legacy antivirus companies], there is a better than even chance that the malware signed with Bit9’s keys was first detected with traditional antivirus products. But only time will tell how the initial discovery really played out.
Jeremiah Grossman, chief technology officer for security testing firm Whitehat Security, said the attackers who broke into Bit9 almost certainly were doing so as a means to an end.
“I guess if you’re a bad guy trying to get malware installed on a computer at a hardened target that is using Bit9, what choice do you have except going through Bit9 first?” Grossman said. “This is not the result of some mass malware blast. This is almost certainly highly targeted.”
Grossman and other experts say the attack on Bit9 is reminiscent of the 2011 intrusion at RSA Security, which was widely viewed as a precursor to attacking upstream targets protected by the company’s products. In that intrusion, the attackers targeted RSA’s proprietary algorithms that protected networks of thousands of companies.
“In that case, the attackers weren’t doing it for gain at RSA as far as anyone’s been able to tell, but there were reported attacks shortly after that against defense contractors that had characteristics of someone exploiting what was probably taken from RSA,” said Eugene Spafford, professor of computer science at Purdue University. “Those defense contractors were the real targets, but they were using a very strong security tool – RSA’s tokens. So, if you’re an attacker and faced with a strong defense, you can try to break straight through, or find ways around that defense. This is more than likely [the product of] very targeted, careful thinking by someone who understands a higher level of security strategy.”
In that sense, Spafford said, the Bit9 and RSA attacks can be thought of as “supply chain” hacks.
“Supply chain doesn’t necessarily mean the sale of finite items, but it’s all along the chain of where things might find their way into your enterprise that can be contaminated, and I suspect we’ll continue to see more of these types of attacks,” Spafford said.
The potential impact of this breach — both within Bit9 customer networks and on the company’s future — is quite broad. According to a recent press release, Bit9’s global customers come from a wide variety of industries, including e-commerce, financial services, government, healthcare, retail, technology and utilities. The company was founded on a U.S. federal research grant from the National Institute of Standards and Technology’s Advanced Technology Program to conduct the research that is now at the core of the company’s solutions.
“One of the things I’ve stressed to security companies I’ve done work for is that everything they do is based on trust in their brand and product, and that getting hacked is a fundamental attack on that trust structure,” Spafford said. “That’s an object lesson, but it may also say something if they aren’t eating their own dog food, so to speak.”
Grossman said the compromise at Bit9 demonstrates both the strengths and weaknesses of relying on an application whitelisting approach.
“It’s also interesting that they went after Bit9’s certs, and not by trying to exploit vulnerabilities in it. Instead of hacking the Bit9 application or network device, they went after Bit9 directly. That says a lot on its own.”