Malware Found Matches Code Used Vs. Defense Contractors in 2012

Cyber espionage hackers who broke into security firm Bit9 initially breached the company’s defenses in July 2012, according to evidence being gathered by security experts investigating the incident. Bit9 remains reluctant to name customers that were impacted by the intrusion, but the custom-made malicious software used in the attack was deployed last year in highly targeted attacks against U.S. Defense contractors.

Earlier this month, KrebsOnSecurity broke the story of the breach at Waltham, Mass.-based Bit9, which involved the theft of one of the firm’s private digital certificates. That certificate was used to sign malicious software, or “malware” that was then sent to three of the company’s customers. Unlike antivirus software, which tries to identify and block known malicious files, Bit9’s approach helps organizations block files that aren’t already digitally signed by the company’s own certificates.

After publishing a couple of blog posts about the incident, Bit9 shared with several antivirus vendors the “hashes” or unique fingerprints of some 33 files that hackers had signed with the stolen certificate. KrebsOnSecurity obtained a list of these hashes, and was able to locate two malicious files that matched those hashes using Virustotal.com — a searchable service and database that lets users submit suspicious files for simultaneous scanning by dozens of antivirus tools.

The first match turned up a file called “media.exe,” which according to Virustotal was compiled and then signed using Bit9’s certificate on July 13, 2012. The other result was a Microsoft driver file for an SQL database server, which was compiled and signed by Bit9’s cert on July 25, 2012.

Asked about these findings, Bit9 confirmed that the breach appears to have started last summer with the compromise of an Internet-facing Web server, via an SQL injection attack. Such attacks take advantage of weak server configurations to inject malicious code into the database behind the public-facing Web server.

In an exclusive interview with KrebsOnSecurity, Bit9 said it first learned of the breach on Jan. 29, 2013, when it was alerted by a third party which was not a customer of Bit9. The company believes that the trouble began last July, when an employee started up a virtual machine that was equipped with an older Bit9 signing certificate which hadn’t been actively used to sign files since January 2012.

Harry Sverdlove, Bit9’s chief technology officer, said the company plans to share more details about its investigation into the intrusion in a post to be published Thursday on Bit9’s blog. For instance, he said, the control server used to coordinate the activities of the malware sent by the attackers traced back to a server in Taiwan.

Sverdlove said Bit9 will not reveal the identities of the customers that were apparently the true target of the breach; he would only characterize them as “three non-critical infrastructure entities.” Sverdlove said although it is clear now that Bit9 was hacked as a jumping-off point from which to launch more stealthily attacks against a handful of its customers, that reality hardly softens the blow.

“Although it doesn’t make us feel any better, this wasn’t a campaign against us, it was a campaign using us,” Sverdlove said. “We don’t take any solace in this, but the good news is they came after us because they weren’t able to come after our customers directly.”

It’s not clear why the attackers waited so long to use the stolen certs, but in any case Bit9 says the unauthorized virtual machine remained offline from August through December, and was only turned on again in early January 2013.

Continue reading →