Metasploit

Security Firm Bit9 Hacked, Used to Spread Malware

Security Firm Bit9 Hacked, Used to Spread Malware: Bit9 told a source for KrebsOnSecurity that their corporate networks had been breached by a cyberattack. According to the source, Bit9 said they’d received reports that some customers had discovered malware inside of their own Bit9-protected networks, malware that was digitally signed by Bit9′s own encryption keys.

That last bit is extremely important, because Bit9 is a default trusted publisher in their software, which runs on customer PCs and networks as an “agent” that tries to intercept and block applications that are not on the approved whitelist. The upshot of the intrusion is that with a whitelist policy applied to a machine, that machine will blindly trust and run anything signed by Bit9.

An hour after being contacted by KrebsOnSecurity, Bit9 published a blog post acknowledging a break-in. The company said attackers managed to compromise some of Bit9′s systems that were not protected by the company’s own software. Once inside, the firm said, attackers were able to steal Bit9′s secret code-signing certificates.

“Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network,” Bit9′s Patrick Morley wrote. “As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware. There is no indication that this was the result of an issue with our product.  Our investigation also shows that our product was not compromised.”

The company said it is still investigating the source of the breach, but said that it appears that at least three of its customers were sent malware that was digitally signed with Bit9′s certificate.

There may be deep irony in this attack: While Bit9 has made a name for itself based on the reality that antivirus software cannot keep up with the tens of thousands of new malware variants being unleashed on the Internet each day [the company brags that Bit9 is the only security firm to stop both the Flame malware and the RSA breach attack, even before they were identified by traditional/legacy antivirus companies], there is a better than even chance that the malware signed with Bit9′s keys was first detected with traditional antivirus products. But only time will tell how the initial discovery really played out.