The Bit9 Hack
“The Bit9 Trust-based Security Platform continuously monitors and records all activity on servers and endpoints to detect and stop cyber threats that evade traditional security defenses. A cloud-based software reputation service combined with policy-driven application control and whitelisting provide the most reliable form of security in a model that can be rapidly implemented with less maintenance than traditional tools.” That description alone makes Bit9 a worthwhile target! Bit9 helps clients distinguish known “safe” files from computer viruses and other malicious software; so what if Bit9 can be made to pass a malicious file as safe?! And that’s exactly what the hackers could do.
On 8th Feb 2013, Bit9 informed its customers about a potential security concern. The company said that attackers had compromised some of Bit9’s systems that were not protected by the company’s own software. Once inside, the attackers were able to steal Bit9’s secret code-signing certificates. Bit9 said it had received reports that some customers had discovered malware inside their own Bit9-protected networks: malware that was digitally signed by Bit9’s own encryption keys. Bit9 is a default trusted publisher in its own software, which runs on customer PCs and networks as an “agent” that tries to intercept and block applications that are not on the approved whitelist. With a whitelist policy applied to a machine, that machine will trust and run anything signed by Bit9.
As per Bit9’s blog:
“In brief, here is what happened. Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network. As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware. There is no indication that this was the result of an issue with our product. Our investigation also shows that our product was not compromised. We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9.”
And the reason for the hack:
“We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9.”
This was a highly targeted attack, in which the hackers got in and signed malicious code with Bit9’s certificate, making it a trusted application!
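To make the trust problem concrete, here is an added example (my own Python model, not Bit9’s code and not taken from the page) of the whitelist decision described above. It shows that a policy of “trust anything signed by publisher X” allows malware the moment X’s signing key is stolen, and then shows two defensive rules: flagging the certificate as compromised from a given date, so that files countersigned before that date stay trusted while later or undated signatures are blocked, and pinning the hash of the known-good build so that no publisher is trusted at all. The publisher name, thumbprint, file contents and all dates are constructed placeholders; the compromise date in particular is not the real one, which the page does not give, and the model assumes signatures carry a trusted countersignature timestamp.

```python
"""Added example (not Bit9's code): a small model of an application-control
policy, showing why publisher-based trust collapses when the publisher's key is
stolen and how compromise-window revocation and hash pinning limit the damage.
Every name, thumbprint, date and file body below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Set, Tuple
import hashlib


@dataclass(frozen=True)
class Signature:
    signer_thumbprint: str          # identifies the signing certificate
    signer_subject: str
    signed_at: Optional[datetime]   # trusted countersignature time, None if absent


@dataclass(frozen=True)
class Artifact:
    name: str
    content: bytes
    signature: Optional[Signature] = None

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class Policy:
    trusted_publishers: Set[str]             # certificate thumbprints trusted outright
    approved_hashes: Set[str]                # explicitly pinned file hashes
    compromised_since: Dict[str, datetime]   # thumbprint -> earliest possible misuse


def evaluate(policy: Policy, artifact: Artifact) -> Tuple[str, str]:
    """Return (decision, reason). Hash pins win; publisher trust is conditional."""
    if artifact.sha256() in policy.approved_hashes:
        return "allow", "file hash explicitly approved"
    sig = artifact.signature
    if sig is None:
        return "block", "unsigned"
    if sig.signer_thumbprint not in policy.trusted_publishers:
        return "block", "publisher not trusted"
    since = policy.compromised_since.get(sig.signer_thumbprint)
    if since is not None:
        # Without a trusted timestamp we cannot prove the signature predates the
        # compromise, so an undated signature is treated as the attacker's.
        if sig.signed_at is None or sig.signed_at >= since:
            return "block", "signed with a certificate flagged as compromised"
    return "allow", "trusted publisher"


UTC = timezone.utc
VENDOR_CERT = "CONSTRUCTED-THUMBPRINT-0001"     # placeholder, not a real thumbprint
VENDOR = "CN=Example Vendor (constructed)"

# Constructed artifacts: a genuine old build, malware signed with the stolen key,
# and a vendor build that was never countersigned with a timestamp.
agent = Artifact("agent.exe", b"legitimate agent build",
                 Signature(VENDOR_CERT, VENDOR, datetime(2012, 1, 15, tzinfo=UTC)))
malware = Artifact("update.exe", b"malicious payload signed with the stolen key",
                   Signature(VENDOR_CERT, VENDOR, datetime(2013, 1, 20, tzinfo=UTC)))
undated = Artifact("tool.exe", b"vendor build with no countersignature",
                   Signature(VENDOR_CERT, VENDOR, None))


def publisher_only_policy() -> Policy:
    """Trust everything the vendor signs (the model the post describes)."""
    return Policy({VENDOR_CERT}, set(), {})


def revoked_policy(compromise_start: datetime) -> Policy:
    """Vendor still trusted for files countersigned before the compromise window."""
    return Policy({VENDOR_CERT}, set(), {VENDOR_CERT: compromise_start})


def hash_pinned_policy() -> Policy:
    """Trust no publisher; only the pinned hash of the known-good build runs."""
    return Policy(set(), {agent.sha256()}, {})


def demo() -> Dict[str, str]:
    """Decision for each artifact under each policy, keyed 'policy:file'."""
    # The compromise start date here is a constructed placeholder.
    policies = (("publisher", publisher_only_policy()),
                ("revoked", revoked_policy(datetime(2013, 1, 1, tzinfo=UTC))),
                ("hash", hash_pinned_policy()))
    return {f"{pname}:{art.name}": evaluate(pol, art)[0]
            for pname, pol in policies for art in (agent, malware, undated)}


if __name__ == "__main__":
    for key, decision in demo().items():
        print(f"{key:22} {decision}")
```

Under the publisher-only policy all three files are allowed, including the malware, which is exactly the failure the post describes. Flagging the certificate as compromised from a date keeps the old countersigned build running but blocks the malware and, deliberately, the undated build, since nothing proves it was signed before the key was stolen. Hash pinning removes the publisher from the decision entirely, at the cost of having to approve every new build individually.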