Bit9's Delicate Disclosure Dance A Sign Of The Times
Bit9's sharing of some details on the attack that turned its whitelisting technology against some of its customers while trying to keep them safe from further danger represents a new challenge for security firms
March 6, 2013
Firsthand breach disclosure is gradually becoming a best practice for security firms, which are increasingly being targeted by the attackers that their products are trying to repel.
Bit9 last week provided more details on a recent breach where attackers stole one of its digital code-signing certificates and then used it to sign malware in attacks against three of its customers. The security firm confessed that an "operational oversight" led to the breach, with a virtual system on its network running without the company's own whitelisting software.
The security vendor provided some technical information on the malware involved in the attack as well. Harry Sverdlove, chief technology officer at Bit9, said in a blog post that the initial compromise dated back to July 2012 via a SQL injection attack on one of its Internet-facing Web servers, and the breach was discovered in January of this year.
But not all vendors are as forthcoming with information about their firsthand breaches. It's becoming an issue now as security firms over the past two years have become juicy targets, starting with the breach of RSA Security's SecurID server in March 2011.
Sharing details of the attack is a delicate balance of due diligent disclosure and keeping out information that could further expose its customers. The trick is sharing enough information for other security firms without exposing your customers who were affected or other customers, experts say. "The problem there was that [Bit9] couldn't share most of it [the intelligence] because the bad guys were using most of that to target their customers," says Jaime Blasco, director of AlienVault research labs. "They didn't want to expose their customers."
Blasco says Bit9 did it right by going public with the breach and sharing as much detail as they could safely. There are other security firms that have not come clean, however, he says. "In the last year, three or four security companies were compromised" that are bigger than Bit9 and have not gone public with those breaches, he says.
"Bit9 was fair ... and went public," Blasco says. The bigger firms that have been hit are more worried about how coming out about their breaches will affect their business, he says.
The attackers that hit Bit9 used the SQL injection attack to access an internal virtual machine housing the digital signing certificate, according to Bit9. "That virtual system was only active for a short period of time and was taken offline [shut down] in late July 2012. It remained offline and shut down through December 2012, which is why the intrusion was not detected. The system was brought back online in January 2013, and shortly thereafter the compromise was discovered. We took immediate containment and remediation steps, revoked the certificate in question, and reached out to our entire customer base," Sverdlove blogged.
Bit9's Sverdlove maintains that there's no evidence that the attackers accessed or modified the firm's code or product. "We continue to believe the scope of the attack remained the landing point from the SQL injection attack and the virtual system containing the certificate. The surrounding systems were protected by Bit9 which limited lateral movement for the attackers," Sverdlove said. "It is apparent from the forensic evidence and investigation into the larger campaign that the attackers’ motives were very specific."
He also shared in his post some details on the malware that was used in the attack, including a backdoor akin to the HiKit Trojan and a Java exploit. The attackers hijacked two legitimate user accounts that ultimately got them to the digital certificate. "In the subsequent attacks on the three target organizations, the attackers appeared to have already compromised specific Websites (a watering hole style attack, similar to what was recently reported by Facebook, Apple and Microsoft). We believe the attackers inserted a malicious Java applet onto those sites that used a vulnerability in Java to deliver additional malicious files, including files signed by the compromised certificate," Sverdlove said.
Security vendors are in the bull's eye of targeted attack campaigns these days, mainly because their technology then be used to help hack into their customers' networks.
The bottom line, AlienVault's Blasco says, is that it's easier to break into security firms and steal their technology to turn around and hack defense contractors and other high-profile targets. "If you want to compromise Lockheed Martin, you have to spend a lot of time and money trying to find a gap because they are spending millions" on security, he says.
Some security firms are not investing as heavily in locking down their environments, he says.
[A rare inside look at how defense contractor Lockheed Martin repelled a targeted attack using its homegrown 'Cyber Kill Chain' framework. See How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack.]
Lockheed Martin built a multimillion-dollar framework for stopping targeted attacks that uses multiple layers of security that track an intruder's every move and throw barriers in front of each attempt to siphon data out of its network. That framework, called its Cyber Kill Chain, saved the defense contractor in the wake of the RSA SecurID breach. A few months after the RSA attack, an intruder was spotted inside Lockheed Martin's network sporting legitimate user credentials.
The defense contractor was able to stop the intruder in its tracks and prevent any information from getting stolen.
Targeting security firms for their technology is a pretty efficient way to get to the ultimate targets -- their high-value customers like defense contractors. Although Bit9 wouldn't release any details from which industry the three of its customers who were victimized reside, the security firm did say it wasn't critical infrastructure firms, such as utilities, banking, or energy, nor was it government customers.
"We continue to believe the attack against Bit9 was part of a larger campaign to infiltrate select US organizations in a very narrow market space. Out of respect to those companies, we will not disclose the names or nature of those organizations," Bit9's Sverdlove said in his blog post."We believe the attack was not financially motivated, but rather a campaign to access information. The motivation and intent of the attackers matters because it helps to explain the narrow scope of the compromise. We have performed a thorough assessment against our entire customer base and identified three customers that were impacted. Over the course of our continuing investigation, this number has not changed."
Neal Creighton, chief executive officer at CounterTack, says what's fascinating about the Bit9 and RSA breaches is how one attack on each vendor was then linked to several other organizations in the bull's eye of the attackers.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author
You May Also Like