Bit9 hacked, stolen digital certificates to sign malware

Pierluigi Paganini February 10, 2013

The week ended in the worst way for the security company Bit9, which last Friday announced that hackers had stolen digital certificates from its network and used them to sign malicious code.

Bit9 is a well-known company that provides software and network security services to many important private firms and to the U.S. government.

The practice of signing malware with legitimate certificates isn’t new; attackers frequently use this technique to evade antivirus controls.

Bit9 Chief Executive Patrick Morley wrote in a blog post:

“Earlier today we informed our customers about a potential security concern. Out of respect for our customers, we chose to contact them first before making a statement in public. We wanted to be certain our customers heard from us and had the opportunity they needed to make any changes before we brought this to a wider audience.

In brief, here is what happened. Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network. As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware. There is no indication that this was the result of an issue with our product. Our investigation also shows that our product was not compromised.”

According to the first revelations on the incident, the attackers sent signed malware samples to at least three of Bit9’s customers, but their identities, like the effects of the attacks that hit them, remain undisclosed.

The company is investigating the causes of the breach to ensure that its customers suffer no further repercussions; its decision to publicly disclose the hack is a sign of great responsibility.

The company said it is still investigating the source of the breach, but it appears that at least three of its customers were sent malware digitally signed with Bit9’s certificate. Morley added:

“Since we discovered this issue, we have been working closely with all of our customers to ensure they are no longer vulnerable to malware associated with the affected certificate.”

Bit9 announced that it has resolved the issue, providing a summary of the actions taken:

  • We revoked the affected certificate and acquired a new one.
  • We eliminated the operational issue that led to the illegal access to the certificate and ensured Bit9 is installed on all of our physical and virtual machines.
  • While our investigation shows our product was not compromised, we are finalizing a product patch that will automatically detect and stop the execution of any malware that illegitimately uses the certificate.
  • We have been proactively monitoring the Bit9 Software Reputation Service for hashes from the illegitimately signed malware.

This is not the first time that hackers have breached a security firm as part of a sophisticated scheme to reach data at one of its customers; recall the breach at EMC Corp’s RSA Security division disclosed in 2011. Nor is it the first time that a malware author has signed malware to make it more effective.

The technique of signing malware with valid certificates was recently used with Adobe certificates, and going further back we cannot forget the famous case of Stuxnet, the formidable cyber weapon that hit Iranian critical infrastructure.

Using PKI code-signing certificates for malware is a winning choice for the attacker: the malware uses signed components to install itself on the system while avoiding detection, because the signature leads the host system to accept the new malicious software in the belief that it comes from a known and trusted vendor.
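As an added defensive example (not Bit9’s code and not part of the original article), the PowerShell sweep below applies the two countermeasures Bit9 describes, certificate revocation and blocking by signer identity: it checks Authenticode signatures and flags binaries whose signature no longer validates or whose signer thumbprint is on a local blocklist. The thumbprint value and the scanned path are placeholders, not Bit9’s real certificate.

```powershell
# Added example: find executables signed by a compromised or revoked code-signing
# certificate. The thumbprint below is a constructed placeholder, NOT Bit9's cert.
$BlockedThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_OF_COMPROMISED_SIGNING_CERT'
)

function Test-SuspiciousSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Blocklist = $BlockedThumbprints
    )
    $sig   = Get-AuthenticodeSignature -FilePath $Path
    $cert  = $sig.SignerCertificate
    $thumb = if ($cert) { $cert.Thumbprint } else { $null }

    # Status is 'Valid' only when the chain still verifies at check time; a
    # signer certificate revoked by its CA generally no longer yields 'Valid'
    # (it is reported as NotTrusted or UnknownError with a revocation message).
    $reasons = @()
    if ($sig.Status -ne 'Valid') {
        $reasons += "status=$($sig.Status): $($sig.StatusMessage)"
    }
    # A signature that still validates but comes from a signer we have chosen
    # to distrust is exactly the Bit9 scenario: block on identity, not validity.
    if ($thumb -and ($Blocklist -contains $thumb)) {
        $reasons += "signer thumbprint $thumb is blocklisted"
    }

    [pscustomobject]@{
        Path       = $Path
        Signer     = if ($cert) { $cert.Subject } else { '<unsigned>' }
        Thumbprint = $thumb
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Sweep a directory tree (placeholder path) and report only the suspicious files.
Get-ChildItem -Path 'C:\Path\To\Scan' -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SuspiciousSignature -Path $_.FullName } |
    Where-Object { $_.Suspicious } |
    Format-Table Path, Signer, Reasons -AutoSize
```

Revocation checking depends on the host being able to reach the CA’s CRL or OCSP endpoint, and a signature that was timestamped before the certificate’s revocation date can still verify as valid, which is why the thumbprint blocklist is kept alongside the status check.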

Digital certificates are also stolen for cyber espionage purposes: cyber criminals and governments can use stolen certificates to conduct “man-in-the-middle” attacks, tricking users into thinking they are at a legitimate site when in fact their communications are being secretly intercepted and tampered with. That is, for example, what occurred in the DigiNotar case, in which companies like Facebook and Google, as well as intelligence agencies such as the CIA and MI6, were targeted in the Dutch government certificate hack.

In conclusion, in an incident like the one that hit Bit9, the only way to limit serious damage is to immediately inform the victims, the potential targets of the attack, and the public.

Pierluigi Paganini
