Security company Bit9 hacked
Unknown perpetrators have penetrated security company Bit9's network and gained access to one of the company's code-signing certificates. They then used the certificate to sign malware, which was distributed to the company's customers. According to Bit9, the hackers were able to mount the attack because the company had failed to install its own security product on some computers on the company network.
Bit9 provides protection for company networks by turning the principle of conventional anti-virus software on its head – rather than using a blacklist to block execution of known malicious code, it uses a whitelist to restrict execution to previously tested applications. Trust in the supplier is a fundamental component of their protection concept, since the supplier decides which programs are added to the whitelist.
Some customers may now be questioning that trust, given that hackers were able to access the Bit9 network and steal a code-signing certificate. The certificate was used to sign malware which has now been discovered at three Bit9 customers. As the security company explains in its blog posting, it had failed to install its own security software on a "handful of computers" on the company network, enabling the unknown hackers to penetrate the network and access the certificate.
It seems reasonable to assume that hacking Bit9 was merely a means to an end. The ultimate goal seems to have been to carry out targeted attacks on a company using Bit9 software to protect its systems. The readiness of criminals to overcome major obstacles was amply demonstrated two years ago in the course of a hack at defence contractor Lockheed Martin. In preparation for the attack on Lockheed, the hackers initially hacked RSA in order to steal confidential information on SecurID tokens used by Lockheed Martin. This information was then used for the actual attack.
Bit9 is hard at work to limit the damage. The company has revoked the affected certificate and released a patch for its security software to prevent execution of the illegally signed code.