Hackers accessed Bit9’s code-signing certificates, enabling intruders to digitally sign malware to appear as legitimate files, the vendor announced Friday. Bit9, a company that provides software and network security services to the U.S. government and at least 30 Fortune 100 firms, has suffered an electronic compromise that cuts to the core of its business: helping clients distinguish known “safe” files from computer viruses and other malicious software.
Massachusetts-based Bit9 is a leading provider of “application whitelisting” services, a security technology that turns the traditional approach to fighting malware on its head. Antivirus software, for example, seeks to identify and quarantine files that are known bad or strongly suspected of being malicious. In contrast, Bit9 specializes in helping companies develop custom lists of software that they want to allow employees to run, and to treat all other applications as potentially unknown and dangerous.
But earlier today, Bit9 told a source for KrebsOnSecurity that its corporate networks had been breached in a cyberattack. Ironically, the breached Bit9 system was not protected with the company’s own software. This attack bears similarities to the 2011 attack on RSA, in which attackers stole information that was likely used to conduct attacks on other organizations. According to the source, Bit9 said that some customers had discovered malware inside their own Bit9-protected networks, malware that was digitally signed by Bit9’s own encryption keys. According to a blog post Friday from Bit9 CEO Patrick Morley, miscreants were able to turn Bit9’s secret sauce against them by getting hold of the vendor’s digital signatures and then delivering malware to a handful of customers that appeared to be on their trusted list of software.
It’s unclear how the intruders initially gained access to Bit9 systems.
“We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9,” Morley wrote.