Bit9 Hacked: Stolen Digital Keys Used to Sign Malware

In the latest attack targeting a security firm, online intruders compromised systems at software-reputation firm Bit9, stealing the digital certificates used to sign its own software.

Unknown attackers compromised systems at security provider Bit9, stealing a critical digital certificate that allowed the intruders to infect systems of the company's customers, the firm said in statements posted over the weekend.

Bit9 gave scant details about the intrusion, stating that due to its own error "a handful of computers within our network" were left unprotected. The company notified its customers of the breach the morning of Feb. 8, and at least one firm leaked the notice to the media.

"Our investigation indicates that only three customers were affected by the illegitimately signed malware; we are continuing to monitor the situation," the company said in the statement. "Since we discovered this issue, we have been working closely with all of our customers to ensure they are no longer vulnerable to malware associated with the affected certificate."

On Feb. 9, the company posted some more details to its site, including that it had shared the cryptographic hashes of the malicious files with its customers.

The attack on Bit9, which provides security based on extensive lists of "good" and "bad" software, is the latest compromise of a company whose products underpin the digital protections at major firms worldwide. In March 2011, systems at digital-authentication provider RSA were compromised and a database containing the seeds for its one-time password tokens stolen.

The same month, online certification authority Comodo was successfully tricked into issuing digital certificates for major domains—such as Google and Microsoft--to a fraudster. In September 2011, Google warned its users that a breach at DigiNotar had allowed attacks on its Iranian users. Both companies blamed hackers working for other nations as the source of the attacks.

Attackers are focusing on security providers as a way to better leverage attacks against their true target: Sensitive government agencies and private-sector firms, said Scott Crawford, managing research director at industry-analyst firm Enterprise Management Associates.

"The security industry itself has been under attack," he said. "I think they need to stop and take a serious look at how well prepared they are to defend their own systems."

Bit9 counts among its customers the Defense Information Systems Agency (DISA), the Centers for Disease Control and Prevention, the General Services Administration, the Department of Justice, the Department of Commerce and other federal agencies, according to research conducted by government IT publication NextGov.

When contacted by email, Bit9 refused to comment further on the attack, pointing this reporter to its online statements.

As part of its response to the attack, however, the company revoked the digital certificate and closed the security holes in its network. The company is also working on developing a patch for its products to foil future attacks signed with its keys and continue monitoring its service for additional malicious files.

"We will share more intelligence at the right time—network information, tactics, files and hopefully more," the company stated. "The investigation is ongoing. We’re not going to share details that will compromise our customers or violate confidentiality, nor are we going to share details that will compromise our own security."