Bit9 Hack Started Last Summer

Wednesday, February 27, 2013 @ 03:02 PM gHale

The attack against Bit9 began last July, and its end result was the compromise of one of the company’s code-signing certificates.

The attackers first breached the company’s systems in July 2012, said Bit9 Chief Technology Officer Harry Sverdlove. Most likely, they leveraged an SQL Injection vulnerability that plagued its public website at the time.


The virtual machine accessed by the cybercriminals shut down in late July 2012 and remained offline until December, which is why the security firm was not able to detect the intrusion until January 2013, when the system came back online.

Once they gained access to the code-signing certificate, the attackers used it to sign a total of 32 files, including variants of the HomeUNIX and HiKit backdoors. HiKit is the backdoor application dropped on Bit9’s systems in July.

Sverdlove said the attack against the company is most likely part of a larger campaign aimed at U.S. organizations. However, he said the attacks didn’t appear to target critical infrastructure companies.

“Out of respect to those companies, we will not disclose the names or nature of those organizations, but we can say that this attack was not against critical infrastructure companies (e.g. utilities, banking, energy), nor was it against government entities,” Sverdlove said.

“We believe the attack was not financially motivated, but rather a campaign to access information. The motivation and intent of the attackers matters because it helps to explain the narrow scope of the compromise.”

“We believe the attackers inserted a malicious Java applet onto those sites that used a vulnerability in Java to deliver additional malicious files, including files signed by the compromised certificate,” Sverdlove said.
