Bit9 disclosed Friday that hackers had stolen digital code-signing certificates from its network and dropped malware in the systems of three customers, demonstrating how the weakest link in a security chain can sometime be the security vendor.
Bit9 sells technology that prevents any application that is not on a whitelist of approved software from being installed on a customer's computer system. The hackers apparently decided to get around this normally effective mechanism by going after the vendor itself.
The criminals took advantage of an "operational oversight" in which the vendor had failed to install its own product on a handful of computers within its network. "As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware," Bit9 Chief Executive Patrick Morley said in a blog post.
Bit9 said it found no weaknesses in its product, which it said was not compromised. Nevertheless, with the certificate in hand, the criminals were able to sign their malware and install it at three Bit9 customers, the vendor said. Bit9 did not identify the customers.
More than 1,000 organizations worldwide use Bit9 technology, including banks, retailers, energy and defense companies and federal agencies. More than two-dozen of its customers are Fortune 500 companies.
Bit9, which declined comment, did not say how the hackers penetrated its networks. However, the company took responsibility for the security breach. "We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9," Morley said.
The company took a number of steps to close the vulnerability. First, it revoked the stolen certificate and acquired a new one. It also installed its product on all its systems and is monitoring its whitelisting service for hashes from the illegitimately signed malware.
Jeremiah Grossman, founder and chief technology officer for website security company WhiteHat Security, said the hackers most likely tried and failed to penetrate the networks of Bit9 customers before turning their attention to the vendor itself.
"The weakest point in the chain is not their product. It's Bit9 the company," Grossman said. "That actually syncs up with what we see in the SSL certificate authority world. Bad guys have difficulty breaking SSL certificates on their own, so they go and target the certificate authority directly."
Stolen code-signing certificates has been used many times in malware before. The infamous Stuxnet malware discovered in 2010 used fraudulent certificates in gaining access to Iranian nuclear facilities. Last year, security companies identified multiple malware threats that used stolen certificates to bypass Windows defenses.
Peter Firstbrook, analyst for Gartner, said Bit9 technology could be used to block malware that contain the certificates. "It is just more time consuming," he said in an email.
Nevertheless, the theft highlights why organizations that need very high security should not trust certificates by themselves. "They have to verify the source of the code and identify it with a hash," Firstbrook said.