The Bit9 incident
We see in the news another example of cyber criminals successfully stealing a private certificate and using it to their nefarious advantage. In this instance, cyber criminals allegedly exploited weaknesses in perimeter defences and web application security to gain access to one of Bit9’s private certificates – https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/.
A private certificate is used to sign an encryption key, so that the end user knows the key was actually generated by the entity itself and not by some arbitrary organisation in between. It can also be used to sign anything else, from a PDF document through to an email, to prove the owner’s identity. Think of the traditional written signature: a digital certificate is pretty much its equivalent in the paper world.
Thus a private certificate should be kept VERY secure, with access limited to perhaps 2 or 3 people within an organisation. Ideally it should take those 2 or 3 people acting together to access or use the certificate (in the industry we call this dual control).
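To make the two points above concrete, here is an added example in Go (written for this post, not Bit9’s code or product): a private signing key is split into three shares with Shamir secret sharing so that any two custodians can rebuild it and sign a file’s hash, while one custodian alone gets nothing usable. The Ed25519 key, the 2-of-3 policy and the file contents are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Field for Shamir sharing: the Mersenne prime 2^521-1. Any 32-byte Ed25519
// seed is far below it, so a seed embeds as a field element with no range check.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))

// Share is one custodian's piece of the signing seed: the point (X, f(X)).
type Share struct {
	X int64
	Y *big.Int
}

// SplitSecret hides secret as f(0) of a random polynomial of degree threshold-1
// and hands out n evaluations. Any threshold of them recover f(0); fewer do not.
func SplitSecret(secret []byte, threshold, n int) ([]Share, error) {
	if threshold < 2 || n < threshold {
		return nil, fmt.Errorf("need 2 <= threshold <= n, got %d of %d", threshold, n)
	}
	coeffs := make([]*big.Int, threshold)
	coeffs[0] = new(big.Int).SetBytes(secret)
	for i := 1; i < threshold; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coeffs[i] = c
	}
	shares := make([]Share, n)
	for i := range shares {
		x := big.NewInt(int64(i + 1))
		y := new(big.Int)
		for j := threshold - 1; j >= 0; j-- { // Horner evaluation of f(x) mod prime
			y.Mul(y, x)
			y.Add(y, coeffs[j])
			y.Mod(y, prime)
		}
		shares[i] = Share{X: int64(i + 1), Y: y}
	}
	return shares, nil
}

// RecoverSecret interpolates f(0) from the given shares (Lagrange at x = 0),
// returned big-endian and left-padded to at least size bytes. With fewer than
// threshold shares the value is simply wrong: that is the dual-control property.
func RecoverSecret(shares []Share, size int) []byte {
	sum := new(big.Int)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares {
			if i == j {
				continue
			}
			num.Mul(num, big.NewInt(-sj.X))
			num.Mod(num, prime)
			den.Mul(den, big.NewInt(si.X-sj.X))
			den.Mod(den, prime)
		}
		term := new(big.Int).Mul(num, new(big.Int).ModInverse(den, prime))
		term.Mul(term, si.Y)
		term.Mod(term, prime)
		sum.Add(sum, term)
		sum.Mod(sum, prime)
	}
	out := sum.Bytes()
	if len(out) < size {
		out = append(make([]byte, size-len(out)), out...)
	}
	return out
}

// SignContents signs the SHA-256 digest of a file's contents with the key
// derived from seed and returns the public key a verifier needs.
func SignContents(seed, contents []byte) (ed25519.PublicKey, []byte) {
	priv := ed25519.NewKeyFromSeed(seed)
	digest := sha256.Sum256(contents)
	return priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, digest[:])
}

// VerifyContents checks a signature produced by SignContents.
func VerifyContents(pub ed25519.PublicKey, contents, sig []byte) bool {
	digest := sha256.Sum256(contents)
	return ed25519.Verify(pub, digest[:], sig)
}

// DualControlDemo: generate a seed, split it 2-of-3, rebuild it from two
// custodians' shares, sign a constructed file and verify; then show that one
// share alone does not yield the seed and that a tampered file fails to verify.
func DualControlDemo() (twoSharesSign, oneShareFails, tamperDetected bool, err error) {
	seed := make([]byte, ed25519.SeedSize)
	if _, err = rand.Read(seed); err != nil {
		return
	}
	var shares []Share
	if shares, err = SplitSecret(seed, 2, 3); err != nil {
		return
	}
	contents := []byte("constructed sample: bytes of an installer to be allow-listed")
	rebuilt := RecoverSecret([]Share{shares[0], shares[2]}, ed25519.SeedSize) // custodians 1 and 3
	pub, sig := SignContents(rebuilt, contents)
	twoSharesSign = VerifyContents(pub, contents, sig)
	lone := RecoverSecret([]Share{shares[1]}, ed25519.SeedSize) // custodian 2 acting alone
	oneShareFails = string(lone) != string(seed)
	tampered := append([]byte{}, contents...)
	tampered[0] ^= 0x01
	tamperDetected = !VerifyContents(pub, tampered, sig)
	return
}

func main() {
	a, b, c, err := DualControlDemo()
	fmt.Println("two shares sign:", a, "one share fails:", b, "tamper detected:", c, "err:", err)
}
```

The design point is that the whole seed only ever exists in memory at signing time, after two custodians have each contributed a share; at rest there is no single artefact that a SQL injection or a copied file could hand to an attacker. A production set-up would keep the rebuilt key inside an HSM rather than in process memory, but the 2-of-3 policy is the same.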
Full details of the hack are not yet available, but it appears that cyber criminals managed to get through web defences and pull out a private certificate. Bit9 are understood to have confirmed they fell victim to a SQL injection attack last summer, which led to the compromise. Whether the private key was stored in a table in a SQL database or pulled out by manipulating the application, we don’t know.
You might not know what Bit9 do, but they make a white-listing product and use this private key to sign the signatures that correspond to trusted files. So what the cyber criminals did was use the certificate to sign malicious pieces of code. That put anyone using Bit9 software at risk of the product recognising malware as known, good, trusted software and allowing users to execute it. Looking at their website they have a large government / defence customer base – https://www.bit9.com/customers/ and I would guess that those were the intended targets.
The compromised private certificate was used to sign malware in July 2012, and Bit9 only learned of the issue in January 2013. The private certificate in question has now been revoked and the issue fixed.
This is yet another attempt to defeat a layered security approach by going for the security controls themselves. The well documented RSA breach may have been used to defeat two-factor authentication, and this attack was used to defeat anti-malware controls. We can see how such an attack might be orchestrated – a “media.exe” file, signed by the Bit9 certificate, is emailed to an employee of a Bit9 customer.
The employee, perhaps thinking that Bit9 won’t let them open any unauthorised files, opens the file and executes the malware. If the desktop has an internet connection, a remote access session is established with a command and control centre and the cyber criminals have full access to the affected machine.
There would be little a target could do about this. If white-listing controls are defeated, there goes your last line of defence: no other security control could prevent custom malware from being executed, and the cyber criminals can bide their time, investigate disabling other security layers and strive to find a way in. A well configured proxy server might block the remote access tunnel, and a SIEM might detect unusual activity if correctly tuned, but only by collecting the big data and effectively monitoring it for suspicious activity would a target ever discover something malicious going on.
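As an added example of the kind of monitoring the last paragraph has in mind (this is illustrative code written for this post, not any vendor’s SIEM logic), the Go program below reads proxy log lines and flags client/destination pairs that connect on a near-fixed cadence, which is how a remote access tool that has nothing to say still gives itself away. The log lines, hosts and thresholds are all constructed; only the idea of looking for clockwork regularity in otherwise unremarkable outbound traffic is the point.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// Constructed proxy log (not from the post): "<RFC3339 time> <client> <destination> <method>".
// 10.1.2.3 reaches 203.0.113.7 roughly every five minutes; its other traffic is irregular.
const sampleLog = `
2013-02-11T09:00:00Z 10.1.2.3 203.0.113.7 CONNECT
2013-02-11T09:00:04Z 10.1.2.3 198.51.100.20 GET
2013-02-11T09:00:09Z 10.1.2.3 198.51.100.20 GET
2013-02-11T09:05:01Z 10.1.2.3 203.0.113.7 CONNECT
2013-02-11T09:09:58Z 10.1.2.3 203.0.113.7 CONNECT
2013-02-11T09:12:30Z 10.1.2.3 198.51.100.20 GET
2013-02-11T09:15:03Z 10.1.2.3 203.0.113.7 CONNECT
2013-02-11T09:20:00Z 10.1.2.3 203.0.113.7 CONNECT
2013-02-11T09:24:59Z 10.1.2.3 203.0.113.7 CONNECT
2013-02-11T09:31:15Z 10.1.2.3 198.51.100.20 GET
2013-02-11T09:33:40Z 10.1.2.9 203.0.113.7 CONNECT
`

// Beacon summarises one client/destination pair that connects on a fixed cadence.
type Beacon struct {
	Client, Dest string
	Hits         int
	MeanInterval time.Duration
	CV           float64 // std dev / mean of the inter-arrival times; near 0 means clockwork
}

// parseLog groups connection times by (client, destination); malformed lines are reported.
func parseLog(raw string) (map[[2]string][]time.Time, error) {
	byPair := map[[2]string][]time.Time{}
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) < 3 {
			return nil, fmt.Errorf("line %d: expected at least 3 fields", n+1)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		key := [2]string{f[1], f[2]}
		byPair[key] = append(byPair[key], ts)
	}
	return byPair, nil
}

// FindBeacons flags pairs seen at least minHits times whose inter-arrival
// times have a coefficient of variation at or below maxCV, most regular first.
func FindBeacons(raw string, minHits int, maxCV float64) ([]Beacon, error) {
	byPair, err := parseLog(raw)
	if err != nil {
		return nil, err
	}
	var out []Beacon
	for key, times := range byPair {
		if len(times) < minHits {
			continue
		}
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		gaps := make([]float64, 0, len(times)-1)
		for i := 1; i < len(times); i++ {
			gaps = append(gaps, times[i].Sub(times[i-1]).Seconds())
		}
		mean := 0.0
		for _, g := range gaps {
			mean += g
		}
		mean /= float64(len(gaps))
		if mean == 0 { // identical timestamps: a burst, not a cadence
			continue
		}
		variance := 0.0
		for _, g := range gaps {
			variance += (g - mean) * (g - mean)
		}
		cv := math.Sqrt(variance/float64(len(gaps))) / mean
		if cv <= maxCV {
			out = append(out, Beacon{key[0], key[1], len(times), time.Duration(mean * float64(time.Second)), cv})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].CV < out[j].CV })
	return out, nil
}

func main() {
	beacons, err := FindBeacons(sampleLog, 5, 0.2)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, b := range beacons {
		fmt.Printf("possible beacon: %s -> %s, %d hits every ~%s (cv=%.3f)\n",
			b.Client, b.Dest, b.Hits, b.MeanInterval.Round(time.Second), b.CV)
	}
}
```

On the sample data only the 10.1.2.3 to 203.0.113.7 pair is flagged; the ordinary browsing to 198.51.100.20 is both too infrequent and too irregular. The two thresholds are the tuning the paragraph talks about: a low minimum hit count or a generous CV limit will surface software update checks and similar legitimate schedules, so in practice the hits are joined against an allow-list of known update hosts before anyone is paged.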
That leads us to the next ISSA-UK event, being held in London on March 28th, which appropriately will be themed around Big Data and what we as security professionals should be advising our clients to combat emerging threats from cyber criminals. Please register here – http://bigdata28thmarch.eventbrite.com – and we look forward to seeing you.