BreachExchange mailing list archives

Hacking Victim Bit9 Blames SQL Injection Flaw


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Wed, 27 Feb 2013 09:31:25 -0500

http://www.cio.com/article/729401/Hacking_Victim_Bit9_Blames_SQL_Injection_Flaw

IDG News Service — Bit9 said a common Web application vulnerability
was responsible for allowing hackers to ironically use the security
vendor's systems as a launch pad for attacks on other organizations.

Based in Waltham, Massachusetts, the company sells a security platform
that is designed in part to stop hackers from installing their own
malicious software. In an embarrassing admission, Bit9 said earlier
this month that it neglected to install its own software on a part of
its network, which led to the compromise.

In a more detailed explanation on its blog on Monday, Bit9 said
attackers gained access by exploiting a SQL injection flaw in one of
its Internet-facing Web servers. A SQL injection flaw can allow a
hacker to enter commands into a web-based form and get the backend
database to respond.

The compromise happened around July 2012, wrote Bit9's CTO Harry
Sverdlove. Once inside Bit9, the hackers accessed a virtual machine
used to digitally sign code for Bit9, a security measure that verifies
the company's code is legitimate.

The compromised server was shut down for about six months, but was
brought back online in January. Bit9 then discovered the problem. "We
took immediate containment and remediation steps, revoked the
certificate in question and reached out to our entire customer base,"
Sverdlove wrote.

The hackers used Bit9's certificate to sign 32 of their own malicious
files and scripts. Sverdlove described some of the malware as
backdoors with the names "HiKit" and "HomeUNIX."

With Bit9's certificate, the malware would look legitimate to other
security software. As its investigation unfolded, Bit9 found that the
hackers planted the malware on other websites, constructing what is
known as a drive-by-download attack.

That attack would exploit users running outdated versions of Oracle's
Java software, which had been found to contain numerous
vulnerabilities in recent months.

"We believe the attackers inserted a malicious Java applet onto those
sites that used a vulnerability in Java to deliver additional
malicious files, including files signed by the compromised
certificate," Sverdlove wrote.

All told, three Bit9 customers were attacked, but Sverdlove did not
reveal their names. More than 1,000 companies use Bit9's software,
including Fortune 500 companies in banking, energy, aerospace and
defense and U.S. federal government agencies.

Sverdlove wrote that the attacks appeared to be designed to
"infiltrate select US organizations in a very narrow market space."
Utilities, banks and government entities were not affected, he wrote.

Once the malware was installed, it communicated with servers on IP
ranges belonging to network providers including New Century InfoComm
Tech Co., Ltd. of Taiwan, the Asia Pacific Network Information Centre
in South Brisbane, Australia, and Sparkstation in Singapore.

Bit9 said its product code was not affected, but it is reviewing its
entire code base. The company also is undergoing a security audit and
"addressed the errors that led to the compromise," Sverdlove wrote.

"While we believe Bit9 is the most effective protection you can have
on your endpoints, I've always said there is no silver bullet to
security," he wrote. "This incident has only fortified what we already
knew...the enemy is persistent, sophisticated and motivated."
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
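As an added illustration of the flaw class the article names (this is constructed example code, not code from Bit9, IDG or the article), the snippet below contrasts a login query that pastes form input straight into the SQL text with the parameterized form; the users table, the credentials and the crafted input are assumed sample values.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the backend database
    # behind a web login form (not from the article).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Form input is interpolated into the SQL string, so quote
    # characters in the input become part of the statement the
    # database parses: the input can change what the query does.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    # Placeholders fix the statement structure up front; the driver
    # passes the input purely as data, so quoting in it is inert.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    conn = make_db()
    good = ("alice", "correct-horse")
    # Constructed input that closes the quoted string and makes the
    # WHERE clause always true; '--' comments out the password check.
    crafted = ("' OR 1=1 --", "irrelevant")
    return {
        "vuln_good": login_vulnerable(conn, *good),       # ['alice']
        "vuln_crafted": login_vulnerable(conn, *crafted), # ['alice']
        "safe_good": login_parameterized(conn, *good),    # ['alice']
        "safe_crafted": login_parameterized(conn, *crafted),  # []
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The same crafted input logs in through the concatenated query but matches nothing once the query is parameterized, which is the property a code review or a web application scan should be checking for on every Internet-facing form.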