The security firm provides more details regarding the recent security incident
Bit9 has published some more details regarding the recent security incident in which one of its code-signing certificates was compromised. According to Bit9 Chief Technology Officer Harry Sverdlove, the attackers first breached the company’s systems in July 2012. Most likely, they leveraged an SQL injection vulnerability that plagued its public website at the time.
The virtual machine accessed by the cybercriminals was shut down in late July 2012 and remained offline until December, which is why the security firm was not able to detect the intrusion until January 2013, when the system was brought back online.
Once they gained access to the code-signing certificate, the attackers used it to sign a total of 32 files, including variants of the HomeUNIX and HiKit backdoors. It’s worth noting that HiKit is the backdoor application dropped on Bit9’s systems in July 2012.
Sverdlove has revealed that the attack against the company is most likely part of a larger campaign aimed at US organizations. However, the CTO explained that the attacks didn’t appear to target critical infrastructure companies.
“Out of respect to those companies, we will not disclose the names or nature of those organizations, but we can say that this attack was not against critical infrastructure companies (e.g. utilities, banking, energy), nor was it against government entities,” Sverdlove said.
“We believe the attack was not financially motivated, but rather a campaign to access information. The motivation and intent of the attackers matters because it helps to explain the narrow scope of the compromise.”
The company points out that the attacks against their three customers were similar to the ones that affected Facebook, Microsoft and Apple. However, Bit9 didn’t specifically say that there was a connection between the incidents.
“We believe the attackers inserted a malicious Java applet onto those sites that used a vulnerability in Java to deliver additional malicious files, including files signed by the compromised certificate,” Sverdlove noted.