The security firm Bit9 released a more detailed analysis of the hack of its corporate network, saying it was part of a larger operation aimed at firms in a “very narrow market space” and intended to gather information from those firms.
The analysis, posted on Monday on Bit9’s blog, is the most detailed to date of a hack that was first reported on February 8 by the blog Krebsonsecurity.com, but that began in July 2012. In the analysis, Bit9 Chief Technology Officer Harry Sverdlove said that 32 separate malware files and malicious scripts were whitelisted in the hack. Bit9 declined to name the three customers affected by the breach, or the industry segment that was targeted, but denied that it was a government agency or a provider of critical infrastructure such as energy, utilities or banking.
The broad outlines of the story about the hack of Bit9, which sells application “whitelisting” technology, remain the same. The company said that attackers gained access to its network by exploiting a vulnerable, Internet-facing application using a SQL injection attack. That compromise gave the attackers control over two Bit9 user accounts, which were used to access a virtual system within Bit9 that was not protected by the company’s software and that contained an older digital code-signing certificate that was still valid but no longer in use by Bit9. The compromised signing server had been inactive, but was brought online temporarily in July, then taken offline until December 2012, at which point the attack resumed.
According to Sverdlove, the attackers placed two variants of a piece of malware known as “HiKit” on Bit9’s network, each communicating out to a different remote command and control (C&C) infrastructure. The attackers then uploaded malicious files, including variants of the “HiKit” and “HomeUNIX” backdoors, signed them using the Bit9 certificate, and then retrieved those signed files from Bit9, Sverdlove wrote.
Those signed files and scripts were later deposited on customer networks that had been compromised in what Bit9 described as a “watering hole style attack, similar to what was recently reported by Facebook, Apple and Microsoft.” Because the applications had been signed by Bit9, they were treated as legitimate applications on the three customer networks that were the intended targets.
HiKit is known as a sophisticated Trojan horse program that is used specifically for information gathering. In an August 2012 report, the security firm Mandiant described it as a sophisticated program that combines “advanced capabilities with exceptionally clever mechanisms for persistence and hiding on a host.”
The analysis is bound to spark more speculation about the targets of the attack and the parties responsible for carrying out the hack of Bit9 and of the target companies. Initial results from Bit9’s analysis point to attackers in China and the Asia-Pacific region, though firm ties to any country are hard to find. Among other things, analysis of the malicious applet dropped on customer networks shows it is a Hydraq dropper that drops a variant of the Hydraq (aka Aurora) trojan. That malware has been used in sophisticated attacks on technology firms, including Google.
As for which customers were targeted, it’s difficult to know for sure. Weeding out government, financial services and critical infrastructure leaves two other main categories of Bit9 customers: retail, and technology and services companies, including Internet services, social networking and search. In addition, Bit9’s likening of the attack to those against Facebook, Twitter and Apple in recent weeks raises the question of whether the hack was related to that attack. One final clue: at least one beacon from a compromised system on Bit9’s network connected to an IP address that is “part of a recent sinkholing operation.” That may refer to Facebook’s recent efforts to sinkhole the command and control infrastructure that was behind an attack on its users.