Earlier today we informed our customers about a potential security concern. Out of respect for our customers, we chose to contact them first before making a statement in public. We wanted to be certain our customers heard from us and had the opportunity to make any changes they needed before we brought this to a wider audience.
In brief, here is what happened. Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network. As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates, which they then used to illegitimately sign malware. There is no indication that this was the result of an issue with our product. Our investigation also shows that our product was not compromised.
We simply did not follow the best practice we recommend to our customers: making certain our product is installed on every physical and virtual machine within Bit9.
Our investigation indicates that only three customers were affected by the illegitimately signed malware. We are continuing to monitor the situation. While this is an incredibly small portion of our overall customer base, even a single customer being affected is clearly too many.
Since we discovered this issue, we have been working closely with all of our customers to ensure they are no longer vulnerable to malware associated with the affected certificate. In order to protect our customers’ security, we won’t be going into detail regarding all of the steps we’ve taken, but we can provide a summary of what we have done:
- We revoked the affected certificate and acquired a new one.
- We eliminated the operational issue that led to the illegal access to the certificate and ensured Bit9 is installed on all of our physical and virtual machines.
- While our investigation shows our product was not compromised, we are finalizing a product patch that will automatically detect and stop the execution of any malware that illegitimately uses the certificate.
- We have been proactively monitoring the Bit9 Software Reputation Service for hashes from the illegitimately signed malware.
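The steps above (detecting binaries signed with the affected certificate and collecting their hashes) are something a customer can also do on their own hosts while waiting for the patch. The following PowerShell hunt script is an added example, not Bit9's code or part of the original statement. It walks a set of directories, reads each PE file's Authenticode signer with the built-in Get-AuthenticodeSignature cmdlet, and reports any file whose signer thumbprint is on a blocklist. The thumbprint, the directory roots and the output file name are placeholders assumed for illustration; the real thumbprint would come from the vendor's customer notice, which this page does not include.

```powershell
# Added example (not Bit9's code): hunt a Windows host for PE files whose
# Authenticode signer matches a blocklisted code-signing certificate.
# The thumbprint below is a placeholder; substitute the SHA-1 thumbprint
# of the certificate named in the vendor's notice.
$BlockedThumbprints = @(
    '0000000000000000000000000000000000000000'   # placeholder, not a real value
)

# Directories to sweep (assumed; widen or narrow for your estate).
$Roots = @("$env:SystemDrive\", "$env:ProgramData", "$env:TEMP")

$hits = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll, *.sys, *.ocx -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        # Key on the signer's thumbprint, not on $sig.Status, so the check
        # fires whether or not the chain still validates on this host.
        if ($cert -and ($BlockedThumbprints -contains $cert.Thumbprint)) {
            [pscustomobject]@{
                Path       = $_.FullName
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                Status     = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

$hits | Format-Table -AutoSize

# Hashes of anything found can be fed to an allowlisting or reputation
# service as a blocklist entry (output file name is a placeholder).
$hits | Select-Object Path, SHA256 | Export-Csv -Path .\blocked-signer-hits.csv -NoTypeInformation
```

Run it from an elevated prompt so that system directories are readable. Matching on the thumbprint rather than on the signature's validity status is deliberate: the goal is to find every file signed with the affected key, and a signature's validity on a given host depends on that host's trust store and revocation checking, which the thumbprint comparison does not.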
We endeavor to operate Bit9 with the highest level of security possible. In the interest of security and brevity, we won’t outline it all here, but we will summarize what we do: we operate a complete security stack and a security operations center with a full-time staff monitoring all activity. We have regular third-party security audits. We stay on top of the latest advancements in security technologies and techniques.
While we (and we hope our customers) are comforted somewhat by the fact that this incident was not the result of an issue with our product, the fact that this happened—even to us—shows that the threat from malicious actors is very real, extremely sophisticated, and that all of us must be vigilant. We are confident that the steps we have taken will address this incident while preventing a similar issue from occurring again.
We share a common goal with our customers: defending against the malicious type of activity that caused this incident.
We are committed to doing right by our customers and maintaining their full trust and confidence.