The terribleness of security companies never ends. The latest example of that is something we ran across today while looking in to a claim that outdated software was the cause of a security issue on a server. What had been pointed to as evidence of that was a report from a security company named BitNinja. That report was claiming that there was malicious activity based on emails being sent from software on a website, but based on the information provided there was nothing that we could see that would indicate if there really was an issue or if there was a false positive happening (it would seem that the company doesn’t have a good understanding of what information is important to determine that sort of thing).
In looking over BitNinja we quickly ran across evidence of them spreading false information, which happened to involve a topic we just discussed earlier today, exploitation of a recently fixed vulnerability in MODX. The title of a blog post on their website made a striking claim about that, “Critical zero-day vulnerability in MODX Revolution patched by BitNinja WAF”. A zero-day vulnerability refers to a vulnerability that is being exploited before the developer is aware of it, so they have had zero-days to fix it. That obviously is quite concerning since doing the security basic of keeping software up to date wouldn’t protect against and if there was a security system that could protect against such a situation it would be useful.
With a website that had been hacked through that vulnerability the attempts to exploit it on that website started about a week after the vulnerability was fixed, with the first attempts logged on July 19. There was nothing we saw in looking into the situation that would indicate that that this was a zero-day vulnerability.
BitNinja seems to either not have any idea what they are talking about or intentionally misleading people as their claim that this is zero-day vulnerability is based on spotting exploitation attempts two weeks after a fix for the vulnerability had been released:
At 26th July at 6 PM, the flow has been started according to our data. This botnet is really aggressive, as, in the first 6 hours, we detected almost 13.000 attacks!
They also were quite behind in even spotting the attacks, which doesn’t say great things about them either.
Blaming the Victim
Looking at their About Us page a couple of things stood out to us, one of them being them starting with a claim of near equivalency between hackers and people running web servers:
We believe every server owner is responsible for their servers. If they have been hacked – and used for cybercrime – the owner is almost as guilty as the hacker is.
There also is the basis of their business that doesn’t seem to be from a security background, but one of a web host not being able to maintain their servers:
We couldn’t ensure the security of our servers beyond applying continuous updates. To make matters worse, we started losing customers after a series of downtimes. We quickly realized that server security is not a question of a single component but is about several components working together to harden a server. This inspired us to create BitNinja, an all-in-one security solution designed for hosting providers.
They don’t make any claim to having security expertise on that page (not that it would mean much based on what we have seen of security companies making such claims).