The security firm Bit9 disclosed Friday that it has been the victim of a hack and that attackers have used the firm’s own software to spread malware even further.
The hack was first reported by Krebs on Security’s Brian Krebs, who noted that Bit9’s own encryption keys were on several pieces of malware — essentially making the security firm, which certifies safe software, a vector for the distribution of the bad software.
Confirming the attack, the company said that the problem was not due to a flaw in its software, but because it hadn’t fully locked down its own computer systems.
“Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network,” the company’s chief executive officer, Patrick Morley, said in a blog post Friday. “As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware.”