Friday-afternoon bad-news announcements have become something of a tradition in the tech industry, and yesterday was no exception as Facebook admitted its employee network had been infiltrated by malicious hackers.
“Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack,” stated the posting on Facebook’s official security blog. “This attack occurred when a handful of employees visited a mobile developer website that was compromised.”
Facebook didn’t say exactly which mobile developer website that was, but a researcher at the Stop Malvertising blog did some digging and thinks the malicious code might have been housed on a discussion-forum page at http://www.dreamincode.net. (Don’t go there to find out.)
If so, this would be a textbook example of a “watering hole” attack, in which websites of interest to particular communities are corrupted in order to target that community.
Facebook stated in bold text that no user data was compromised, but was fairly candid about how malware was able to penetrate its employee network.
“The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops,” the statement continued, describing a classic drive-by download in which malware is installed through a Web browser without any user interaction beyond loading the page.
“The laptops were fully-patched and running up-to-date anti-virus software,” Facebook said, meaning that patching and antivirus alone would not have stopped the malware.
Not much, that is, except disabling Java in the browser, as security experts advise all users to do.
“After analyzing the compromised website where the attack originated, we found it was using a ‘zero-day’ (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware,” the Facebook statement said.
“We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability.”
Facebook’s network penetration sounds an awful lot like what happened to Twitter at about the same time. On Feb. 1, Twitter announced that 250,000 user passwords had been reset following the penetration of the company network.
In his own blog posting, Twitter security chief Bob Lord wouldn’t directly say how his company had been compromised, but gave it away in his advice that all users disable Java in their browsers.
Facebook head of security Joe Sullivan gave more details of the top social network’s breach to the tech blog Ars Technica yesterday.
Sullivan said Facebook researchers managed to isolate and “sinkhole” the malware’s command-and-control server, allowing them to spot traffic from compromised networks at other companies.
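To show what a sinkhole buys a responder, here is an added example (not Facebook’s tooling, and not described anywhere on this page) that does the triage step Sullivan alludes to: once the C2 hostname resolves to a server you control, every infected machine that still beacons to it shows up in your logs, and grouping those hits by the network they come from tells you which other organisations are compromised. The log format, the hostname c2.example.invalid, the beacon path and the network-to-company table are all constructed for the demonstration; a real investigation would substitute whois, BGP or netflow data for the ownership table.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample of a sinkhole's connection log. Assumed format:
# "<iso timestamp> <source ip> <requested host> <request path>".
# The C2 hostname and the beacon path are placeholders, not the real malware's.
SINKHOLE_LOG = """\
2013-02-01T03:12:44Z 203.0.113.17 c2.example.invalid /beacon?id=a1
2013-02-01T03:12:59Z 203.0.113.17 c2.example.invalid /beacon?id=a1
2013-02-01T03:15:02Z 198.51.100.8 c2.example.invalid /beacon?id=77
2013-02-01T04:01:10Z 192.0.2.200 c2.example.invalid /beacon?id=c9
2013-02-01T04:03:33Z 192.0.2.201 c2.example.invalid /beacon?id=c9
2013-02-01T05:40:00Z 10.9.8.7 c2.example.invalid /beacon?id=ff
"""

# Constructed, hypothetical mapping of egress ranges to their owners. It stands
# in for the whois/BGP lookups a responder would run against real source IPs.
NETWORK_OWNERS = {
    "203.0.113.0/24": "Company A",
    "198.51.100.0/24": "Company B",
    "192.0.2.0/24": "Company C",
}


def parse_line(line):
    """Split one sinkhole log line into a dict with a parsed timestamp and IP."""
    ts, src, host, path = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": ipaddress.ip_address(src),
        "host": host,
        "path": path,
    }


def owner_of(ip, owners=NETWORK_OWNERS):
    """Return the organisation whose range contains ip, or None if unknown."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    for cidr, name in owners.items():
        if ip in ipaddress.ip_network(cidr):
            return name
    return None


def victims_by_org(log_text, owners=NETWORK_OWNERS):
    """Group sinkhole hits by the network owner so each affected company can be notified.

    Returns {org: {"hosts": set of beaconing IPs, "beacons": hit count,
                   "first_seen": earliest timestamp}}. Hits from ranges not in the
    ownership table are collected under "unattributed" rather than dropped, since
    they still represent infected machines somebody has to find.
    """
    report = defaultdict(lambda: {"hosts": set(), "beacons": 0, "first_seen": None})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        org = owner_of(rec["src"], owners) or "unattributed"
        entry = report[org]
        entry["hosts"].add(str(rec["src"]))
        entry["beacons"] += 1
        if entry["first_seen"] is None or rec["ts"] < entry["first_seen"]:
            entry["first_seen"] = rec["ts"]
    return dict(report)


if __name__ == "__main__":
    for org, info in sorted(victims_by_org(SINKHOLE_LOG).items()):
        print(f"{org}: {len(info['hosts'])} host(s), {info['beacons']} beacon(s), "
              f"first seen {info['first_seen'].isoformat()}Z")
```

The point of the grouping is operational: a single beaconing IP is a ticket for one company’s incident-response team, so the report is keyed by owner rather than by host. Note that the 10.9.8.7 entry lands in the unattributed bucket; RFC 1918 sources in a sinkhole log usually mean the sinkhole itself sits behind a proxy or NAT, and that is worth fixing before drawing conclusions about who is infected.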
“Facebook was not alone in this attack. It is clear that others were attacked and infiltrated recently as well,” the official Facebook posting said. “As one of the first companies to discover this malware, we immediately took steps to start sharing details about the infiltration with the other companies and entities that were affected.”
Aside from Twitter, no other companies have come forward.
It’s not likely that this incident is related to the recently disclosed network penetrations at The New York Times, Wall Street Journal and Washington Post, all of which began months or even years before the Facebook attack.
However, it’s possible that the Facebook and Twitter attacks were the work of Chinese state-sponsored hackers, as the newspaper ones are assumed to have been.
While Eastern European cybercriminals are after money, Chinese hackers are after information, and digging up details on Facebook’s 800 million users would be a jackpot of data that could be leveraged in further social-engineering campaigns.
If one can get all the details from the Facebook account of a high-ranking Western defense-industry executive, it’s all the easier to craft an effective spear-phishing email that the executive would be sure to open.
Still, none of this would have happened had Facebook’s engineers, and presumably Twitter’s as well, not been running Java in the browser.
“We had already started an initiative to reduce our dependence on products that require Java plugins,” Sullivan told Ars Technica. “But it’s hard to do, because there are so many enterprise applications that require it.”