“Last month,” noted the company, “Facebook Security discovered that our systems had been targeted in a sophisticated attack.” It was a waterhole attack aimed at mobile developers. “This attack occurred when a handful of employees visited a mobile developer website that was compromised.” The exploit hosted on the developer site was a Java zero-day (patched by Oracle on 1 February) and it is likely that mobile developers from other companies would have been similarly compromised.
Facebook discovered the breach when it “flagged a suspicious domain in our corporate DNS logs and tracked it back to an employee laptop.” Examination of the laptop found it to be compromised, and a wider search discovered several other compromised laptops. Examination of the developer website “found it was using a ‘zero-day’ (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware.”
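The detection path described above (a suspicious domain in corporate DNS logs, traced back to the laptop that resolved it, then pivoting to the site that served the exploit) can be reproduced in miniature. The script below is an added illustration, not Facebook's tooling: it parses BIND-style query-log lines, flags domains that are either on an indicator watchlist or resolved by only a handful of hosts, and then lists the hosts to pull for forensics together with the domains those hosts have in common. The log lines, IP addresses, the `.invalid` domain names, the watchlist entry and the `.corp` internal-zone exclusion are all constructed for the example.

```python
"""Triage corporate DNS query logs: flag suspicious domains and trace them
back to the internal hosts that resolved them.

Added example; log format, domains, IPs and watchlist are constructed."""
import re
from collections import defaultdict

# Constructed sample in a BIND-style query-log layout (assumption: adjust
# LOG_RE for whatever resolver format is actually in use).
SAMPLE_LOG = """\
15-Feb-2013 09:12:01.123 client 10.20.30.41#52311: query: www.example-developer-site.invalid IN A
15-Feb-2013 09:12:02.001 client 10.20.30.41#52312: query: cdn.example-developer-site.invalid IN A
15-Feb-2013 09:12:04.550 client 10.20.30.41#52314: query: update.c2-placeholder.invalid IN A
15-Feb-2013 09:13:10.002 client 10.20.30.77#49101: query: mail.internal.corp IN A
15-Feb-2013 09:14:22.800 client 10.20.30.88#49155: query: www.example-developer-site.invalid IN A
15-Feb-2013 09:14:25.004 client 10.20.30.88#49160: query: update.c2-placeholder.invalid IN A
15-Feb-2013 09:20:00.000 client 10.20.30.99#50001: query: www.example-developer-site.invalid IN A
"""

LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\w+)")

# Placeholder indicator list (constructed): domains shared by peers, law
# enforcement, or an in-house malware analyst.
WATCHLIST = {"update.c2-placeholder.invalid"}

# Assumed internal DNS zone; names under it are never treated as "rare".
INTERNAL_SUFFIX = ".corp"


def parse(log_text):
    """Yield (client_ip, queried_name) pairs from query-log lines."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name").lower().rstrip(".")


def hosts_by_domain(log_text):
    """Map each queried domain to the set of internal hosts that asked for it."""
    index = defaultdict(set)
    for ip, name in parse(log_text):
        index[name].add(ip)
    return index


def flag_domains(index, watchlist=WATCHLIST, max_hosts=2):
    """Return {domain: reason} for domains on the watchlist or resolved by at
    most `max_hosts` distinct hosts. Rarity is only a prior for an analyst to
    confirm: a fresh C2 domain is usually queried by the few compromised
    machines, while a widely used site is queried by many."""
    flagged = {}
    for name, hosts in index.items():
        if name in watchlist:
            flagged[name] = "watchlist"
        elif len(hosts) <= max_hosts and not name.endswith(INTERNAL_SUFFIX):
            flagged[name] = "rare"
    return flagged


def pivot(index, flagged):
    """From flagged domains, derive (a) the hosts to examine forensically and
    (b) the domains every one of those hosts resolved, which is where a
    shared delivery site such as a watering hole shows up."""
    suspect_hosts = set()
    for name in flagged:
        suspect_hosts |= index[name]
    common = {name for name, hosts in index.items() if suspect_hosts <= hosts}
    return suspect_hosts, common


if __name__ == "__main__":
    idx = hosts_by_domain(SAMPLE_LOG)
    flags = flag_domains(idx)
    hosts, common = pivot(idx, flags)
    for name, reason in sorted(flags.items()):
        print(f"flagged {name} ({reason}) <- {sorted(idx[name])}")
    print("hosts to examine:", sorted(hosts))
    print("domains common to all suspect hosts:", sorted(common))
```

On the constructed sample, the watchlist hit and a rare name identify two laptops, and the one external site both laptops visited just before the flagged query stands out as the candidate delivery point. The rarity threshold and the watchlist are the tuning knobs; the first trades false positives for coverage, the second is only as good as the intelligence feeding it.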
The infected laptops, says the company, “were fully-patched and running up-to-date anti-virus software.” Since the exploit was a zero-day Java exploit, it is understandable that the anti-virus failed to stop it. However, in a separate interview with Ars Technica, Facebook’s CSO Joe Sullivan said the company recognized the malware that was deposited. “Facebook's security team has a dedicated malware researcher, Sullivan said, who was able to identify the malware,” reports Ars. “After analyzing it, the Facebook security team shared signature and forensic data from the malware with law enforcement and other companies.”
This raises some questions about the anti-virus being used by Facebook. Although it would be easy enough for the attackers to tweak the malware to defeat currently known signatures, if the malware was recognizable to Facebook staff then its behavior should also be known to the AV companies. The question then is whether the AV’s behavioral analysis should have detected its presence.
Facebook is adamant that no user data was compromised. “We have found no evidence that Facebook user data was compromised,” it says. Sullivan told Ars Technica that the attackers “were trying to move laterally into our production environment,” and that although they gained some visibility, they did not succeed in exfiltrating any data. “However, some of the information on the laptops themselves – ‘what you typically find on an engineer's laptop,’ Sullivan said – was harvested by the hackers, including corporate data, e-mail, and some software code.”
This latest breach confirms current advice. Do not use Java, or have Java plug-ins enabled in browsers, unless absolutely necessary. “I'd be very surprised,” comments Sophos’ Paul Ducklin, “if the mobile developer website alluded to above actually required Java, so there would have been no reason to have Java turned on for that site.” It also demonstrates that while up-to-date AV and patching remain essential, they are not enough. Ducklin suggests an intrusion prevention system (IPS) would help discover intruders and prevent exfiltration. Rob Kraus, director of research at the Solutionary Security Engineering Research Team (SERT), recommends increased intelligence. “To fully combat threats, organizations have to start knowing what the bad guys know – that is the only way to have a fighting chance.”