Facebook recently acknowledged in a blog post that it was hit by a “sophisticated attack” last month.
“This attack occurred when a handful of employees visited a mobile developer website that was compromised,” the company stated. “The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops. The laptops were fully-patched and running up-to-date anti-virus software. As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day.”
“The bug was uncovered when the Facebook Security team flagged a suspicious domain in its corporate DNS logs and tracked it back to an employee computer,” writes PCMag.com’s Chloe Albanesius. “An examination of the laptop revealed the malicious file, prompting a wider search — and the discovery of more malware. The file in question used a zero-day exploit that bypassed the Java sandbox to install the malware. ‘We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability,’ Facebook said.”
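The detection step described above, a suspicious domain surfacing in corporate DNS logs and being traced to one host, is the kind of check a security team can script. The following is an added illustration, not Facebook's tooling or code from the article: it parses resolver log lines in an assumed `<timestamp> <client-ip> <hostname> query <qname>` layout, flags queries to a known-bad watchlist or to domains outside an expected allowlist, and groups the hits by the client host so an analyst knows which laptop to examine. The log lines, the allowlist and the watchlist domains are all constructed placeholders.

```python
"""Flag suspicious DNS queries in resolver logs and map them to the client host.

Added illustration: the log format, hostnames and every domain below are
constructed placeholders, not indicators from the incident in the article.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class DnsQuery(NamedTuple):
    ts: str       # timestamp as it appears in the log
    client: str   # hostname of the machine that asked
    qname: str    # queried domain, lower-cased, no trailing dot


# Constructed sample log lines (assumed layout, see module docstring).
SAMPLE_LOG = """\
2013-01-15T09:12:03Z 10.1.4.22 eng-laptop-17 query www.example-corp.test
2013-01-15T09:12:05Z 10.1.4.22 eng-laptop-17 query cdn.example-corp.test
2013-01-15T09:12:40Z 10.1.4.22 eng-laptop-17 query update.placeholder-c2.test
2013-01-15T09:13:01Z 10.1.4.31 eng-laptop-09 query mail.example-corp.test
2013-01-15T09:13:44Z 10.1.4.31 eng-laptop-09 query xj7q.unknown-host.test
"""

# Domains the organisation expects its hosts to resolve (placeholder).
ALLOWLIST_SUFFIXES = ("example-corp.test",)
# Known-bad indicators; placeholders here, real ones come from threat intel.
WATCHLIST_SUFFIXES = ("placeholder-c2.test",)


def _matches_suffix(qname: str, suffixes: Iterable[str]) -> bool:
    """True if qname equals a suffix or is a subdomain of it.

    Anchoring on the label boundary ('.' + suffix) avoids matching
    look-alikes such as 'example-corp.test.evil.test'.
    """
    q = qname.lower().rstrip(".")
    return any(q == s or q.endswith("." + s) for s in suffixes)


def parse_dns_log(text: str) -> List[DnsQuery]:
    """Parse log text into DnsQuery records, skipping malformed lines."""
    queries: List[DnsQuery] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "query":
            continue  # malformed line: skip rather than abort the whole run
        ts, _ip, host, _kw, qname = parts
        queries.append(DnsQuery(ts, host, qname.lower().rstrip(".")))
    return queries


def flag_queries(queries: Iterable[DnsQuery]) -> Dict[str, List[Tuple[str, str]]]:
    """Return {client_host: [(qname, reason), ...]} for queries worth a look.

    'watchlist' hits take priority; anything outside the allowlist is
    reported as 'unexpected' so an analyst can triage first-seen domains.
    """
    findings: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for q in queries:
        if _matches_suffix(q.qname, WATCHLIST_SUFFIXES):
            findings[q.client].append((q.qname, "watchlist"))
        elif not _matches_suffix(q.qname, ALLOWLIST_SUFFIXES):
            findings[q.client].append((q.qname, "unexpected"))
    return dict(findings)


if __name__ == "__main__":
    for host, hits in flag_queries(parse_dns_log(SAMPLE_LOG)).items():
        for qname, reason in hits:
            print(f"{host}: {qname} ({reason})")
```

Grouping by client host is the point: a flagged domain on its own is only an indicator, while the host that resolved it is where the forensic work starts, as the account above describes. A real deployment would feed in the resolver's actual export format and a maintained allowlist rather than the placeholders here.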
Facebook chief security officer Joe Sullivan told Ars Technica’s Sean Gallagher that an analysis of the malware infection showed that the hackers were trying to access Facebook’s production environment. “The attackers gained ‘some limited visibility’ into production systems, but a forensic review found no evidence that data was exfiltrated from that,” Gallagher writes. “However, some of the information on the laptops themselves — ‘what you typically find on an engineer’s laptop,’ Sullivan said — was harvested by the hackers, including corporate data, e-mail, and some software code.”
Sophos’ Paul Ducklin suggests that if Facebook had implemented a company-wide policy of disabling Java in the browser, this probably wouldn’t have happened. “Even just using a browser with click-to-play (so that Java and Flash applets, amongst others, can’t launch quietly in the background from compromised websites) would surely have been enough,” Ducklin writes. “I’m guessing now, but I’d be very surprised if the mobile developer website alluded to … actually required Java, so there would have been no reason to have Java turned on for that site.”
“The lesson, for those who haven’t heard it several dozen times already: Disable Java in your browser,” writes Forbes’ Andy Greenberg.