Background

Sophisticated Attack Using Java Targets Facebook


Cyber attacks against journalists and media organizations around the world have increased over the past few years, as criminal hackers use them not only to obtain data but also as a way of censoring the press. Following attacks on two media organizations and on Twitter, Facebook admitted on February 15, 2013, that several employees' laptops and computers had been compromised in an attack.

The attack on Facebook exploited a Java vulnerability to infect the social giant's employees' computers and laptops, in what the company's security team described as a "sophisticated attack."

"The attack exploited a previously unknown vulnerability in Java", said Joe Sullivan, Facebook's Chief Security Officer. "The attack was injected into the site's HTML, so any engineer who visited the site and had Java enabled in their browser would have been affected, regardless of how patched their machine was."

"This looked like a new campaign that wasn't linked to previous Advanced Persistent Threat activities," Sullivan added.

Java has become a frequent target for attackers, with exploits often making their way into malware kits such as the notorious Blackhole kit, as well as the recently discovered exploit kit known as Whitehole, which security researchers found earlier this month targeting the known Java flaws CVE-2011-3544, CVE-2012-1723, CVE-2012-4681, CVE-2012-5076 and CVE-2013-0422.

No user data was compromised in the attack, Facebook's security team noted in its acknowledgement of the incident.

The Attack from the Inside

Facebook, which has grown to more than one billion users, said that its security team discovered the attack in January and that the company disclosed it on February 15. News of this attack surfaced after the attack on Twitter that led the microblogging service to prompt 250,000 of its users to reset their passwords. Twitter disclosed that attack on February 1, after the company detected unusual access patterns.

In Facebook's case, the company said it was compromised after a handful of employees visited a mobile developer website that had itself been compromised to serve an exploit, which allowed malware to be installed on the employees' laptops.

Although Facebook says its employees' computers and laptops were fully patched and running up-to-date antivirus software, the company still discovered the presence of the malware. Before it could do any damage, Facebook remediated all infected machines, informed law enforcement and began an investigation.

"In this particular instance, we flagged a suspicious domain in our corporate DNS logs and tracked it back to an employee laptop," according to Facebook. "Upon conducting a forensic examination of that laptop, we identified a malicious file, and then searched company-wide and flagged several other compromised employee laptops."

"After analyzing the compromised website where the attack originated, we found it was using a "zero-day" (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware. We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability."

"Facebook was not alone in this attack," according to the company's security team. "It is clear that others were attacked and infiltrated recently as well. As one of the first companies to discover this malware, Facebook immediately took steps to start sharing details about the infiltration with the other companies and entities that were affected, and plans to continue collaborating on this incident through an informal working group and other means."

According to security experts, the "sophisticated attack" on Facebook could indicate a much larger threat to mobile developers. The attacks on social media platforms point to a much larger problem for mobile app developers, whose systems could easily be compromised, resulting in thousands if not millions of apps being compromised.