Behind The Facebook Breach And Other High-Profile Attacks


Facebook is investigating a data security breach of its systems following the discovery of malware on the laptops of several of its employees.

The company said the attack occurred last month when a "handful" of employees visited a mobile developer website that was compromised. The laptops were fully patched and running up-to-date antivirus software, the company said in a security alert to Facebook users Friday.

"The compromised website hosted an exploit, which then allowed malware to be installed on these employee laptops," the company said." As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day."

[Related: Data Breach Threat Intelligence By The Numbers
]

There is no evidence that any Facebook user data was compromised, the company said. The attackers appeared to be targeting specific individuals as part of surveillance activities. Facebook said the attackers used a Java zero-day vulnerability, bypassing the sandbox built-in security restrictions to install the malware. Oracle issued an emergency patch fixing the Java zero-day vulnerability Feb. 1. It was the second time in a month that the company rushed out a Java security update.

Facebook's internal engineering teams are working with security teams at other companies as well as law enforcement to learn about the breach and how it can prevent it in the future. The company said it detected the intrusion after its monitoring team flagged a suspicious domain in its corporate DNS logs and tracked it back to an employee laptop. Forensics investigators identified the malicious file on the laptop and flagged several other compromised laptops.

"As one of the first companies to discover this malware, we immediately took steps to start sharing details about the infiltration with the other companies and entities that were affected," Facebook said. "We plan to continue collaborating on this incident through an informal working group and other means."

The Facebook breach announcement follows a string of high-profile attacks in recent weeks. Twitter reset the passwords of some of its earliest account holders following a successful infiltration of that social network's systems that could have exposed the sensitive data. The New York Times and The Wall Street Journal also revealed sophisticated attacks targeting their journalists.

Many of the campaigns stem from so-called Watering Hole attacks, in which a website commonly visited by the targeted individuals is compromised and hosts malware that installs on visitors' PCs. A report issued in January by Symantec connected the Watering Hole attack technique to at least one cybercriminal gang.

Experts say zero-day attacks are becoming a significant threat to organizations but, unfortunately, there isn't a lot IT administrators can do to secure desktops and laptops. They have to ensure that all hosts are correctly patched and then use gateway devices to filter out exploit code or look for suspicious Web URLs, said Gunter Ollmann, CTO of IOActive, in a recent interview with CRN. Intrusion prevention systems may not recognize an actual zero-day itself but it can detect the signs of an intrusion based on the origin of the attack, he said.

Over the past couple of years botnet operators and malware writers have become more specialized, offering their services to other cybercriminals, Ollmann said. Botnet operators in particular have the infrastructure capable for communicating via multiple channels to command and control servers and can rent them out as a service, Ollmann said.

"The last few years the business model of many cybercriminals has shifted to specializing in driving traffic to malicious websites," Ollmann said. "They exploit the Web browser and then drop malware on those boxes and we're finding that the malware belongs to other criminal groups."

PUBLISHED FEB. 19, 2013