Examining How Facebook Got Hacked
Zero-Day Exploit Bypassed Java Protections to Install Malware
Even the most savvy information technologists aren't immune from cyber-attacks. Just ask Facebook. The social-media titan says it fell victim to a sophisticated attack discovered in January in which an exploit allowed malware to be installed on employees' laptops.
In a blog posted by Facebook Security on Feb. 15, the company said it found no evidence that Facebook user data was compromised.
Here's what happened at Facebook, according to its blog:
Several Facebook employees visited a mobile developer website that was compromised. The compromised website hosted an exploit that then allowed malware to be installed on these employees' laptops.
"The laptops were fully-patched and running up-to-date anti-virus software," the blog says. "As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement and began a significant investigation that continues to this day."
Facebook Security flagged a suspicious domain in its corporate DNS (Domain Name System) logs and tracked it back to an employee laptop. The security team conducted a forensic examination of that laptop and identified a malicious file, then searched company-wide and flagged several other compromised employee laptops.
After analyzing the compromised website where the attack originated, Facebook found the site was using a previously unseen, zero-day exploit to bypass the Java sandbox (built-in protections) to install the malware. Facebook immediately reported the exploit to Oracle, and Oracle confirmed Facebook's findings and provided a patch on Feb. 1 that addressed the vulnerability.
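The detection workflow Facebook describes (flag a suspicious domain in DNS logs, trace it to a laptop, then sweep the fleet for other hosts resolving the same name), as an added example that is not from the article or Facebook's blog; the log lines, hosts and the watchlisted domain are constructed placeholders, since the article names no indicator:

```python
import re
from collections import defaultdict

# Constructed BIND-style resolver query log (hypothetical hosts and domains, not real indicators).
SAMPLE_LOG = """\
15-Jan-2013 09:12:01.112 client 10.20.1.17#51433: query: cdn.example.org IN A + (10.20.0.2)
15-Jan-2013 09:12:07.450 client 10.20.1.17#51440: query: update.bad-c2.example IN A + (10.20.0.2)
# malformed line that a parser must tolerate
15-Jan-2013 09:13:22.009 client 10.20.1.42#60211: query: mail.example.org IN A + (10.20.0.2)
15-Jan-2013 09:15:40.331 client 10.20.1.42#60230: query: update.bad-c2.example IN A + (10.20.0.2)
15-Jan-2013 09:16:02.777 client 10.20.2.9#49152: query: www.example.org IN A + (10.20.0.2)
15-Jan-2013 09:18:11.004 client 10.20.2.9#49160: query: sub.update.bad-c2.example IN A + (10.20.0.2)
"""

# Watchlist of suspicious domains (placeholder value; the real domain is not on the page).
WATCHLIST = {"update.bad-c2.example"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (timestamp, source_ip, query_name) per well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("src"), m.group("qname").rstrip(".").lower()


def matches_watchlist(qname, watchlist):
    """True if qname is a watchlisted domain or a subdomain of one (not a parent of one)."""
    return any(qname == d or qname.endswith("." + d) for d in watchlist)


def find_hosts_querying(text, watchlist):
    """Steps 1-2: flag watchlisted lookups and attribute each to its source host.
    Returns {source_ip: [(timestamp, qname), ...]} in order of first sighting."""
    hits = defaultdict(list)
    for ts, src, qname in parse_query_log(text):
        if matches_watchlist(qname, watchlist):
            hits[src].append((ts, qname))
    return dict(hits)


def sweep_for_peers(text, first_host, watchlist):
    """Step 3: after confirming first_host, list every other host that resolved a
    watchlisted name, i.e. the company-wide search for further compromised laptops."""
    return sorted(src for src in find_hosts_querying(text, watchlist) if src != first_host)
```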
Facebook says it wasn't the only victim of this exploit. "It is clear that others were attacked and infiltrated recently as well," the blog says. "As one of the first companies to discover this malware, we immediately took steps to start sharing details about the infiltration with the other companies and entities that were affected. We plan to continue collaborating on this incident through an informal working group and other means."
The social-media company says it is working with law enforcement and the other organizations affected by this attack. "It is in everyone's interests for our industry to work together to prevent attacks such as these in the future," Facebook says.
Sharing threat information has received much attention in Washington this past week. President Obama, in his State of the Union address on Feb. 12, announced an executive order that calls on the government to share cyberthreat information with critical infrastructure owners and called for legislation to allow businesses to share threat information with the government and with each other [see Obama Issues Cybersecurity Executive Order]. The following day, the heads of the House Permanent Select Committee on Intelligence introduced a bill to do just that [see Is Compromise in Offing for CISPA?].
Facebook is the latest high-profile media company to reveal it has been victimized by intruders. The New York Times, Wall Street Journal, Twitter and Washington Post have all reported attacks on their websites [see N.Y. Times' Transparent Hack Response and Twitter, Washington Post Report Cyberattacks].
The Facebook attack is reminiscent of the 2011 breach at security provider RSA, when a well-crafted e-mail tricked an RSA employee into retrieving a virus-laden message from a junk-mail folder and opening it, which led to a sophisticated attack on the company's information systems [see 'Tricked' RSA Worker Opened Backdoor to APT Attack].