The bad news: Facebook was one of the victims of what it called a “sophisticated attack,” whereby some of its employees’ laptops were inflicted with malware, and the investigation into the source of the attack is still ongoing. The good news: The social network said it found no evidence that user data were compromised.
The Facebook employees’ laptops were stricken after visiting the website of a mobile developer, which had already been infected. Other companies were affected, as well.
Facebook offered more details on the attack and the measures it took to defend itself and its users in a note on the Facebook Security page:
Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack. This attack occurred when a handful of employees visited a mobile developer website that was compromised. The compromised website hosted an exploit, which then allowed malware to be installed on these employee laptops. The laptops were fully-patched and running up-to-date antivirus software. As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day.
We have found no evidence that Facebook user data were compromised.
Facebook Security has a team dedicated to tracking threats and monitoring our infrastructure for attacks at all times. In this particular instance, we flagged a suspicious domain in our corporate DNS logs and tracked it back to an employee laptop. Upon conducting a forensic examination of that laptop, we identified a malicious file, and then searched companywide and flagged several other compromised employee laptops.
After analyzing the compromised website where the attack originated, we found that it was using a “zero-day” (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware. We immediately reported the exploit to Oracle, and it confirmed our findings and provided a patch on Feb. 1 that addresses this vulnerability.
We will continue to work with law enforcement and the other organizations and entities affected by this attack. It is in everyone’s interests for our industry to work together to prevent attacks such as these in the future.
This looked like a new campaign that wasn’t linked to previous Advanced Persistent Threat activities.
The attack was injected into the site’s HTML, so any engineer who visited the site and had Java enabled in their browser would have been affected, regardless of how patched their machine was.
It was novel. The fact that the machines were patched didn’t slow down the attackers.
They were trying to move laterally into our production environment.
We had already started an initiative to reduce our dependence on products that require Java plugins, but it’s hard to do, because there are so many enterprise applications that require it. If it wasn’t a Java plugin vulnerability, it could have been another.
People stayed cool under fire. To me, that felt like a good kind of response to a bad situation.
Image courtesy of Shutterstock.