Attackers used a Java vulnerability to infect Facebook employees in what the company’s security team described as a “sophisticated attack.”
The attack exploited a previously unknown vulnerability in Java, according to Ars Technica. Facebook Chief Security Officer Joe Sullivan told Ars Technica, “the attack was injected into the site’s HTML, so any engineer who visited the site and had Java enabled in their browser would have been affected, regardless of how patched their machine was.”
“This looked like a new campaign that wasn’t linked to previous Advanced Persistent Threat activities,” Sullivan added.
Java has become a frequent target for attackers, with exploits often making their way into malware kits such as the notorious Blackhole kit as well as the recently discovered exploit kit known as Whitehole, which was found by security researchers earlier this month targeting the known Java flaws CVE-2011-3544, CVE-2012-1723, CVE-2012-4681, CVE-2012-5076 and CVE-2013-0422. Earlier this month, Oracle pushed out an emergency patch to address a spate of ongoing attacks against Java.
According to Facebook, which has grown to more than one billion users, the attack was discovered by its security team in January and the company disclosed it on Feb. 15. News of this attack came on the heels of an attack on Twitter that caused the micro-blogging service to prompt 250,000 of its users to reset their passwords. Twitter disclosed the attack Feb. 1 after it detected unusual access patterns.
In the case of Facebook, the company said Friday that it was compromised after a handful of employees visited a mobile developer Website that had been compromised to serve an exploit that allowed malware to be installed on the employees’ laptops.
“The laptops were fully patched and running up-to-date antivirus software,” according to Facebook. “As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement and began a significant investigation that continues to this day.”
No user data was compromised in the attack, Facebook’s security team noted in its acknowledgement of the incident.
“In this particular instance, we flagged a suspicious domain in our corporate DNS logs and tracked it back to an employee laptop,” according to Facebook. “Upon conducting a forensic examination of that laptop, we identified a malicious file, and then searched companywide and flagged several other compromised employee laptops.”
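The detection path Facebook describes, flagging a suspicious domain in DNS resolver logs, tracing it to the querying host, then repeating the search company-wide, is easy to script once the logs are parsed. The example below is added here and is not Facebook's code; the log line format, the resolver addresses and the watchlisted domain (a reserved `.invalid` name standing in for whatever indicator an investigation produces) are all constructed for illustration. The watchlist match also catches subdomains of a flagged domain, which the article does not spell out but which is standard when a malware's beacon hostnames vary under one parent.

```python
import re
from collections import defaultdict

# Constructed sample DNS resolver log lines (not real corporate logs).
# Each line records which internal client asked the resolver for which name.
SAMPLE_DNS_LOG = """\
2013-01-14T09:12:03Z client=10.20.30.41 query=www.example-dev-site.test type=A
2013-01-14T09:12:04Z client=10.20.30.41 query=cdn.example-dev-site.test type=A
2013-01-14T09:12:09Z client=10.20.30.41 query=c2-placeholder.invalid type=A
2013-01-14T10:45:17Z client=10.20.30.88 query=mail.corp.example type=A
2013-01-15T02:03:55Z client=10.20.30.88 query=c2-placeholder.invalid type=A
2013-01-15T11:20:00Z client=10.20.30.122 query=update.c2-placeholder.invalid type=A
this line is malformed and must be skipped
"""

# Hypothetical log layout: "<timestamp> client=<ip> query=<name> type=<qtype>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) type=(?P<qtype>\S+)$"
)


def parse_dns_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            yield match.groupdict()


def matches_watchlist(qname, watchlist):
    """True if qname equals, or is a subdomain of, any watchlisted domain."""
    query = qname.lower().rstrip(".")
    for domain in watchlist:
        domain = domain.lower().rstrip(".")
        if query == domain or query.endswith("." + domain):
            return True
    return False


def hosts_that_queried(text, watchlist):
    """Map each client address to the (timestamp, qname) hits it produced.

    Run over one resolver's logs this traces a flagged domain back to a host;
    run over every resolver's logs it is the company-wide sweep for other
    machines that contacted the same indicator.
    """
    hits = defaultdict(list)
    for record in parse_dns_log(text):
        if matches_watchlist(record["qname"], watchlist):
            hits[record["client"]].append((record["ts"], record["qname"]))
    return dict(hits)


def first_seen(hits):
    """Earliest hit per host, the starting point for an incident timeline."""
    return {host: min(ts for ts, _ in events) for host, events in hits.items()}


if __name__ == "__main__":
    # Constructed indicator; a real investigation substitutes its own.
    watchlist = ["c2-placeholder.invalid"]
    hits = hosts_that_queried(SAMPLE_DNS_LOG, watchlist)
    for host, ts in sorted(first_seen(hits).items(), key=lambda kv: kv[1]):
        print(f"{host} first queried a watchlisted name at {ts}")
```

Feeding the output hosts into a forensic queue, and adding any new domains the host-level examination uncovers back into the watchlist, gives the iterate-and-sweep loop the article describes.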
“After analyzing the compromised Website where the attack originated, we found it was using a ‘zero-day’ (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware. We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on Feb. 1 that addresses this vulnerability.”
As part of its investigation, Facebook contacted security teams at other companies as well as law enforcement.
“Facebook was not alone in this attack,” according to the company’s security team. “It is clear that others were attacked and infiltrated recently as well. As one of the first companies to discover this malware, we immediately took steps to start sharing details about the infiltration with the other companies and entities that were affected.”
“We plan to continue collaborating on this incident through an informal working group and other means,” the team said.