Facebook on Friday announced its systems were compromised last month as part of a sophisticated attack exploiting a Java vulnerability. Although the investigation is still ongoing, the company says it has “found no evidence” that “user data was compromised.”
Facebook explains its security team discovered sometime in January that “a handful of employees” had visited an unnamed compromised mobile developer website hosting a Java exploit which then allowed malware to be installed on these employee laptops. Facebook says that the laptops in question “were fully-patched and running up-to-date anti-virus software.”
Facebook doesn’t give much of a timeline as to when the malware was installed nor when it discovered its existence. The company does say, however, that upon its finding, the infected computers in question were immediately remediated, law enforcement was contacted, and a “significant investigation” was launched “that continues to this day.” Facebook also says it is still working with security teams at other companies and with law enforcement authorities to learn everything about the attack and how to prevent similar incidents in the future.
Here’s the crux of what Facebook knows so far:
In this particular instance, we flagged a suspicious domain in our corporate DNS logs and tracked it back to an employee laptop. Upon conducting a forensic examination of that laptop, we identified a malicious file, and then searched company-wide and flagged several other compromised employee laptops.
After analyzing the compromised website where the attack originated, we found it was using a “zero-day” (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware. We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability.
Security gurus will remember that on this day Oracle released Java 7 Update 13. That patch addressed 50 vulnerabilities and arrived more than two weeks early (the February 2013 Critical Patch was originally scheduled for February 19), but it was rushed out because Oracle was notified of “active exploitation in the wild of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers.”
It’s still not clear which one of the 50 fixed flaws was the reason for the JRE rush fix. As we noted when Update 13 was released, between the previous patch and this most recent one, multiple vulnerabilities have been publicly discussed: at least one was being sold for $5,000 on January 16, two we reported about on January 18, and another one was mentioned on January 28.
Facebook says it was not alone in this attack, declaring that “it is clear that others were attacked and infiltrated recently as well” but the company’s influence definitely got Oracle moving. The social firm also said it was “one of the first companies” to discover the malware and thus started sharing details about the infiltration with other affected firms and “entities.”
You might be wondering why Facebook is only revealing this information now, especially given that it has 1 billion users, many of whom share very personal information on the social network. The reason is simple: don’t share bad news until you have something good to say (in this case, that user data is safe as far as the company can tell right now, the malware has been removed, and the flawed software has been patched).
This is probably why Facebook has waited at least two weeks (it’s likely more given that the breach was discovered in January, but the company won’t say exactly when) to reveal it was attacked. It’s also likely the reason why the news is being revealed on a Friday, and not, say, a Monday.
Facebook made the following promise to its members and the broader public: “We will continue to work with law enforcement and the other organizations and entities affected by this attack. It is in everyone’s interests for our industry to work together to prevent attacks such as these in the future.”
Correct. This is not the first time popular software like Oracle’s Java has been used to infiltrate companies, it won’t be the last, and those affected need to team up to fight back.
Image credit: Armin Hanisch