Facebook announced this evening that they have been the subject of a security breach impacting laptops used by some of their employees. According to the Facebook statement, the laptops of some of their employees were infected with malware last month when they visited a compromised mobile developer website. The compromised site hosted a previously unknown Java vulnerability which was used to download malware onto the laptops of the Facebook engineers. Even though those laptops were fully patched and had up-to-date anti-virus software installed, the previously unknown malware was able to penetrate these defences and infect the computers.
Facebook discovered the breach when reviewing their DNS logs and noticed traffic going to an unusual destination. Further investigation identified that an engineer's laptop was sending that traffic. Forensic examination of the laptop identified that it had been infected with malware. After examining the malware they were able to identify how it behaved and subsequently discovered other compromised laptops on their network. Facebook state that no user data was compromised in the breach.
Facebook also informed Oracle about the previously unknown Java vulnerability. Shortly afterwards Oracle released a patch.
The infected laptops were forensically examined, and the information from them and from Facebook's logs has been shared with law enforcement. The server controlling the malware has been sinkholed, and using the data gathered from that server other compromised companies have been identified and informed. For some of those companies the first they knew about the compromise was when they were contacted by Facebook.
Some lessons we can learn from the attack are:
- Criminals will no longer attack your systems directly but use various techniques to indirectly compromise your systems. In this case it was a waterhole attack where exploits are planted on a compromised website known to be visited by the desired target. Note at this stage we do not know whether this particular compromised website was used to target Facebook specifically. It could be this site was being used to target mobile developers in general to subsequently compromise some high value targets.
- Having your systems fully patched with up-to-date anti-virus software is an important part of your defences, but you cannot rely on them as your sole defences. You need to have other layers in place to protect your systems.
- Effective log monitoring and management can provide early indicators of an attack, allowing you to react quickly and effectively to the breach.
- Criminals will target certain groups within your organisation due to the access they may have to certain data or systems. In many organisations we've worked with, IT staff always have elevated privileges and admin rights to their computers. This makes them an ideal target group for criminals. I do not think it is a coincidence in this case that the criminals compromised a server for mobile developers.
- Good forensic investigations can discover exactly what was compromised and the extent of that compromise. In many cases the response to an infection is to reformat the affected machine and reinstall the software and applications. While this is a quicker way to deal with the issue, you sacrifice the ability to properly understand the extent of the breach.
- Working with law enforcement can help in identifying who is behind the attack and in disrupting their operation; it could even lead to arrests and convictions.
- Sharing information with law enforcement can help identify other potential victims, who may not be aware they were compromised.
- Providing clear and detailed information on how the compromise happened, what was impacted and what is being done to rectify the situation can provide a lot of comfort to your clients.
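The detection described above (an unusual destination surfacing from DNS query logs and being traced back to the laptop that issued it) and the log-monitoring lesson in the list are the kind of check a small script can illustrate. The following is an added example and is not Facebook's tooling or code from the original post: it builds a baseline of the registered domains queried in a known-good period, flags any domain in a later window that falls below a baseline threshold, lists the hosts that queried it, and scores how regularly one host queried it, since a fixed-interval query pattern is a common sign of malware calling home. The log format, host names, domain names and timestamps are all constructed for the example, and the registered-domain extraction is deliberately naive (last two labels) rather than using a public suffix list.

```python
"""Rare-destination and beacon-interval check over DNS query logs.

Added example, not from the original post. Log lines, host names and
domain names are constructed; a real deployment would read resolver logs
and use the public suffix list instead of the naive registered_domain().
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed baseline: "<ISO timestamp> <client host> <queried name>"
BASELINE_LOG = """\
2013-01-07T09:00:01 eng-laptop-01 www.example.com
2013-01-07T09:00:05 eng-laptop-02 cdn.example.net
2013-01-07T09:01:10 eng-laptop-01 updates.example.org
2013-01-07T09:02:00 eng-laptop-03 www.example.com
2013-01-07T09:03:30 eng-laptop-02 mail.example.com
"""

# Constructed later window: one host queries a never-seen domain every 5 min
WINDOW_LOG = """\
2013-02-01T10:00:00 eng-laptop-01 www.example.com
2013-02-01T10:00:00 eng-laptop-02 beacon.rare-dest.invalid
2013-02-01T10:05:00 eng-laptop-02 beacon.rare-dest.invalid
2013-02-01T10:10:00 eng-laptop-02 beacon.rare-dest.invalid
2013-02-01T10:12:00 eng-laptop-03 cdn.example.net
2013-02-01T10:15:00 eng-laptop-02 beacon.rare-dest.invalid
2013-02-01T10:16:00 eng-laptop-01 mail.example.com
"""


def parse_dns_log(text):
    """Parse the constructed log format into (timestamp, host, name) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, name = line.split()
        records.append((datetime.fromisoformat(ts), host, name.lower().rstrip(".")))
    return records


def registered_domain(name):
    """Naive registered-domain extraction: keep the last two labels."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def build_baseline(records):
    """Count how often each registered domain was queried in the baseline period."""
    return Counter(registered_domain(name) for _, _, name in records)


def find_rare_destinations(baseline, window_records, min_baseline_hits=1):
    """Return {domain: [(timestamp, host), ...]} for domains queried in the
    window that were seen fewer than min_baseline_hits times in the baseline."""
    findings = defaultdict(list)
    for ts, host, name in window_records:
        domain = registered_domain(name)
        if baseline.get(domain, 0) < min_baseline_hits:
            findings[domain].append((ts, host))
    return dict(findings)


def hosts_for_domain(findings, domain):
    """Which client hosts queried the flagged domain (the 'which laptop' step)."""
    return sorted({host for _, host in findings.get(domain, [])})


def periodicity(findings, domain, host, tolerance=0.2):
    """Median query interval in seconds for one host/domain pair, and the
    fraction of intervals within +/- tolerance of that median. A score near
    1.0 means the queries arrive on a fixed schedule, as a beacon would."""
    stamps = sorted(ts for ts, h in findings.get(domain, []) if h == host)
    intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    if len(intervals) < 2:
        return (0.0, 0.0)
    mid = median(intervals)
    regular = sum(1 for i in intervals if abs(i - mid) <= tolerance * mid)
    return (mid, regular / len(intervals))


def run():
    """Full pass over the constructed logs; returns a summary per flagged domain."""
    baseline = build_baseline(parse_dns_log(BASELINE_LOG))
    findings = find_rare_destinations(baseline, parse_dns_log(WINDOW_LOG))
    summary = {}
    for domain in findings:
        hosts = hosts_for_domain(findings, domain)
        summary[domain] = {h: periodicity(findings, domain, h) for h in hosts}
    return summary


if __name__ == "__main__":
    for domain, per_host in run().items():
        for host, (interval, score) in per_host.items():
            print(f"{domain}: {host} median interval {interval:.0f}s, regularity {score:.2f}")
```

The baseline threshold is the tunable part: a threshold of one hit flags anything never seen before, which is noisy on a large network, so in practice the baseline is drawn from weeks of logs and the rare-destination list is triaged in order of beacon regularity and of how privileged the querying hosts are.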
Well done to Facebook on being able to detect and respond to the attack. I would also commend them on the details they have shared about the incident and hopefully it can help others to learn and improve their own defences.