Laptops belonging to several Facebook employees were compromised recently and infected with malware that the company said was installed through the use of a Java zero-day exploit that bypassed the software’s sandbox. Facebook claims that no user data was affected by the attack and says that it has been working with law enforcement to investigate the attack, which also affected other unnamed companies.
Facebook officials did not identify the specific kind of malware that the attackers installed on the compromised laptops, but said that the employees’ machines were infected when they visited a mobile developer Web site that was hosting the Java exploit. When the employees visited the site, the exploit attacked a zero-day vulnerability in Java that was able to bypass the software’s sandbox and enable the attackers to install malware. The company said it reported the vulnerability to Oracle, which then patched the Java bug on Feb. 1.
“Facebook Security has a team dedicated to tracking threats and monitoring our infrastructure for attacks at all times. In this particular instance, we flagged a suspicious domain in our corporate DNS logs and tracked it back to an employee laptop. Upon conducting a forensic examination of that laptop, we identified a malicious file, and then searched company-wide and flagged several other compromised employee laptops,” the company’s security team said in a blog post.
“After analyzing the compromised website where the attack originated, we found it was using a “zero-day” (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware. We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability.”
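The detection workflow described in the quoted post above, a suspicious domain flagged in corporate DNS logs, traced back to one laptop, then a company-wide sweep for other hosts that reached the same domain, can be reproduced against resolver query logs. The following is an added example and is not Facebook’s tooling or any code from the original post; the log line format (loosely modelled on BIND query logging), the hostnames, IP addresses, DHCP lease table and the watch-listed domain `suspicious-cdn.example` are all constructed placeholders.

```python
"""
Added example (not Facebook's code): triage corporate DNS resolver logs for
queries to a watch-listed domain, attribute the querying IPs to hosts via a
DHCP lease snapshot, then pivot to every other host that resolved the same
domain. All log lines, IPs, hostnames and the domain are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed resolver log lines; the format is an assumption for this example.
DNS_LOG = """\
01-Feb-2013 09:12:03.118 client 10.20.4.17#51234: query: www.example.com IN A
01-Feb-2013 09:12:05.301 client 10.20.4.17#51240: query: update.suspicious-cdn.example IN A
01-Feb-2013 09:13:44.009 client 10.20.7.88#43321: query: mail.example.com IN MX
01-Feb-2013 10:01:17.550 client 10.20.9.5#50012: query: update.suspicious-cdn.example IN A
01-Feb-2013 10:02:00.001 client 10.20.4.17#51300: query: c2.suspicious-cdn.example IN TXT
"""

# Constructed DHCP lease snapshot: client IP -> hostname at the time of the queries.
LEASES = {
    "10.20.4.17": "lt-alice",
    "10.20.7.88": "lt-bob",
    "10.20.9.5": "lt-carol",
}

# Constructed watch-list; in practice this comes from threat intelligence feeds.
WATCHLIST = {"suspicious-cdn.example"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)$"
)


def parse_line(line):
    """Parse one resolver log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def matches_watchlist(qname, watchlist=WATCHLIST):
    """True if qname is a watch-listed domain or any subdomain of one."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in watchlist for i in range(len(labels)))


def find_hits(log_text, watchlist=WATCHLIST):
    """Return {source_ip: [(timestamp, qname), ...]} for queries touching the watch-list."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and matches_watchlist(rec["qname"], watchlist):
            hits[rec["ip"]].append((rec["ts"], rec["qname"]))
    return dict(hits)


def attribute_hosts(hits, leases=LEASES):
    """Map each hit IP to a hostname via the lease table; unknown IPs stay flagged."""
    return {ip: leases.get(ip, "UNKNOWN-" + ip) for ip in hits}


def pivot_on_domain(log_text, first_host_ip, watchlist=WATCHLIST, leases=LEASES):
    """Company-wide sweep: starting from the first confirmed host, return every
    other host that queried the same watch-listed names, ordered by first query time."""
    hits = find_hits(log_text, watchlist)
    seen = {q for _, q in hits.get(first_host_ip, [])}
    others = []
    for ip, events in hits.items():
        if ip == first_host_ip:
            continue
        shared = sorted({q for _, q in events} & seen)
        if shared:
            first_seen = min(t for t, _ in events)
            others.append((first_seen, leases.get(ip, "UNKNOWN-" + ip), shared))
    return sorted(others)


if __name__ == "__main__":
    hits = find_hits(DNS_LOG)
    for ip, host in attribute_hosts(hits).items():
        print(f"{host} ({ip}) queried: {[q for _, q in hits[ip]]}")
    for ts, host, shared in pivot_on_domain(DNS_LOG, "10.20.4.17"):
        print(f"pivot: {host} first seen {ts} -> {shared}")
```

The suffix matching in `matches_watchlist` is deliberate: the post describes flagging a domain, and an attacker’s infrastructure usually shows up as several subdomains of it, so a plain string equality check would miss the second and third queries in the sample log. The pivot step is the part that scales the finding from one laptop to the rest of the fleet, which is exactly the “searched company-wide” step in the quoted account.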
The kind of attack that Facebook’s security team described is a very common scenario. Attackers regularly compromise legitimate Web sites, plant exploit code on them that targets a specific vulnerability or group of vulnerabilities and then wait for users to hit the site with vulnerable browsers. They often run these attacks with exploit kits such as Blackhole or Eleonore and typically use exploits for known vulnerabilities rather than zero days, which are much more valuable to attackers. Once a zero day is used and then discovered, as in the Facebook attack, it loses most of its value to attackers, so they tend to be selective in their use of them.
An exploit that is able to bypass the Java sandbox would be especially valuable to an attacker, given the huge installed base of Java. There have been several such exploits circulating in recent weeks, but it’s not clear which one Facebook security personnel discovered on their network.
Facebook officials were not specific about what other companies they believe were also victims of this attack, but said that once the company discovered the malware and traced it back to the originating domain, it began sharing data about the attack with other companies.
“Facebook was not alone in this attack. It is clear that others were attacked and infiltrated recently as well. As one of the first companies to discover this malware, we immediately took steps to start sharing details about the infiltration with the other companies and entities that were affected. We plan to continue collaborating on this incident through an informal working group and other means,” the company said.