UPDATE – The missing link connecting the attacks against Apple, Facebook and possibly Twitter is a popular iOS mobile developers’ forum called iPhoneDevSDK which was discovered hosting malware in an apparent watering hole attack that has likely snared victims at hundreds of organizations beyond the big three.
It’s not clear whether the site remains infected, but researcher Eric Romang dug into the situation and determined that the site was hosting malicious JavaScript that redirected visitors to another site, min.liveanalytics. That site had been hosting malware as of Jan. 15.
Ian Sefferman, cofounder of a number of sites hosting mobile developer resources including iphonedevsdk, confirmed in a post today that it was part of the attack on Facebook.
“We were never in touch with Facebook, any other companies, or law enforcement before yesterday,” Sefferman told Threatpost today. “We immediately reached out to Facebook’s CSO and have been working together since then. We’d be happy to work with other involved organizations to find out exactly how this hack occurred and who was behind it.”
Sefferman said an administrator account was compromised and the attackers used it to modify a theme on the site and inject malicious JavaScript into the pages it rendered.
“As the most widely read, dedicated iOS developer forum, we’re targeted for attacks frequently,” Sefferman wrote, adding that the site’s webhost Vanilla Forums was not to blame in the attacks and that all user passwords have been reset. “We’re still trying to determine the exploit’s exact timeline and details, but it appears as though it was ended by the hacker on Jan. 30.”
This appears to be a textbook watering hole attack: unconnected victims linked by a common interest visit a compromised website, which silently redirects their browsers to an attack site hosting an exploit and malware. The malware then gives the attacker a foothold from which to persist inside each victim’s organization.
“In the purest sense, you’ll see very subtle and graceful attempts to compromise sites that have virtually nothing to do with one another in terms of content, but at a higher geo-political level such as with the high tech or defense industrial base, there is a commonality,” said Will Gragido, senior manager for RSA Security’s FirstWatch Advanced Research Intelligence team. “They’ll look for vulnerabilities on the site, post a redirection tag and catch some targets of opportunity affiliated with a target of interest; by doing that, they can go upstream to compromise the target of interest.”
Romang proposed that these attacks were not highly targeted against any particular company, and a number of reports support that view: the attacks against Facebook and Apple hit Mac OS X machines with a Java zero-day exploit, and hundreds of tech and defense industrial base firms may have been hit as well. Rather than simply going after Apple or Facebook developers, the attackers may have been trying to gain a widespread foothold inside the people who build popular mobile applications.
“I don’t think it is a ‘highly’ targeted attack, because it is just another watering hole campaign with another Java 0day,” Romang told Threatpost via email. “Maybe what was sophisticated in this case is that the deployed malware was hitting Mac OS X computers.”
Romang’s research indicates the attacks likely started around Jan. 22, when JavaScript on iphonedevsdk called out three times to min.liveanalytics; the min.liveanalytics domain had been registered Dec. 8, 2012. By Jan. 24, min.liveanalytics was down, Romang said. A Wayback Machine cache of the iphonedevsdk site from Jan. 15, however, already showed a Google Chrome warning that malware was present on the site.
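The injection described above (script added to a forum theme that loads a third-party tracker and redirects visitors to an attack site) leaves markers in the served HTML that a site operator can hunt for. The following is an added example, not code from the article, from iPhoneDevSDK or from Vanilla Forums: a small stdlib-only Python auditor that parses a page and flags script loads from hosts outside an allowlist, inline scripts containing redirect sinks, and hidden or off-site iframes. The sample page, the allowlist hosts (forum.example, cdn.example) and the flagged domains (hypothetical-analytics.example, hypothetical-landing.example) are all constructed for illustration; they are not the domains involved in this incident.

```python
"""Audit served HTML for injected third-party script loads, redirecting inline
scripts and hidden iframes: the usual markers of a watering-hole compromise.

Added example; all hosts and the sample page below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts a clean copy of the theme is known to load script from.
ALLOWED_SCRIPT_HOSTS = {"forum.example", "cdn.example"}

# JavaScript sinks that send the visitor elsewhere or stage a payload.
REDIRECT_RE = re.compile(
    r"(?:window|document|top|self)?\.?location(?:\.href)?\s*=|"
    r"location\.(?:replace|assign)\s*\(|"
    r"document\.write\s*\(|eval\s*\(\s*unescape",
    re.IGNORECASE,
)

# Constructed sample: two legitimate script tags, then an injected tracker,
# a redirecting inline script aimed at Mac visitors, and a 1x1 hidden iframe.
SAMPLE_HTML = """<html><head>
<title>Developer forum (constructed sample)</title>
<script src="/js/vanilla.js"></script>
<script src="https://cdn.example/jquery.min.js"></script>
<script>var forumSettings = {theme: "default"};</script>
</head><body>
<div id="content">Forum content here</div>
<script src="//hypothetical-analytics.example/tracker.js"></script>
<script>
  if (navigator.userAgent.indexOf('Mac') !== -1) {
    window.location.replace('http://hypothetical-landing.example/index.php?id=1');
  }
</script>
<iframe src="http://hypothetical-landing.example/x.html" width="1" height="1"
        style="display:none"></iframe>
</body></html>"""


def _host_of(url):
    """Lowercase host a URL points at; None for a same-origin path such as /js/a.js."""
    return urlparse(url.strip()).hostname


def _is_hidden(attrs):
    """True for the invisible iframes exploit kits are typically loaded through."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = {attrs.get("width"), attrs.get("height")} & {"0", "1"}
    return "display:none" in style or "visibility:hidden" in style or bool(tiny)


class InjectionAuditor(HTMLParser):
    """Collects (kind, host, detail) findings while the page is parsed."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []
        self._script = None  # buffer for the inline <script> currently being read

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            if a.get("src"):
                host = _host_of(a["src"])
                if host and host not in self.allowed:
                    self.findings.append(("external_script", host, a["src"]))
            else:
                self._script = []
        elif tag == "iframe":
            host = _host_of(a.get("src", ""))
            if (host and host not in self.allowed) or _is_hidden(a):
                self.findings.append(("iframe", host, a.get("src", "")))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content", ""), re.I)
            host = _host_of(m.group(1)) if m else None
            if host and host not in self.allowed:
                self.findings.append(("meta_refresh", host, a.get("content", "")))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body, self._script = "".join(self._script), None
            m = REDIRECT_RE.search(body)
            if m:
                self.findings.append(("redirect_script", None, m.group(0)))


def audit_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return every (kind, host, detail) in the page that deserves a second look."""
    parser = InjectionAuditor(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, host, detail in audit_html(SAMPLE_HTML):
        print(f"{kind:16} {host or '-':32} {detail}")
```

Run against the sample, the auditor reports the off-site tracker, the inline `location.replace(` redirect and the hidden iframe, and stays silent on the same-origin and CDN scripts. In practice the allowlist comes from a clean checkout of the theme, and the check is run on the HTML a real visitor receives rather than on the files on disk, since an attacker with an admin account can change what the server emits without touching version-controlled files.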
Yesterday, Chris Wakelin, a researcher, posted on Twitter that an exploit for CVE-2013-0431 had been discovered in the Cool Exploit Kit. This vulnerability is the second bug discovered by Adam Gowdiak in the MBeanInstantiator in Java in early January which was incompletely patched by Oracle; it enables a complete Java sandbox bypass, Gowdiak wrote on the Full Disclosure mailing list.
Facebook disclosed last Friday that a number of its employees’ laptops had been compromised by malware delivered through a Java zero-day exploit that bypassed the platform’s sandbox. Apple made its disclosure yesterday that it had been hit by the same crew that attacked Facebook, using the same exploit. The company said that a small number of Mac OS X machines had been infected, but a report by Reuters said that the same attack was used against Apple machines at many other companies.
Twitter, meanwhile, has not fessed up to being part of the same attack, but the timeline corresponds, Romang said. Twitter reported on Feb. 1 that it was alerting users that up to 250,000 accounts may have been compromised and that session tokens and passwords may have been accessed. It also recommended that users disable the Java browser plug-in.
In the meantime, the Java security world has been in total flux since late last year. Similar watering hole attacks against the Council on Foreign Relations website, as well as a number of human rights and manufacturing sites worldwide, were blamed on fresh Java exploits against previously unreported vulnerabilities. Oracle had also shipped three Java updates between Dec. 11 and Feb. 1, including Java SE 7 Update 11, which raised Java’s default security setting from medium to high so that unsigned Java applets require manual approval before they execute. The developers compromised in this attack were likely either not running an up-to-date version of Java or had allowed the execution of untrusted Java applets, Romang said.
Yesterday, Oracle patched five more vulnerabilities, completing its February Critical Patch Update. Its Feb. 1 release had been accelerated to address the zero days being exploited in the weeks leading up to it.
This article was updated at 1:30 p.m. ET to include comments from iPhone Dev SDK cofounder Ian Sefferman.