Facebook has confirmed that computers belonging to some of its engineers were compromised following an attack that exploited a zero-day Java vulnerability. However, the company says it does not appear that the hackers gained access to Facebook user data.
On the company blog, Facebook wrote, “Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack. This attack occurred when a handful of employees visited a mobile developer website that was compromised. The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops. The laptops were fully-patched and running up-to-date anti-virus software. As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day. We have found no evidence that Facebook user data was compromised.”
The Inquirer’s Dave Neal added, “The problem was traced back to a ‘suspicious domain’ in the Facebook DNS logs and an employee laptop. A malicious file was found on that laptop, and then, during a company-wide search, on several other employee laptops. Analysis showed that it was a zero day exploit that was able to bypass the relevant Java sandbox protections and install malware. Facebook told Oracle about this and the company released a patch to take care of it earlier this month.”
Ars Technica’s Sean Gallagher added, “But other companies who were affected by the same hacking campaign may not have been so lucky. Facebook’s internal security team worked with a third party to ‘sinkhole’ the attackers’ command server, taking over the network traffic coming into it from systems infected by its malware. They discovered traffic coming from several other companies, according to Facebook Chief Security Officer Joe Sullivan. Facebook notified those companies of the attack, and it has turned the case over to federal law enforcement. An investigation is still ongoing. While some of the affected companies were aware of an ongoing attack, others were unaware of the problem before being notified by Facebook.”
According to SlashGear’s Chris Burns, “Similar attacks have been popping up recently in several places, one of them relating to Twitter’s recent incident in which 250,000 account passwords were stolen. Another related event occurred with Mozilla as they made Java instances blocked by default – can’t be too careful!”