Facebook has confirmed that they were a victim of a targeted attack that leveraged a previously unknown Java vulnerability. The zero-day exploit was used to infect the laptops of several engineers with malware that apparently was used to attempt a full-scale infiltration of the inner sanctum of Facebook.
Facebook reported that all of the infected laptops were protected by antivirus software and were fully patched with the most recent version of Java. This should serve to underscore the danger of running Java without using “click-to-play” features that prompt the user to run the code when a website requests it. It also serves to emphasize that the internet is indeed a dangerous place for everyone, even software engineers. Average users rarely install patches when they’re available, though corporate systems may force the issue on those fortunate enough to have managed systems. Still, every defense in their arsenal was inadequate to prevent several of their employees from getting the malware, which was discovered by another team charged with examining DNS logs. Imagine if it had gone undetected.
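The detail that the infection was found by a team reviewing DNS logs, rather than by antivirus or patching, is worth dwelling on. Below is an added example of the kind of triage a defender can run over resolver logs; it is not code from the original post or from Facebook, and the log format, host names, domain names and thresholds are all constructed for illustration. It flags client/domain pairs that are off an allowlist and either resolve the same name at regular intervals (a beaconing pattern) or query a long, high-entropy label (a common look for machine-generated names).

```python
"""Added example: triaging DNS resolver logs for suspicious lookups.

Not code from the original post or from Facebook; the log format, host
names, domains and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
import math
import statistics

# Constructed sample log, one query per line: "<ISO timestamp> <client host> <queried name>"
SAMPLE_LOG = """\
2013-02-01T09:00:00 eng-laptop-01 www.example.com
2013-02-01T09:00:05 eng-laptop-02 www.example.com
2013-02-01T09:01:00 eng-laptop-01 cdn.example.net
2013-02-01T09:02:00 eng-laptop-01 x7k2q9f0m3.invalid-c2.example
2013-02-01T09:07:00 eng-laptop-01 x7k2q9f0m3.invalid-c2.example
2013-02-01T09:12:00 eng-laptop-01 x7k2q9f0m3.invalid-c2.example
2013-02-01T09:17:00 eng-laptop-01 x7k2q9f0m3.invalid-c2.example
2013-02-01T09:03:00 eng-laptop-03 mail.example.org
2013-02-01T09:40:00 eng-laptop-02 docs.example.org
"""

# Constructed allowlist of registered domains considered known-good.
ALLOWLIST = {"example.com", "example.net", "example.org"}


def parse_log(text):
    """Return a list of (datetime, host, qname) tuples from the log text."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, qname = line.split()
        rows.append((datetime.fromisoformat(ts), host, qname.lower().rstrip(".")))
    return rows


def registered_domain(qname):
    """Crude registered-domain heuristic: the last two labels.
    Real triage should use the Public Suffix List; this is an assumption
    made to keep the example self-contained."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def label_entropy(label):
    """Shannon entropy of a DNS label in bits per character."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def beacon_score(timestamps):
    """Return (query_count, interval_cv).

    A small coefficient of variation across the gaps between queries,
    combined with several queries, suggests a fixed-interval beacon.
    cv is None when fewer than three queries exist."""
    if len(timestamps) < 3:
        return len(timestamps), None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return len(ts), None
    return len(ts), statistics.pstdev(gaps) / mean


def triage(text, allowlist=ALLOWLIST, min_queries=3, max_cv=0.2, min_entropy=3.0):
    """Flag (host, qname) pairs that are off-allowlist and show either
    regular-interval lookups or a long, high-entropy leading label."""
    per_pair = defaultdict(list)
    for ts, host, qname in parse_log(text):
        per_pair[(host, qname)].append(ts)

    findings = []
    for (host, qname), stamps in per_pair.items():
        if registered_domain(qname) in allowlist:
            continue
        reasons = []
        count, cv = beacon_score(stamps)
        if cv is not None and count >= min_queries and cv <= max_cv:
            reasons.append(f"regular interval ({count} queries, cv={cv:.2f})")
        first = qname.split(".")[0]
        ent = label_entropy(first)
        if len(first) >= 8 and ent >= min_entropy:
            reasons.append(f"high-entropy label ({ent:.2f} bits/char)")
        if reasons:
            findings.append({"host": host, "qname": qname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["host"], finding["qname"], "; ".join(finding["reasons"]))
```

On the constructed sample this reports a single pair, the engineer laptop querying the same off-allowlist name every five minutes with a ten-character random-looking label. The thresholds are deliberately loose for illustration; on real resolver logs the allowlist, the minimum query count and the entropy cut-off all need tuning against a baseline of normal traffic, and the two-label domain heuristic should be replaced by a Public Suffix List lookup.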
The incident may have been instrumental in getting Oracle to issue the emergency patch on February 1st, 2013. It appears that an informal working group was formed between Facebook and other companies affected by the exploit. This highlights the targeted nature of the attack. Hackers likely used social engineering to trick the users into visiting websites containing the malicious code. The drive-by nature of the attack required no action other than visiting the site with Java enabled in the browser. It has been speculated that large-scale attacks are more likely as the hackers grow more sophisticated and traditional extortion schemes are being actively prosecuted by law enforcement. It reminds this author of the targeted attacks on the Iranian nuclear facilities that went undetected for years until they inadvertently spread outside of the intended target.
The take-home message here is this: Don’t run third-party software unless you need it. If you do, be sure to disable it in the browser (or at least require click-to-play). By all means keep third-party software patched, along with the operating system itself. Antivirus software is still necessary, even though it appears to have been ineffective in this case. Perimeter security such as a unified threat management (UTM) firewall is another important component. Lastly, though email is not reported as a factor in this exploit, we strongly recommend a comprehensive hosted email security strategy that helps to prevent infected files from arriving in your inbox.