Friday, February 1st: Twitter announced it was hacked. The post (Keeping our users secure) by Bob Lord, Director of Information Security, was sparse on details but recommended disabling Java's browser plugin.
And according to Lord, the attackers "were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked."
Friday, February 15th: Facebook announced it was hacked. According to the Security Team's note (Protecting People On Facebook), a handful of employees visited a compromised website hosting a Java "exploit which then allowed malware to be installed on these employee laptops."
So, disable Java's browser plugin by default, and only enable it when you really need to do so. But we already knew that, didn't we?
And while everybody else is bashing Oracle, we have a more interesting question: what malware on what type of laptop?
Why? Because Macs are the type of laptop we almost aways see in Facebook's employee photos.
As we've already speculated on February 4th, an exploit opens the door — what walked through that door and onto the hip young Silicon Valley developer's MacBook?
Well, interestingly enough, last Friday evening, we received (via a mailing list) new Mac malware samples to analyze. Samples that were uploaded to VirusTotal on January 31st, one day before Twitter's announcement.
One type of sample are custom compiled SSH daemons which we suspect are very likely dropped by an exploit. The others aren't actually "samples" insofar as they aren't binaries, they're one line of program (Perl) which runs at startup and opens a reverse shell.
The URLs used include: a misspelling of "Apple Corp"; something that sounds like a digital consulting company; and something that pretends to be a cloud storage service.
Okay, so there's a Mac threat out there and most Mac users are completely unaware of it. They have a false sense of security. That's bad, right? But that's not even the worst of it when you really consider all of the details. What was the compromised website which hosted the Java exploit? According to Facebook's note, it was a mobile developer website!
Get it? A "watering hole" attack targeting mobile application developers.
As in… can't hack mobile devices? Okay then, go up stream and hack mobile application developers. At which point you can inject whatever you want into the developer's source code.
Twitter and Facebook obviously have dedicated security teams on the lookout for trouble. (They're big targets.) Unfortunately, other smaller Silicon Valley startups (with big user bases) don't have the same resources. At this point, we really hope somebody has been in touch with the folks at WhatsApp, which according to Google Play, has at least 100 million installations.
There are hundreds of thousands if not millions of mobile apps in the world. How many of the apps' developers do you think have visited a mobile developer website recently? With a Mac… and a very false sense of security?
We'll all be very lucky if this watering hole was only really trying to target big players such as Twitter and Facebook. On the other hand, if the campaign had a broader goal of hacking as many developers as possible — it really calls into question current bring your own device policies. BYOD = Bring your own destruction?
SSH daemon compromised systems will have one of the following:
• com.apple.cupsd.plist • com.apple.cups.plist
Perl compromised systems will have one of the following:
• com.apple.cocoa.plist • com.apple.env.plist
Any developer who has Java enabled in his browser, has visited mobile developer websites in the last couple of months, and finds evidence his computer is compromised — probably should use his source code versioning system to check recent commits.
And if you don't use a source code version system (such as SVN or Git), have fun re-reading your entire code base.
Edited to add: And it should almost go without saying that developers using Windows should practice the same vigilance.