
Apple targeted in major hack attack

By Kathryn McConnachie, Digital Media Editor at ITWeb.
Johannesburg, 20 Feb 2013
Experts say it is a 'watering hole' attack which compromises a site frequently used by high-value targets.

Apple has revealed it was also targeted by the same sophisticated attack that infected Facebook employees' computers.

Apple workers' Macintosh computers were infected with the malicious software when they, like the Facebook employees, visited a mobile developer Web site.

The software infected Macs by exploiting a flaw in a version of Oracle's Java software, which is used as a plug-in on Web browsers. There is also a version of the malware that infects computers running Microsoft's Windows operating system.

Sources close to the investigation have also said the hack attack that saw 250 000 Twitter accounts being compromised earlier this month originated from the same Java vulnerability, and was part of the same campaign which targeted Facebook and Apple.

Both Apple and Facebook indicated in their statements that many other companies were also targeted by the attack. While they have not gone into any detail about the scale of the attack, a Bloomberg report claims the same attack has impacted no less than 40 companies. It is not yet clear if all infected computers have been identified, or how long this attack has been going on.

Chester Wisniewski, who holds a senior position at Sophos, says that, based on the information that is publicly available, the hack attack is likely what is known as a "watering hole attack".

"The concept is that it is much easier to compromise a site where people might frequently go than it is to assault the company directly," says Wisniewski. This type of attack doesn't involve having to get a target to open an e-mail or click on a malicious link.

"Trying to break through all of the layers of protection at Facebook and Apple is going to be extremely difficult. Yet it might be much easier to compromise the security of a small application developers' Web site that Apple, Facebook and other high value targets might frequently visit."

Stealing company secrets

There are conflicting reports about the origin of the attacks. Some have immediately pointed the finger at China and the group of computer hackers that has been traced back to a government military building in Shanghai.

The Bloomberg report, however, says sources familiar with the matter have indicated the type of malware used in these attacks suggests it is the work of cyber criminals rather than state-sponsored espionage.

Investigations have given those sources reason to suspect an Eastern European group of cyber criminals who are trying to "steal company secrets" using at least one server traced back to a Ukrainian hosting company.

In a media statement, Apple has said: "The malware was employed in an attack against Apple and other companies, and was spread through a Web site for software developers. We identified a small number of systems within Apple that were infected and isolated them from our network. There is no evidence that any left Apple. We are working closely with law enforcement to find the source of the malware."

Apple added that since OS X Lion, Macs have shipped without Java installed and OS X automatically disables Java if it hasn't been used for 35 days. Apple has now also released a Java malware removal tool to protect Mac users who do have Java installed.

According to Reuters, investigators have said the malware has been distributed, at least in part, by a site aimed at iPhone developers.

Other reports claim that iphonedevsdk.com is the "mobile developer site" in question. AllThingsD has received a statement from the owner of the site, Ian Sefferman, who said: "We're investigating Facebook's reports that iPhoneDevSDK was hosting an exploit targeted at Facebook employees. We're actively ensuring that is not the case.

"Facebook originally noted that they immediately reached out to other affected companies, but we were never contacted by Facebook, any other company, or law enforcement. Our users' security is incredibly important to us and we'll be sure to follow the investigation through to completion."

A bite out of Mac

Wisniewski notes that Apple's OS X has become popular enough among people who are likely targeted by malware that it is "no longer being neglected by the criminals behind online attacks".

"Those people who have said 'only dumb Mac users would voluntarily install malware' might be surprised to learn that even Apple's own engineers can fall victim to a drive-by."

One of Reuters' unnamed sources close to the matter is quoted as saying: "This is the first really big attack on Macs. Apple has more on its hands than the attack on itself."

Prominent Apple security expert Charlie Miller also said: "The only thing that was making [the Mac] safe before is that nobody bothered to attack it. That goes away if somebody bothers to attack it."

Wisniewski says this hack isn't about the capabilities of users or the type of Web sites they frequent: "An unpatched vulnerability impacts all of us the same way. This is why it is essential to run anti-virus regardless of the platform in use. It is also important to carefully monitor network traffic by using an IPS and firewall.

"People often think of their firewall as a simple blocking mechanism, but it also serves a forensic purpose. If you are Apple or Facebook and you need to know what data may have been ferreted off to your criminal overlords, the detailed logs from your monitoring solutions are essential to the forensic investigation team," says Wisniewski.
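The forensic use of firewall and proxy logs that Wisniewski describes, and the watering-hole pattern he explains earlier in the article, can be illustrated with a small log-triage script. The following is an added example, not code from ITWeb, Sophos or any of the companies named; the log format, the host names, the IP address and all byte counts are constructed, and the thresholds (50 kB, seven days, two hosts) are assumptions chosen for the sample. It takes the domain other reports named as the watering hole, finds which hosts visited it, flags large outbound transfers from those hosts to destinations that were not part of the pre-incident baseline, identifies destinations shared by several exposed hosts as command-and-control candidates, and then pivots on those destinations to find hosts whose exposure the logs never recorded.

```python
"""Post-incident triage of outbound connection logs after a watering-hole compromise.

Added example for illustration; all log data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<UTC timestamp> <source host> <destination> <bytes out>".
# iphonedevsdk.com is the site other reports named; every other value is made up.
SAMPLE_LOG = """\
2013-02-15T08:30:00Z build-srv-07 repo.example-corp.internal 5000
2013-02-15T08:45:10Z dev-mac-01 cdn.example-static.net 700
2013-02-15T09:01:12Z dev-mac-01 iphonedevsdk.com 1532
2013-02-15T09:01:13Z dev-mac-01 cdn.example-static.net 840
2013-02-15T09:03:40Z dev-mac-01 203.0.113.45 98304
2013-02-15T09:10:05Z dev-mac-02 iphonedevsdk.com 1490
2013-02-15T09:12:00Z dev-mac-02 mail.example-corp.internal 2100
2013-02-15T09:14:30Z dev-mac-02 203.0.113.45 65536
2013-02-15T10:20:00Z dev-mac-03 203.0.113.45 71200
2013-02-16T08:00:00Z dev-mac-01 203.0.113.45 204800
"""


def parse_log(text):
    """Parse the constructed log format into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, out_bytes = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "dst": dst,
            "bytes_out": int(out_bytes),
        })
    return records


def exposed_hosts(records, watering_hole):
    """Map each host that contacted the watering-hole site to its first visit time."""
    first_seen = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["dst"] == watering_hole and r["src"] not in first_seen:
            first_seen[r["src"]] = r["ts"]
    return first_seen


def suspicious_egress(records, first_seen, min_bytes=50_000, window=timedelta(days=7)):
    """Large outbound transfers from exposed hosts, after exposure, to destinations
    that were not seen from any host before the earliest exposure (assumed thresholds)."""
    if not first_seen:
        return []
    earliest = min(first_seen.values())
    # Baseline: everything the estate talked to before anyone reached the watering hole.
    baseline = {r["dst"] for r in records if r["ts"] < earliest}
    flagged = []
    for r in sorted(records, key=lambda r: r["ts"]):
        start = first_seen.get(r["src"])
        if start is None or not (start < r["ts"] <= start + window):
            continue
        if r["dst"] in baseline or r["bytes_out"] < min_bytes:
            continue
        flagged.append(r)
    return flagged


def candidate_c2(flagged, min_hosts=2):
    """Destinations that several exposed hosts reached after exposure."""
    hosts_per_dst = defaultdict(set)
    for r in flagged:
        hosts_per_dst[r["dst"]].add(r["src"])
    return {dst for dst, hosts in hosts_per_dst.items() if len(hosts) >= min_hosts}


def unexposed_contacts(records, first_seen, destinations):
    """Hosts that reached a candidate C2 destination without a recorded watering-hole visit."""
    return {r["src"] for r in records
            if r["dst"] in destinations and r["src"] not in first_seen}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    exposed = exposed_hosts(recs, "iphonedevsdk.com")
    flagged = suspicious_egress(recs, exposed)
    c2 = candidate_c2(flagged)
    print("exposed hosts:", sorted(exposed))
    for r in flagged:
        print(f"{r['ts']:%Y-%m-%d %H:%M} {r['src']} -> {r['dst']} {r['bytes_out']} bytes")
    print("candidate C2:", sorted(c2))
    print("unexposed hosts contacting C2:", sorted(unexposed_contacts(recs, exposed, c2)))
```

The pivot in the last step is the point of Wisniewski's remark: the watering-hole visit itself is often not in the logs (a laptop on a home network, a retention gap), so the shared destination found from the hosts you do know about becomes the indicator that surfaces the rest of the infected population.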
