Facebook disclosed Friday that it was the target of a "sophisticated"
cyberattack, in the latest example of malicious hackers exploiting a weakness
in Java software.
The world's largest social network said there was no evidence that any
Facebook members' information was compromised, in contrast with a recent
Java-related attack on Twitter, where officials announced two weeks ago that
usernames and salted, hashed passwords for up to 250,000 accounts may have been
accessed.
But in the latest disclosure, Facebook reported that its investigators
found clear evidence that other companies were affected by the same scheme,
known as a "watering hole attack," in which hackers compromise a third-party
website frequented by their intended targets, here developers who build mobile
software applications, and plant malicious code there so that visitors are
infected simply by browsing to it.
Security experts say that's a classic scheme used by hackers who are
hoping they will get access to all kinds of useful or valuable data, including
source code, user passwords or even financial information. It's unclear
whether the hackers knew that Facebook engineers were among those likely to
visit the contaminated site.
The site delivered malicious code to the laptops of several Facebook
engineers, according to a statement posted on a Facebook security blog Friday
afternoon. Facebook said the infection was caught before it spread to the
company's main network or servers.
While the malware gave the hackers "limited visibility" into some of
Facebook's servers, the company said it found no evidence that any information
was "exfiltrated" or harvested from the servers. The hackers may have obtained
some programming code or other data from the engineers' laptops, however.
Facebook said its engineers' laptops were fully patched and running
up-to-date security software, but the hackers exploited a "zero-day"
vulnerability, meaning a flaw in Java for which no fix existed at the time of
the attack, so neither patching nor signature-based antivirus could have
stopped it. The company's security systems eventually detected the malware
last month, after a period of time that Facebook did not disclose; in its
statement the company said its security team flagged a suspicious domain in
its corporate DNS logs and traced the traffic back to an employee's laptop.
A Facebook spokesman declined to comment, saying the case is under
investigation. Facebook said it notified law enforcement authorities as well
as officials at Oracle (ORCL), which owns the rights to Java and is
responsible for producing security updates. Oracle issued a security patch for
the flaw on Feb. 1.
Security experts said the Facebook and Twitter hacks appeared to be
different from recent cyberattacks on several media organizations, including
The New York Times, which appeared to originate from China.
The latter attacks seemed to be aimed at gathering politically sensitive
information, such as the names of dissidents who spoke with Western news
media, while the Twitter and Facebook hackers were more likely hoping for some
kind of financial gain, said Andrew Storms, director of security operations
for nCircle, a San Francisco company that sells data-security products to
corporate clients.
Despite repeated patches and warnings from security experts, many believe
the widely installed Java browser plug-in remains exposed to new attacks. For hackers,
"the Java vulnerability is very popular right now," added George Tubin, senior
security strategist at Trusteer, which sells security programs for business
computers.