If you or someone connected to your network — a family member or an
employee, for instance — visited one particular malware-ridden website
in the last few months, you may be in a lot of trouble.
Facebook and Apple have both been breached by attackers who used a zero-day
vulnerability in the Java browser plugin to get inside the companies' internal
networks in recent weeks. Both companies said in separate statements that there
was "no evidence" that company or user data had been stolen, but the news
unsettled many who had trusted those companies to keep their data safe.
The root cause is reportedly a single iPhone development website that was
compromised to serve malware, which then dropped its payload onto vulnerable
machines that visited it. Once an infected laptop was connected to a corporate
network, the attackers had a foothold inside that network.
AllThingsD and The New York Times have both reported that the mobile
development site "iPhoneDevSDK" is the source of the Apple and Facebook
breaches.
Do not visit this site in any way, shape, or form: it may still be serving active malware that could infect your machine.
According to AllThingsD, which spoke to Facebook sources on condition of
anonymity, a number of the company's employees visited the site more than a
month ago. Malicious code injected into the site's pages used an exploit
against the Java browser plugin to gain access to the employees' laptops.
This "watering hole" technique compromises a legitimate website that the
intended victims are known to visit, then silently exploits vulnerable machines
as they arrive, in this case through a vulnerability for which no patch yet
existed. It differs from direct targeting, such as emailing a malware-laden
attachment to a particular user, in that the attacker never has to contact the
victims: they come to the attacker.
While the Apple laptops involved were presumably Macs running the latest (if
not pre-release) version of OS X, the exposure is by no means limited to Macs.
Windows PCs running a vulnerable version of the Java plugin would have been
compromised in exactly the same way.
Facebook confirmed that the internal network breach was a result of a zero-day exploit in the Java plugin, as did Apple in a statement on Tuesday. Law-enforcement agencies were informed in both cases.
Java developer Oracle patched the vulnerability in a February 1 security update.
Twitter suffered a similar breach earlier this month, but the microblogging
company did not say exactly what the root cause was. At the time it was
attributed to Chinese hackers, possibly associated with the country's
government or military. It now looks more likely that a Twitter employee
visited the same infected site, which led to the company's network being
compromised.
Exactly who is behind this campaign is unknown. Many suspect China, which has
been linked to cyberattacks on networks and infrastructure before. In 2010,
Google stopped censoring its Chinese search service and redirected it to Hong
Kong after an intrusion into its networks that it said originated in China.
However, sources speaking to Bloomberg point in an entirely different
direction. The publication reported that "at least 40 companies", including
Apple, Facebook, and Twitter, were targeted by Eastern European hackers who
were "trying to steal company secrets".
So, now what?
Here's the troubling thing: you may not have visited the infected website
yourself, but have your employees? Do you develop iPhone applications or
services on site? And can you be absolutely sure that your company, network,
or individual computer has not been compromised in some way?
Of course not. Here's what you can do. (This list is far from exhaustive, but it's a start.)
1. Remove or disable Java immediately
The chances are that you are running Java on your machine or, at the very least, someone on your network is.
The exposure here is the Java browser plugin: a web page can only reach Java through it. Disable the plugin in every browser, or remove Java entirely if nothing you run depends on it; either step shrinks your attack surface considerably. Java has contained flaw after flaw despite numerous updates, and exploits against the plugin are a common way for attackers to get onto computers, devices, and networks.
Oracle released yet another update to its Java plugin on Tuesday. Apple has also released a Java update for OS X; if it has not already appeared in Software Update, install it. Together these patch the vulnerabilities currently known to be exploited in the wild.
On Windows, run updates through the Java Control Panel item; on OS X, check Software Update under System Preferences.
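Knowing whether a machine is patched means comparing what `java -version` prints against the fix levels the article cites (Java 7 Update 15 and Java 6 Update 41). The script below is an added example, not code from the article or from Oracle: it parses the first line of a `java -version` banner and classifies a fleet of hosts, failing closed for anything it cannot classify. The hostnames and banners are constructed.

```python
# Added example (not from the original article): decide whether a Java
# runtime string, as printed by `java -version`, is at or above the
# February 2013 fix levels the article cites: Java 7 Update 15 and
# Java 6 Update 41. Anything older, or any version family we cannot
# classify, is treated as vulnerable (fail closed).
import re

# Minimum patched update level per Java family (numbers from the article).
PATCHED_UPDATE = {6: 41, 7: 15}

# Matches the first line of `java -version` output, e.g.
#   java version "1.7.0_13"
#   java version "1.6.0_37"
# Group 1 is the family (6 or 7), group 2 the update number (0 if absent).
_VERSION_RE = re.compile(r'java version "1\.(\d+)\.0(?:_(\d+))?"')


def parse_java_version(banner: str):
    """Return (family, update) from a `java -version` banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    family = int(m.group(1))
    update = int(m.group(2) or 0)
    return family, update


def is_patched(banner: str) -> bool:
    """True only if the banner is a known family at or above its fix level."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return False            # unparseable: assume vulnerable
    family, update = parsed
    if family not in PATCHED_UPDATE:
        return False            # Java 5 and older: long out of support
    return update >= PATCHED_UPDATE[family]


def classify_hosts(banners: dict) -> dict:
    """Map hostname -> 'patched' / 'VULNERABLE' for a fleet of banners."""
    return {host: ("patched" if is_patched(b) else "VULNERABLE")
            for host, b in banners.items()}


if __name__ == "__main__":
    # Constructed banners standing in for output collected from each host.
    fleet = {
        "dev-mac-01": 'java version "1.6.0_37"\nJava(TM) SE Runtime Environment',
        "dev-mac-02": 'java version "1.6.0_41"\nJava(TM) SE Runtime Environment',
        "win-laptop-7": 'java version "1.7.0_13"\nJava(TM) SE Runtime Environment',
        "win-laptop-8": 'java version "1.7.0_15"\nJava(TM) SE Runtime Environment',
        "old-build-box": 'java version "1.5.0_22"\nJava(TM) SE Runtime Environment',
        "no-java-host": "bash: java: command not found",
    }
    for host, state in sorted(classify_hosts(fleet).items()):
        print(f"{host:14} {state}")
```

Feed it the banners you collect from each host (via your management tooling or a simple SSH loop) and pull every host marked VULNERABLE for patching or plugin removal. A host that reports no Java at all is also marked VULNERABLE here deliberately, so that it is checked by hand rather than silently assumed safe.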
2. Check your logs, history, and browsing records
It may not be easy, but you may need to trawl through your DNS logs, web
proxy logs, and browser histories to determine whether anyone on your network,
be it a single family member or a thousand employees, has visited the infected
site in the past two months.
If the site appears anywhere (again, do not visit it; the site is
"iPhoneDevSDK"), there is a significant chance that the machines involved, and
possibly others on the same network, have been infected. A DNS lookup alone
does not prove a page was loaded, but it is reason enough to pull that machine
for investigation rather than assume it is clean.
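Trawling logs by hand does not scale past a handful of machines. The script below is an added example, not code from the article: it walks log lines, matches the suspect domain on a label boundary (so subdomains such as a forum host count, but look-alike names do not), applies the two-month window, and reports the first contact per client address. It assumes the site's domain is iphonedevsdk.com (the article names the site but not the domain) and uses a constructed "timestamp client-ip hostname" line format; adapt the `split` to your proxy or resolver's real format.

```python
# Added example (not from the original article): scan proxy/DNS log lines
# for any lookup of, or request to, the infected development site, so the
# client machines involved can be pulled for investigation.
#
# Assumptions (not stated on the page): the site's domain is
# iphonedevsdk.com, and the logs are in the constructed format
# "<ISO timestamp> <client-ip> <hostname>" used below.
from datetime import datetime, timedelta

SUSPECT_DOMAIN = "iphonedevsdk.com"   # assumed domain of the "iPhoneDevSDK" site

# Constructed log excerpt standing in for a resolver or proxy log; not real traffic.
SAMPLE_LOG = """\
2013-01-14T09:12:03 10.0.4.21 www.apple.com
2013-01-14T09:13:47 10.0.4.21 forum.iphonedevsdk.com
2013-01-14T09:13:48 10.0.4.21 iphonedevsdk.com
2013-01-15T11:02:10 10.0.4.37 notiphonedevsdk.com
2013-01-16T17:45:00 10.0.7.102 IPHONEDEVSDK.COM.
2012-11-30T08:00:00 10.0.4.99 iphonedevsdk.com
garbage line
""".splitlines()


def host_matches(hostname: str, domain: str = SUSPECT_DOMAIN) -> bool:
    """Exact or subdomain match on a label boundary, case-insensitive.

    "forum.iphonedevsdk.com." matches; "notiphonedevsdk.com" does not.
    """
    h = hostname.lower().rstrip(".")
    d = domain.lower()
    return h == d or h.endswith("." + d)


def find_exposed_clients(lines, since_iso: str) -> dict:
    """Return {client_ip: first_seen_iso} for clients that touched the
    suspect domain at or after `since_iso`. Malformed lines are skipped."""
    since = datetime.fromisoformat(since_iso)
    hits = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue                      # not a "ts ip host" record
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue                      # unparseable timestamp
        client, hostname = parts[1], parts[2]
        if ts < since or not host_matches(hostname):
            continue
        if client not in hits or ts < hits[client]:
            hits[client] = ts             # keep the earliest contact
    return {ip: ts.isoformat() for ip, ts in hits.items()}


if __name__ == "__main__":
    # "Past two months" relative to the article's date, 19 February 2013.
    cutoff = (datetime(2013, 2, 19) - timedelta(days=60)).isoformat()
    for ip, first in sorted(find_exposed_clients(SAMPLE_LOG, cutoff).items()):
        print(f"{ip:12} first contact {first}")
```

Every address it prints identifies a machine (or a NAT gateway, in which case you need the inside logs too) that should be isolated and examined, with the first-contact time as the starting point for the forensic timeline. Suffix matching on the label boundary matters: a substring search for the domain would also flag unrelated names that merely contain it.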
3. Run a full, network-wide malware sweep
Even if nothing has shown up, run a full, network-wide sweep using an
up-to-date antivirus or network malware solution. If you can set server-side
policies that require endpoints to prove they are patched and running current
antivirus before they are admitted to the network (Network Access Protection on Windows, for instance), that helps limit the spread of such malware across your network. Bear in mind that a clean scan is not proof of a clean machine: this malware arrived through a zero-day, and antivirus signatures lag behind new payloads.
Vulnerable machines are those running any version of Java older than the current releases, Java 7 Update 15 and Java 6 Update 41, and the malware can infect both Mac and Windows machines.
4. Take future precautions: virtualize and isolate risky software
Many companies rely on Java, even though few websites still use the plugin,
so removing it may not be an option. Patching to the latest version is the
best you can do on the host itself, at least for now, but adding an extra
layer between the Java plugin and the host machine can contain an infection
that would otherwise spread across the network.
Java is the zero-day king, and more flaws will surely be found in it. Run
Java-based web applications and Java-enabled websites in a virtual machine
that has no access to the host or the host's network (but still reaches the
internet), so that anything they drop lands in an isolated, sandboxed
environment away from company files and other machines. Revert the VM to a
clean snapshot after each session, and keep credentials and shared drives out
of it.
Updating the software would not have prevented the attack on Facebook, Apple,
and others, because no patch existed when their employees visited the site,
but keeping the plugin sandboxed would have lessened the risk of any data
being stolen.