NEWS FROM THE LAB - Wednesday, February 20, 2013

Timeline: Hacks Related to Apple
Posted by Sean @ 12:20 GMT

The hacks related to Apple involve a lot of moving parts. Let's review the timeline:

February 1st: Twitter's Director of Information Security, Bob Lord, posted "Keeping our users secure" on Twitter's blog. On a Friday. The weekend of the NFL's Super Bowl. Lord explained that Twitter had been hacked and that 250,000 accounts had had their passwords reset as a result. Lord advised people to disable Java's browser plugin.

February 1st: The Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) issues Alert (TA13-032A) warning of multiple vulnerabilities in Oracle Java.

February 1st: Oracle releases a critical patch update for Java (JRE 7 Update 11 and earlier) ahead of schedule because of "active exploitation in the wild" of one of the vulnerabilities addressed.

February 4th: Monday. We asked contacts at Apple: based on Lord's post we suspect a Mac payload; do you have any samples that you are allowed to share with us? The reply: "Twitter has not shared any samples with us."

February 4th: our post "What is Java technology and why do I need it?" speculated that a Twitter developer's Mac had been compromised via Java's browser plugin, and also noted with interest that Apple's XProtect was blocking Java 7 Update 11 (and earlier).

February 5th: US-CERT updates its alert.

February 7th: Adobe published a security bulletin for Adobe Flash Player. From the bulletin: "Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform…".

Adobe APSB13-04, Firefox and Safari for Mac

Tip: You can download Google Chrome for Mac here.

February 8th: our post "Update: Flash Player Exploit Targeting Macs and Windows" notes that Lockheed Martin CIRT contributed to Adobe's investigations.

February 8th: the folks at AlienVault Labs post "Adobe patches two vulnerabilities being exploited in the wild" and provide an analysis of "2013 IEEE Aerospace Conference schedule", one of the Windows-based attacks exploiting the Flash Player vulnerability.

February 12th: Adobe releases its security update for Flash Player.

Tip: Check your version(s) of Flash Player here.
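The XProtect entry of February 4th and the version-check tip above both come down to the same question: is the plugin version installed on a Mac older than the minimum XProtect will let Safari load? The following Python script is an added example (not code from the original post, and not Apple's or Adobe's tooling) that parses a plist in the layout of XProtect.meta.plist and answers that question. The embedded plist is a constructed sample; its minimum version strings, the installed versions in the demo, and the file paths are assumptions for illustration, not values taken from the post.

```python
"""Added example: does XProtect's PlugInBlacklist block a given plugin version?

Apple's XProtect.meta.plist lists, per plugin bundle id, the minimum bundle
version Safari will load; anything older is refused. The sample plist and all
version numbers below are constructed for illustration.
"""
import os
import plistlib
import re

# Assumed location of the real file on OS X 10.8-era systems.
XPROTECT_META_PATH = ("/System/Library/CoreServices/CoreTypes.bundle/"
                      "Contents/Resources/XProtect.meta.plist")

# Constructed sample in the layout of XProtect.meta.plist (not real contents).
SAMPLE_XPROTECT_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Version</key><integer>1</integer>
  <key>PlugInBlacklist</key>
  <dict>
    <key>10</key>
    <dict>
      <key>com.oracle.java.JavaAppletPlugin</key>
      <dict>
        <key>MinimumPlugInBundleVersion</key><string>1.7.13.20</string>
        <key>PlugInUpdateAvailable</key><true/>
      </dict>
      <key>com.macromedia.Flash Player.plugin</key>
      <dict>
        <key>MinimumPlugInBundleVersion</key><string>11.5.502.149</string>
        <key>PlugInUpdateAvailable</key><true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def version_key(version):
    """'1.7.13.20' -> (1, 7, 13, 20). Plain string comparison would rank
    '1.7.9.5' above '1.7.13.20', so compare numerically, field by field."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_blocked(installed, minimum):
    """True if installed is strictly older than the minimum XProtect allows.
    Shorter version strings are padded with zeros: '1.7.13' == '1.7.13.0'."""
    a, b = version_key(installed), version_key(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def minimum_versions(meta_plist_bytes):
    """Flatten PlugInBlacklist into {bundle_id: minimum allowed version}."""
    meta = plistlib.loads(meta_plist_bytes)
    mins = {}
    for _os_key, plugins in meta.get("PlugInBlacklist", {}).items():
        for bundle_id, entry in plugins.items():
            mins[bundle_id] = entry["MinimumPlugInBundleVersion"]
    return mins


def check_plugins(meta_plist_bytes, installed):
    """installed: {bundle_id: CFBundleVersion}.
    Returns {bundle_id: 'blocked' | 'allowed' | 'not listed'}."""
    mins = minimum_versions(meta_plist_bytes)
    verdict = {}
    for bundle_id, version in installed.items():
        if bundle_id not in mins:
            verdict[bundle_id] = "not listed"
        elif is_blocked(version, mins[bundle_id]):
            verdict[bundle_id] = "blocked"
        else:
            verdict[bundle_id] = "allowed"
    return verdict


def installed_bundle_version(plugin_bundle_dir):
    """CFBundleVersion from a plugin bundle's Info.plist, e.g.
    /Library/Internet Plug-Ins/JavaAppletPlugin.plugin (assumed path)."""
    info = os.path.join(plugin_bundle_dir, "Contents", "Info.plist")
    with open(info, "rb") as f:
        return plistlib.load(f)["CFBundleVersion"]


if __name__ == "__main__":
    # Constructed installed versions: a Java 7u11 build (older than the
    # sample minimum) and a Flash build exactly at the sample minimum.
    installed = {
        "com.oracle.java.JavaAppletPlugin": "1.7.11.22",
        "com.macromedia.Flash Player.plugin": "11.5.502.149",
    }
    for bundle_id, verdict in check_plugins(SAMPLE_XPROTECT_META, installed).items():
        print(f"{bundle_id}: {verdict}")
```

On a real Mac, feeding the bytes of XPROTECT_META_PATH to minimum_versions and the output of installed_bundle_version to check_plugins gives Apple's current verdict. The check describes only what Safari will refuse to load; Chrome ships its own bundled Flash Player, which is why the Chrome tip above sidesteps the Firefox/Safari bulletin.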

February 15th: Facebook's security team posted "Protecting People On Facebook" on its Page. On a Friday. Just before a three-day weekend in the United States. The security team explained that some Facebook employee "laptops" had been hacked via a Java exploit.

February 15th: Joe Sullivan, Facebook's Chief Security Officer, is interviewed by Sean Gallagher of Ars Technica. Sullivan said that the C&C servers related to the attack had been sinkholed by a third party and that traffic to them indicated several other companies had been affected.

February 15th: Mac samples (backdoors) are shared with an AV mailing list.

February 18th: our Helsinki-based Mac analyst, Brod, examines the backdoors. We quickly determine that all of the related C&Cs are sinkholed by The Shadowserver Foundation. Other recent Mac backdoors, targeting Uyghur people, have not been sinkholed in this manner. To us, this indicates that the backdoors are part of a law enforcement investigation. Knowing that Chief Security Officer Joe Sullivan is a former federal prosecutor, we suspect a connection to Facebook.

February 18th: our post "Facebook Hacked, Mobile Dev Watering Holes, and Mac Malware" connects several of the dots and notes Facebook's statement that the source of the attack was a compromised website for mobile application developers.

February 19th: Reuters breaks the news that Apple employees were also hacked via a Java exploit. According to Reuters, "a person briefed on the case said that hundreds of companies, including defense contractors, had been infected with the same malicious software."

February 19th: Mike Isaac at AllThingsD reports iPhoneDevSDK is the compromised mobile developer website.

February 19th: Oracle releases a "special" critical patch update for Java (JRE 7 Update 13 and earlier) which includes all of the fixes from February 1st, "plus an additional five fixes which had been previously planned for delivery."

February 19th: Apple releases a security update which includes a malware removal tool.

February 20th: Ian Sefferman, an administrator at iPhoneDevSDK, writes that prior to AllThingsD's article, "we had no knowledge of this breach and hadn't been contacted by Facebook, any other company, or any law enforcement about the potential breach."

iPhoneDevSDK Compromised

February 20th: Bloomberg reports sources suggest the attack on Apple came from Eastern Europe.

Open Questions

Q: Adobe reported in-the-wild attacks delivered via websites targeting Flash Player. Those attacks appear to target defense contractors. Where are those watering holes located?

Q: How many companies were affected?

Q: How many unique connections have been made to Shadowserver's sinkhole?

Q: How long has this type of thing been going on? Apple began removing old versions of Java from Macs when people updated OS X in October 2012. Was that a proactive… or reactive decision? How many times has Apple been compromised?


Macs have something like a 15% market share in the real world. That share translates into relatively low motivation for bad guys to develop bulk, commoditized "malware as a service" targeting average Mac-owning consumers. Folks who use Macs at home are about as secure today as they were yesterday, so they probably have a reasonable sense of security.

But in the "developer world", Macs have a much higher market share. (In Silicon Valley we'd guesstimate it's the inverse of the real world: 85%.) As such, there is relatively high motivation for bad guys to develop "sophisticated" attacks that incorporate Mac-based payloads. Folks who use their Macs for work should not have the same sense of security as home users. Work-based Macs are clearly more of a target, and expectations of security should scale to match the threat level.

Developers who assume the "15%" level of attacker motivation aren't paranoid enough and are operating with a false sense of security. It's time for businesses and organizations to reassess.

At the very least, developers and other professionals should segment work (anything with access to production back ends) and play into separate virtual machines, if not separate hardware.

Edited: Added the February 19th link to Apple's update.