Yesterday the news was that Apple Inc. was yet another victim of a widespread watering-hole style attack on prominent firms, including Facebook and (probably) Twitter. But that list of victims will almost certainly rise, as more information about the watering hole web site and the extent of the breach become public.
First, what we know: Twitter, Facebook and now Apple have all made announcements in the last week about security breaches at their organizations that involved staff computers being infected with malware. Twitter was the first company to go public with the information on February 2nd. But the company said at the time that other firms were likely to have been breached, also.
Facebook followed suit, announcing that its employees, also, were targeted in the attack. According to Facebook’s Chief Security Officer, Joe Sullivan, the company’s employees were compromised using a previously unknown (zero day) Java vulnerability after visiting a compromised web site that was used as a “watering hole” – a staging ground for an attack targeted at those likely to visit the site.
At the time Facebook said that its analysis of the attack turned up evidence of other, compromised companies and that it had notified them of the finding, and also notified law enforcement. The announcement, Tuesday, from Apple gives us information on at least one of those other victims.
But will there be others? The answer is almost certainly ‘yes.’ For one thing: Facebook’s CSO all but confirmed that the watering hole web site – a mobile application developer resource – was popular and that the list of compromised companies was a long one. Any mobile developer who visited that site with browser that had Java enabled was likely attacked and had malware implanted on their system – Windows or Mac.
“It’s the type of forum that anyone who was building apps for mobile devices would visit,” Facebook’s Sullivan told AllThingsD. “It’s pretty popular for sharing tips, tricks, etc.” The question isn’t who’s been hacked, but who is sophisticated enough to discover the hack that’s already taken place, AllThingsD says.
That report also names the site involved, though notably without any attribution. As more information becomes public about the site that was compromised, the malware used and how long the compromise lasted, its likely that we’ll be hearing more companies disclosing compromises linked to their employees, as well.