Say you’re a “bad guy” and what you really want to do is compromise the systems of some high-value targets – like software developers working at prominent Silicon Valley firms such as Facebook and Twitter.
Breaking through the front door isn’t easy – these companies mostly have the technology chops to protect their networks and employees. Phishing e-mails are also a tough sell: the developer community is heavy on Apple Mac systems and – besides – application developers might be harder to phish than your average Fortune 500 executive. A better approach might be to let your prey come to you – attacking them passively by gaining control of a trusted third-party web site they already visit, a so-called “watering hole.”
That’s a scenario that has played out in a number of recent, high profile attacks, such as the so-called “VoHo” attacks documented by Symantec and RSA. It may also be the common element behind a string of targeted attacks on some of Silicon Valley’s leading companies in recent weeks, including Facebook and Twitter, according to the security firm F-Secure.
Writing on Monday, Sean Sullivan (@5ean5ullivan), a Security Advisor at F-Secure Labs, said that the company believes that mobile application developer Web sites may be the common link in attacks against Twitter and Facebook in recent weeks. The company warns that other mobile application startups and developers may also have been compromised in the watering-hole style attacks.
F-Secure said it received new malware samples over the weekend that appear to be linked to the attacks. The samples, dated January 31st, are new malware that runs on Mac operating systems. Macs are known to be favored among developers at companies like Facebook and Twitter. Together with a clue in Facebook’s February 1st post that the attacks on its employees were served from a mobile application development web site, and with Twitter’s oblique mention of “other sites” being targeted in a hack that ensnared some of its developers, the Mac malware suggests a “watering hole” style attack aimed at cutting-edge tech firms with Mac-loving mobile developers on staff. Facebook and Twitter discovered the breach because they have millions to spend on internal security. But what about the smaller fry within Silicon Valley, F-Secure wonders.
Possible doomsday scenarios? How about malicious code added to the source code of a popular mobile application (F-Secure throws out WhatsApp for good measure) on a compromised developer’s machine before it is committed, so that it gets baked into the shipped binary and distributed to every user of the app.
“We’ll all be very lucky if this watering hole was only really trying to target big players such as Twitter and Facebook. On the other hand, if the campaign had a broader goal of hacking as many developers as possible — it really calls into question current bring your own device policies,” F-Secure said.
While that may be scaremongering, I think it’s safe to say that we haven’t heard the last about compromises at top-tier social networking and mobile application web sites. Stay tuned.