Many Watering Holes, Targets In Hacks That Netted Facebook, Twitter and Apple

The attacks that compromised computer systems at Facebook, Twitter, Apple Corp. and Microsoft were part of a wide-ranging operation that relied on many “watering hole” web sites that attracted employees from prominent firms across the U.S., The Security Ledger has learned.

[Photo: Facebook Offices. The attacks on Facebook and Twitter were part of a wider operation against a wide range of targets, using multiple watering hole web sites to serve attacks. Photo Credit: Olivier Garamfalvi / Facebook]

The assailants responsible for the cyber attacks used at least two mobile application development sites as watering holes in addition to the one web site that has been disclosed: iPhoneDevSDK.com. Still other watering hole web sites used in the attack weren’t specific to mobile application developers – or even to software development. Still, they served almost identical attacks to employees of a wide range of target firms, across industries, including prominent auto manufacturers, U.S. government agencies and even a leading candy maker, according to sources with knowledge of the operation.

More than a month after the attacks came to light, many details remain under tight wraps. Contacted by The Security Ledger, the FBI declined to comment on the attacks or any investigation into their origin. However, conversations by The Security Ledger with multiple sources – including those with direct knowledge of the attack and others who had been briefed on it – have filled in some of the blanks.

Car Companies To Candy Makers – A Broad Set of Targets

In a phone and e-mail interview with The Security Ledger, Joe Sullivan, Facebook’s Chief of Security, said that the use of multiple watering hole sites and the wide spectrum of targets inside and outside the technology sector defied easy explanation. “The breadth of types of services and entities targeted does not reflect a targeted attack on a single tech or industry sector,” he said.

Rather, the wide net of watering hole web sites pulled in employees from organizations across a broad swath of the U.S. economy, say those with knowledge of the incident. That has made the operation look more like a fishing expedition than a focused operation.

“There’s nothing that’s like ‘Aha, they’re targeting this group for industrial espionage,’” said one source with knowledge of the ongoing investigation.

Facebook was among the first firms to detect the security breach, which came to public attention after Twitter revealed a compromise that exposed account credentials on 250,000 users in a blog post on February 1. The social networking giant acknowledged that it was hacked in a February 15 blog post. The list of victims has since expanded to include Apple Corp. and Microsoft.

In an interview with the web site arstechnica.com, Sullivan said that the company identified the attack after a number of employees were discovered using Apple Mac laptops infected with malware. An analysis of the affected staff revealed a mobile developer web site, later identified as iPhoneDevSDK.com, as the source of the attack.

Many Watering Hole Sites Used

According to Sullivan and other sources with knowledge of the attack, however, iPhoneDevSDK.com was only one of three mobile development sites used as watering holes. The other mobile development websites include one devoted to development of applications for Google’s Android operating system.

In each case, the sites were compromised and used to serve up exploits of the same “zero day” vulnerability in Java against browsers running on both Windows and Apple Mac systems. The employees compromised in the attack were then infected with a Trojan horse program for either Mac or Windows PC, depending on their choice of operating system.

In “watering hole” style attacks, cyber criminals and sophisticated hackers work through a third party web site that is known to be frequented by individuals who are the target of the attack. The web site is compromised – often by exploiting a known vulnerability in the site – and altered to begin attacking visitors. The actual targets of the scam are attacked when they opt to visit the compromised site.

‘Pint-Sized’ Attack, Outsized Impact

Facebook’s internal investigation and parallel investigations by anti-malware firms have since identified the Trojan used in the attacks as Pintsized.A, a new family of malware for Apple Mac systems that was first publicly identified in early February.

According to a February 19 analysis by Intego, Pintsized masquerades on infected systems as cupsd, a common Linux component that is used by OS X as a printing system scheduler – though the malicious process runs from the wrong directory on infected systems.

Intego said that Pintsized infections start with an exploit that gets the malware past Gatekeeper. Once on a system, it sets up a reverse shell to the command and control server, then uses a modified version of OpenSSH 6.0p1 to create a secure connection that encrypts the traffic in and out of the victim’s network. The malware hides behind executable names that make it seem like Apple software, and at least one command and control node operated from the (malicious) domain corp-aapl.com. That domain caught the attention of Facebook’s incident response team and has since been directed to “sinkhole” servers managed by The Shadowserver Foundation, allowing authorities to capture command and control (C&C) communications from infected systems.
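As an added defender-side example (not code from the article, Intego or Facebook), the following script applies two of the indicators described above to constructed sample data: a process named cupsd that runs from somewhere other than its normal location, and resolver log entries for the sinkholed corp-aapl.com domain. The expected cupsd path is an assumption about a stock OS X install, and the process listing and DNS lines are constructed for the example.

```python
import re
# Where Apple's CUPS scheduler normally lives on OS X (assumption: stock install).
EXPECTED_PATHS = {"cupsd": "/usr/sbin/cupsd"}
# C&C domain named in the article; it is sinkholed now, so any lookup merits an alert.
KNOWN_C2_DOMAINS = {"corp-aapl.com"}

# Constructed sample of `ps -axo pid=,user=,comm=` output: the real cupsd plus a
# look-alike in a user-writable directory (the second path is invented for the example).
SAMPLE_PS = """\
   87 _lp  /usr/sbin/cupsd
  512 dev  /Users/dev/Library/Caches/.tmp/cupsd
  530 dev  /Applications/Safari.app/Contents/MacOS/Safari
"""
# Constructed BIND-style resolver log lines.
SAMPLE_DNS = """\
Feb 19 10:02:11 ns1 named[411]: client 10.0.0.5#49213: query: www.apple.com IN A +
Feb 19 10:02:14 ns1 named[411]: client 10.0.0.5#49220: query: corp-aapl.com IN A +
"""

def parse_ps(output):
    """Turn ps lines into (pid, user, path) tuples, skipping malformed lines."""
    procs = []
    for line in output.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit():
            procs.append((int(parts[0]), parts[1], parts[2].strip()))
    return procs

def check_masquerade(procs):
    """Flag a process named like a system daemon but running from the wrong path."""
    findings = []
    for pid, user, path in procs:
        name = path.rsplit("/", 1)[-1]
        expected = EXPECTED_PATHS.get(name)
        if expected and path != expected:
            findings.append(("masquerade", f"pid {pid} ({user}): {path}, expected {expected}"))
    return findings

def check_dns(log_lines):
    """Flag resolver log lines that query a known, sinkholed C&C domain."""
    findings = []
    for line in log_lines:
        m = re.search(r"query:\s+(\S+)", line)
        if m and m.group(1).rstrip(".").lower() in KNOWN_C2_DOMAINS:
            findings.append(("c2-dns", line.strip()))
    return findings

def scan(ps_output=SAMPLE_PS, dns_log=SAMPLE_DNS):
    # Run both checks; returns a list of (kind, detail) findings.
    return check_masquerade(parse_ps(ps_output)) + check_dns(dns_log.splitlines())
```

On a real host, feed `scan()` the output of `ps -axo pid=,user=,comm=` and the resolver's query log instead of the constructed samples.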

In addition to Facebook, a source with knowledge of the attack on Twitter told The Security Ledger that the Pintsized malware was served to Mac users there. The source asked to remain anonymous because he was not authorized to speak on the record about what he knew. Victims whose employees were running Windows received different, PC-based malware as part of the attack, sources said.

Watering Hole Attacks Hit Only Some Visitors

Moreover, it appears that the attacks launched from iPhoneDevSDK – and possibly other watering hole sites – weren’t indiscriminate. Rather, they may have been directed only at a small number of web site visitors from target domains.

Ian Sefferman of iPhoneDevSDK.com confirmed that the attacks served from his site only affected some visitors, and not others. Sefferman said, for example, that he was not targeted with an exploit, while other visitors to his site were.

“We’re still investigating why only certain users were affected, whether there was a pattern, and how many may have been targeted,” he said. However, he declined to provide more detail, citing the ongoing investigation.

Asked about the selection of targets to serve exploits at iPhoneDevSDK.com, Sullivan of Facebook said his company worked closely with Sefferman in the immediate aftermath of the breach, but declined to discuss what they uncovered, or to share the names of other companies targeted in the attack.

Even with that list, it is possible that the public will never know the full extent of the attack, given its sophistication, he said. “Nobody knows the whole picture,” he said. “And, in the absence of an environment where all the companies implicated are able to share all their internal details, there is little chance of the whole picture being directly assembled.”
