The attack was triggered when a small number of Facebook employees visited a mobile developer website's Web forum that was compromised and secretly hosting a zero-day Java exploit. The exploit managed to bypass all security defenses (the Java sandbox, up-to-date AV, and the fully-patched OS) and install malware on those employees' laptops.
"As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day," the company shared on its Security page, adding that they have "found no evidence that Facebook user data was compromised."
"Facebook Security has a team dedicated to tracking threats and monitoring our infrastructure for attacks at all times. In this particular instance, we flagged a suspicious domain in our corporate DNS logs and tracked it back to an employee laptop. Upon conducting a forensic examination of that laptop, we identified a malicious file, and then searched company-wide and flagged several other compromised employee laptops," they explained.
This led them to discover the compromised website from which the attack was mounted. They informed Oracle about the existence of the zero-day exploit, and they rushed out an emergency Java patch on February 1.
They also say that Facebook was not the only target in this attack, but that they were one of the first to discover the malware and analyze it. According to Ars Technica, Facebook worked with a third party to discover the C&C server that the malware was sending information to, sinkhole it and analyze the incoming traffic.
That was how they discovered that the attack also targeted other companies, which they immediately apprised of the situation. According to Facebook CSO Joe Sullivan, their investigation showed that the attackers were trying to move laterally into their production environment, and they did manage to gain some visibility into production systems - software code, corporate data, and such.
Facebook didn't mention which other companies were attacked, but Twitter confirmed a hack that compromised 250,000 of their users' accounts only a day after the emergency Java patch was released. It is widely speculated that Twitter was among the ones that were hit, especially because Bob Lord, Twitter Director of Information Security, advised users to disable Java in their browsers.
"Criminals will no longer attack your systems directly but use various techniques to indirectly compromise your systems. In this case it was a waterhole attack where exploits are planted on a compromised website known to be visited by the desired target," commented Brian Honan, founder of BH Consulting and head of IRISSCERT.
He also pointed out that having fully-patched systems and up-to-date AV software is important, but not foolproof - additional protection is needed.
"Criminals will target certain groups within your organization due to the access they may have to certain data or systems. In many organizations we've worked with IT always have elevated privileges and admin rights to their computers. This makes them an ideal target group for criminals. I do not think it is a coincidence in this case that the criminals compromised a server for mobile developers," he shared, adding that log monitoring and management, as well as a good forensic investigation, are crucial to discovering attacks early and understanding them well in order to shore up defenses to block future attempts.
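Both Facebook's account of flagging a suspicious domain in corporate DNS logs and tracing it to an employee laptop, and Honan's point about log monitoring, describe the same defensive workflow. The script below is an added illustration of that workflow, not code from Facebook or from the article: it parses BIND-style query-log lines, matches each queried name against a watchlist (including subdomains of a listed domain), and reports which client addresses made the queries and when. The log lines, addresses, and the watchlisted domain `bad-cdn.example` are constructed for the example; the article gives no real indicators.

```python
import re

# Constructed sample lines in BIND9-style query-log format. Hosts, addresses
# and domains are hypothetical; "bad-cdn.example" stands in for whatever
# domain an analyst has flagged as suspicious.
SAMPLE_LOG = """\
12-Feb-2013 09:14:02.113 client 10.20.31.44#53122: query: www.example.com IN A + (10.0.0.53)
12-Feb-2013 09:14:05.771 client 10.20.31.44#53130: query: update.bad-cdn.example IN A + (10.0.0.53)
12-Feb-2013 09:15:10.004 client 10.20.31.87#41002: query: mail.example.com IN MX + (10.0.0.53)
12-Feb-2013 09:16:44.920 client 10.20.31.87#41010: query: A1.update.bad-cdn.example. IN A + (10.0.0.53)
12-Feb-2013 09:17:01.338 client 10.20.31.44#53140: query: www.example.org IN AAAA + (10.0.0.53)
this line is deliberately malformed and must be skipped rather than crash the parser
"""

# Constructed watchlist (placeholder, not a real indicator from the article).
WATCHLIST = {"bad-cdn.example"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[0-9a-fA-F.:]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Parse one query-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Normalise the name: DNS is case-insensitive and may carry a trailing root dot.
    rec["qname"] = rec["qname"].lower().rstrip(".")
    return rec


def watchlist_hit(qname, watchlist):
    """Return the watchlisted domain that qname equals or is a subdomain of, else None."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def flag_suspicious_clients(log_text, watchlist):
    """Map each watchlisted domain seen in the log to the clients that queried it.

    Each entry records the querying client addresses (the hosts to pull for
    forensics), the exact names queried, a query count, and first/last seen
    timestamps. Log lines are assumed to be in chronological order.
    """
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated line; skip without failing the run
        domain = watchlist_hit(rec["qname"], watchlist)
        if domain is None:
            continue
        entry = hits.setdefault(domain, {
            "clients": set(), "qnames": set(), "queries": 0,
            "first_seen": rec["ts"], "last_seen": rec["ts"],
        })
        entry["clients"].add(rec["client"])
        entry["qnames"].add(rec["qname"])
        entry["queries"] += 1
        entry["last_seen"] = rec["ts"]
    return hits


if __name__ == "__main__":
    for domain, entry in flag_suspicious_clients(SAMPLE_LOG, WATCHLIST).items():
        print(f"{domain}: {entry['queries']} queries from {sorted(entry['clients'])} "
              f"between {entry['first_seen']} and {entry['last_seen']}")
        for name in sorted(entry["qnames"]):
            print(f"  queried name: {name}")
```

The subdomain walk in `watchlist_hit` matters because malware rarely queries the bare registered domain; it is the client list that turns a flagged domain into a set of laptops to image, and the company-wide sweep Facebook describes is the same match run over every resolver's logs.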