Facebook engineers compromised by Java zero-day
Facebook has confirmed that systems used by its employees were compromised in an attack which used a Java plugin zero-day exploit. The company explained that it found a suspicious domain in its DNS logs in January and traced it to an employee laptop internally and to a compromised web site which acted as the source. According to a report in Ars Technica, the employee was one of the company's engineers.
Internal investigations discovered malware on that system and company-wide searches found "several other compromised employee laptops". All the laptops were "fully-patched and running up-to-date anti-virus software", the company says. Examining the compromised web site showed it was using a previously unseen Java vulnerability which bypassed the sandbox to allow it to install malware.
Facebook says it reported the exploit to Oracle and that it received a patch on 1 February to address the issue. That is also the date on which Oracle released an emergency patch set for all Java users to fix fifty flaws. Oracle said it had come across some of the fixed flaws being exploited in the wild and had, because of that, brought the release forward from this coming Tuesday, 19 February, to 1 February. It now seems very likely that the Facebook attack was at least one of the reports Oracle was acting upon. Facebook said it knew of other companies compromised by the same zero-day attack. Oracle has more fixes for Java in an updated version of the patches, due on Tuesday.
Further details of the attack were not given; however, Facebook did say that there was no evidence that any Facebook user data was compromised, though the attackers did gain "some limited visibility" into production systems and they were trying to "move laterally into our production environment". The attackers did harvest information from the laptops such as company emails, data and some code. The company says it is working with law enforcement and has collaborated through an informal working group with other affected companies.