Apple confirms being hit in recent watering hole attack
Apple has become the latest big company to confirm they’ve been affected by the watering hole attacks that resulted in the compromise of Twitter and Facebook networks, Reuters reported.
“Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers,” the company said in a statement. “The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers. We identified a small number of systems within Apple that were infected and isolated them from our network. There is no evidence that any data left Apple. We are working closely with law enforcement to find the source of the malware.”
As Twitter and Facebook before them, Apple didn’t mention which website for software developers was the source of the attack, but AllThingsD reported that sources close to the Facebook hacking investigation pointed to iPhoneDevSDK, the home of iOS developer forums.
Ian Sefferman, owner and operator of the site, issued a statement saying that they’ve learned that the site was used in the attack via the press. “Prior to this article, we had no knowledge of this breach and hadn’t been contacted by Facebook, any other company, or any law enforcement about the potential breach,” he stated.
He explained that the site is targeted for attacks frequently, and because of that they switched to Vanilla Forums last year. But after getting in touch with Facebook’s security team and Vanilla, they concluded that this attack has nothing to do with their software.
“What we’ve learned is that it appears a single administrator account was compromised. The hackers used this account to modify our theme and inject JavaScript into our site. That JavaScript appears to have used a sophisticated, previously unknown exploit to hack into certain user’s computers. We’re still trying to determine the exploit’s exact timeline and details, but it appears as though it was ended (by the hacker) on January 30, 2013,” he shared, adding that they have no reason to believe user data was compromised, but have reset all user passwords just in case.
The first reaction to these breaches was that the attackers are likely Chinese, but according to Bloomberg sources, it seems that Twitter, Facebook, Apple and some 40 other companies were actually attacked by an Eastern European gang of hackers that’s after company secrets they can sell.
I wonder that the investigators haven’t made public the name of the compromised site sooner, as many developers from a myriad of companies and even independent ones visit the site daily. If the above claim proves to be true, the attackers were apparently out for all they could get and were probably not targeting only high-profile, big firms.
In the meantime, Apple has moved to protect their customers. Apart from patching several vulnerabilities that made this attack possible, the Java update for Mac pushed out on Tuesday also contains an updated Java malware removal tool that will check systems and remove the most common variants of malware.
Home users are advised to disable Java on their computer and browsers if they don’t need it, but companies that suspect that their developers might have visited the compromised site have more to do.