Apple hacked by same group that attacked Facebook


Summary: The iPhone and iPad maker said today that it is working with law enforcement to identify the hackers who breached its internal network. The same Java exploit that was used to attack Facebook was also to blame for letting the hackers into Apple's network.


The same group of hackers that attacked Facebook last month also successfully attacked Apple, the company revealed today.

The Cupertino, Calif.-based technology giant told the Reuters news agency that while its networks were successfully breached, there was "no evidence that any data left Apple."

It's almost exactly the same wording used by Facebook last week when it disclosed it had also been hacked.

A small number of the company's employees' Mac computers were hit by the attack, which exploited a vulnerability in the Java web browser plug-in.

Apple said it will release an updated Java malware removal tool for OS X users later today that checks Mac systems for the malware and removes it if found.

Facebook's internal network was breached by hackers last month, but no data was taken, the company said. The attackers used the same Java zero-day exploit, which was being actively used in the wild at the time, against Facebook's network. Facebook's security team noticed a suspicious domain in its corporate domain name system (DNS) logs and traced the lookups to an employee's laptop. Several other laptops were then found to be compromised and were cleaned of the malware.
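The pivot described above (an odd domain in the resolver logs, traced back to the laptop that queried it) is simple enough to show in code. The program below is an added example, not code from the article or from Facebook or Apple; the log format, the client addresses, the domain names and the indicator list are all constructed for illustration. It does two things over the same pass: it matches each lookup against a watchlist (the name itself or any subdomain of it), and it separately reports names that only one client ever resolved and that are not in a company-owned zone, a low-prevalence heuristic for beacons that no indicator feed has caught up with yet.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of corporate resolver logs: hypothetical clients and
// domains, not data from the Facebook or Apple incidents. Assumed format:
// "<time> client=<ip> q=<name> type=<rrtype>".
var SampleLogs = []string{
	"2013-02-15T09:12:44Z client=10.20.30.41 q=www.example.test type=A",
	"2013-02-15T09:12:45Z client=10.20.30.41 q=mail.example.test type=A",
	"2013-02-15T09:13:02Z client=10.20.30.41 q=c2.evil-updates.test. type=A",
	"2013-02-15T09:13:09Z client=10.20.30.52 q=www.example.test type=A",
	"2013-02-15T09:14:10Z client=10.20.30.41 q=CDN.evil-updates.test type=TXT",
	"2013-02-15T09:15:31Z client=10.20.30.77 q=www.example.test type=AAAA",
	"2013-02-15T09:15:40Z client=10.20.30.77 q=odd-lonely-host.test type=A",
	"this line is malformed and must be skipped",
}

// Hypothetical indicator list; in practice it comes from an IOC feed.
var Watchlist = []string{"evil-updates.test"}

// Zones the company owns; lookups under them are never "rare" in a useful sense.
var CorpZones = []string{"example.test"}

type Query struct{ Time, Client, Name string }

// ParseLine extracts the fields the constructed format carries. It lowercases
// the name and drops a trailing dot so "C2.evil.test." and "c2.evil.test"
// compare equal. Malformed lines yield ok == false and are skipped upstream.
func ParseLine(line string) (q Query, ok bool) {
	f := strings.Fields(line)
	if len(f) < 3 {
		return Query{}, false
	}
	q.Time = f[0]
	for _, kv := range f[1:] {
		k, v, found := strings.Cut(kv, "=")
		if !found {
			continue
		}
		switch k {
		case "client":
			q.Client = v
		case "q":
			q.Name = strings.TrimSuffix(strings.ToLower(v), ".")
		}
	}
	return q, q.Client != "" && q.Name != ""
}

// UnderAny reports whether name equals, or is a subdomain of, any zone.
func UnderAny(name string, zones []string) bool {
	for _, z := range zones {
		if name == z || strings.HasSuffix(name, "."+z) {
			return true
		}
	}
	return false
}

// Hunt returns, per client, the watchlisted names it resolved (the hosts to
// isolate first), and the names only a single client ever resolved that are
// neither watchlisted nor corporate (candidates for a closer look). The second
// set is noisy on a short sample and needs a baseline window in practice.
func Hunt(lines, watchlist, corpZones []string) (hits map[string][]string, rare map[string]string) {
	hits = map[string][]string{}
	clientsByName := map[string]map[string]bool{}
	for _, line := range lines {
		q, ok := ParseLine(line)
		if !ok {
			continue
		}
		if UnderAny(q.Name, watchlist) {
			hits[q.Client] = append(hits[q.Client], q.Name)
		}
		if clientsByName[q.Name] == nil {
			clientsByName[q.Name] = map[string]bool{}
		}
		clientsByName[q.Name][q.Client] = true
	}
	rare = map[string]string{}
	for name, clients := range clientsByName {
		if len(clients) != 1 || UnderAny(name, watchlist) || UnderAny(name, corpZones) {
			continue
		}
		for c := range clients {
			rare[name] = c
		}
	}
	return hits, rare
}

func main() {
	hits, rare := Hunt(SampleLogs, Watchlist, CorpZones)
	clients := make([]string, 0, len(hits))
	for c := range hits {
		clients = append(clients, c)
	}
	sort.Strings(clients)
	for _, c := range clients {
		fmt.Printf("isolate %s: resolved %s\n", c, strings.Join(hits[c], ", "))
	}
	for name, c := range rare {
		fmt.Printf("review %s: only it resolved %s\n", c, name)
	}
}
```

On the constructed sample this flags 10.20.30.41 for two lookups under the watchlisted domain and singles out 10.20.30.77 for a name nobody else resolved. The point of keeping both outputs is that the first is only as good as the indicator feed, while the second is what finds the next variant; the cost is that the rarity rule must be tuned against a baseline of normal traffic before it is worth paging anyone.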

Oracle, the developer of Java, subsequently patched the vulnerability in a February 1 security update.

In the past few weeks there has been a spate of partially successful hacking attempts against Western companies, from The New York Times to The Wall Street Journal, attributed to Chinese hacking groups; whether those groups are state sponsored remains unclear.

Apple did not comment further on the hack, but the firm said in a statement sent to our sister site CNET:

Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers. The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers. We identified a small number of systems within Apple that were infected and isolated them from our network. There is no evidence that any data left Apple. We are working closely with law enforcement to find the source of the malware.

Since OS X Lion, Macs have shipped without Java installed, and as an added security measure OS X automatically disables Java if it has been unused for 35 days. To protect Mac users that have installed Java, today we are releasing an updated Java malware removal tool that will check Mac systems and remove this malware if found.



  • Now comes the difficult decision

    Do our resident apple fanboys admit:
    1. apple uses Windows
    2. if you use os x and safari, you will be hit by 0 user interaction web drive-by malware

    Results at 11.
    • who cares?

      'Developers' is the key word here and let's not forget whose obsession that is :)
  • I Know That The Current 'High Score' Is 6.1; But,

    let's give this one a '7'!

    Nothing More Secure Than Apple! LOL!
  • Scary to be an os x user

    If apple can't even use os x securely, you have no chance.
    • It's a Java issue..

      So anything running that version of java can be exploited.
      • So?

        Computers run by apple, using os x, were hacked using drive-by malware with 0 end user interaction.

        I repeat: if apple can't even use os x securely, you have no chance.
        • you know this because...

          You work for apple on OS X and you were infected without running any code?
          • I know this because I read

            It looks like it is a drive-by on an iphonedevsdk site.


            "Absolutely, positively do not visit this site, at all. If you do, you run the risk of being infected"

            If this were social engineering, the warning wouldn't be so strong.

            I could be wrong but I'm quite confident I'm right. How confident are you that this is pure social engineering?
          • social engineering

            Did I ever mention social engineering? Read my other posts here for what I had to say. I have some clue as to what developers use Java for; you apparently do not.

            In particular, no normal computer user who switched to Mac for better security ever visits a site like this. Not that they might not be infected by visiting another malicious site, but let's stick to facts, not speculation.
          • Ah, you weren't clear

            Your comments appeared to dispute my claim that this was 0 user interaction. You were NOT disputing that this was a 0 user interaction drive-by attack (something we were PROMISED was impossible on os x and that only trojans worked - yet another lie from the apple faithful).

            It would appear you were disputing this:
            "I repeat: if apple can't even use os x securely, you have no chance."

            Well, you heard it here folks. Only os x developers can ever get infected using os x because they are the only ones with Java who visit sites on the internet.

            And Windows people get accused of relying on security by obscurity?

            os x is swiss cheese. It is so bad that not even apple can plug the holes for their own employees. If apple can't keep their employees safe, there is no way you can keep yourself safe. You aren't smarter than apple.
          • I don't know the term

            That is, what doctors call your condition.

            But even if someone (wasn't me) promised you OS X can be infected with a virus, I bet that same person did not promise you java can't be infected. So given this fact, I just don't understand your persistence in trying to prove things that are just not here.

            But, it seems you can't stop. So, go toddy, go!
      • The score so far

        We have Linux embarrassed by, and *several* other sites thoroughly *compromised* and infected with rootkits. The very sites run and administered by the Linux experts and developers.

        We have Apples corporate network breached by multiple computers infected with worms, systems compromised and under the control of attackers. In addition to macs infecting the networks of Twitter and Facebook.

        What a joke Linux and OS X security has turned out to be.

        Windows is battle-hardened, has sandboxing that actually works and prevents infections, has anti-exploit mitigations such as ASLR+DEP that are actually effective (and not pseudo-ASLR vulnerable to ROP like on Linux and OS X).

        Windows experiences fewer vulnerabilities than both Linux and OS X, and Windows is patched faster than both.
        • we also have

          Microsoft's own code signing certificates (that let any windows run any code without ever telling the user it's happening)... Stolen.

          What else? :)

          If you don't have a clue you don't connect general purpose computers to networks. This is by the way, one of the reasons the so called 'desktop' is dead. The users expect too much 'convenience' that always comes at the cost of security. You either learn or get infected.
          • We also have os x completely destroyed by a drive-by

            0 user interaction.

            os x security epic fail.

            Don't forget it, this one is about os x security utterly failing. Even worse, os x security failed even when apple themselves were the ones who set it up. If apple can't secure their own os x machines, you have no chance.
          • You seem to have it in for Apple

            I'm no computer expert, so I don't really know what this is all about. Perhaps you could enlighten me on the pros and cons of Apple, Windows, Linux, Chrome etc. Please make it clear for me to understand, and also not just negative on Apple, as there must be problems with the others.
          • False

            >>>Microsoft's own code signing certificates (that let any windows run any code without ever telling the user it's happening)... Stolen.

            Nope. False on both claims.
            1) No certificate was stolen. A vulnerability combined with a rather sophisticated crypto attack (involving considerable computing power) allowed an attacker to create a fake certificate.
            2) The certificate did not allow an attacker to run any code. He first had to get in. The certificates required for drivers in Windows offer a security level *not* *available* on competing OSes.

            The vulnerability allowed an attacker for a limited time (until the vulnerability was patched) to bypass an *additional* security level which would have been there on OS X or Linux.

            In no way is this comparable to a network breach of the vendors own corporate network.

            Nice try, though.

            , and more compromised and running a rootkit for the better part of a month. is where all source code for Linux is being coordinated. Compromise only discovered by accident. Attack was unsophisticated and the attacker apparently didn't know he had pwned the crown jewels of Linux. The best Linux brains in the world were pwned by a script kiddie!

            OSX computers at Apple(!!!), Twitter, Facebook and many others *compromised* and under the control of attackers who managed to set up DNS zones inside the networks! Smug Apple types eating crow and trying to dump their embarrassment on Oracle. The "most advanced OS in the World" should have protected the system. Where was the sandbox? Where was the AV software which should have prevented this? (A: sandbox MIA, AV woefully ineffective).

            I'm a (Windows) PC!
          • not my case

            Apparently, you know of a different compromise at Microsoft. There are apparently many; you are excused for missing that bad one.
            The certificates were stolen from Microsoft's internal network and yes, code has been run on many computers.

            By the way, plenty of non-Microsoft platforms employ code signing. Just FYI.

            You can worship your tech company. I worship none.
          • Don't ask danbi to back up his claim

            He will just tell you that it is your responsibility to prove the things he has written.
          • Back up your claim, please

            (apologies to toddbottom3)

            danbi, You cannot be this stupid. If you knew *anything* about digital security certificates you would know that the private key of a central certificate is *always* stored in a HSM.

            That's HSM == Hardware Security Module. It is a FIPS certified hardware appliance which *guarantees* (!!) that the private key cannot ever leave the module (except when transmitted in encrypted form to peer HSMs).

            Even the most privileged administrator of such a box cannot extract the private key. If the CEO brings in the lawyers or if a prosecutor brings in the feds they can *still* not extract the key. The HSM is tamper proof. The chips are welded in epoxy. If you try to drill into the unit, vibration sensors and/or light sensors will fire and cause the unit to self-wipe. If you move the unit, G sensors and GPS location will fire and cause the unit to wipe itself. If you pull the power the battery backup will kick in. If you pull the batteries the unit will lock up hard.

            In short: You are lying. There has never been a single incident where a root key or central key was compromised. Not from Microsoft nor anyone else.

            Sure, some of the SSL digital cert providers have been compromised. Even RSA had a break-in (Unix systems). But a master key has never been stolen.
          • oh my

            I know enough about digital certificates to know that you have no clue what you talk about.

            Yes, you can store the private key of a certificate in a HSM, but in no way are you forced to. So what is your point?

            But, even if you store the private key of your root certificate in an HSM, if I know your access credentials, I will ask your HSM to sign an intermediate certificate for me. It will happily do so (because if it cannot do it, it's pretty much useless piece of junk) and I will have certificate that your end system will ultimately trust. Because it is signed by you. The private key of that certificate can sit anywhere, nobody cares.

            The security incident I am talking about, when Microsoft's internal network (where these certs are processed) was breached, happened exactly that way. Nobody ever cared to steal any private keys.

            Of course, you can revoke root certificates. But for the purpose for which they are used in Windows (to let Microsoft anti-theft code run undetected), the only way is to re-install the OS. And lots and lots of Windows users don't update their systems for one reason or another. Yet more absurd, those certificate updates are marked non-critical in Windows Update.

            Unfortunately, the whole PKI concept is utterly flawed, but most people don't realize it and some who do... just cannot refuse the money.

            Like I said, I know about digital certificates more than I deserve. Ignorance is bliss. Unfortunately, not everyone has the chance.
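The last few comments argue past each other about whether a root key in an HSM makes a signing infrastructure safe. The program below is an added example, written for this page and not taken from any commenter or from any vendor's code; it says nothing about what happened at Microsoft, and only shows the chain mechanics both sides are gesturing at. Names such as "Demo Root" and "update.example.test" are placeholders. It builds root, intermediate and leaf with Go's standard library, verifies the leaf against a trust store that holds only the root, and then shows that a leaf from a CA the root never signed is rejected. The root's private key is used exactly once, to sign the intermediate; after that, whoever holds the intermediate key (or can get the root to sign another one) can mint certificates the trust store accepts, whether or not the root key ever leaves an HSM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Deliberately minimal templates; real issuance adds path-length limits, name
// constraints, policy OIDs, AIA and CRL URLs.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func leafTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
		DNSNames:  []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// issue signs tmpl (carrying pub) with signerKey; a nil parent means self-signed.
func issue(tmpl *x509.Certificate, pub *ecdsa.PublicKey, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Result: length of the verified chain for the legitimate leaf, and whether a
// leaf chained to an uncertified CA was accepted by the same trust store.
type Result struct {
	ChainLen      int
	RogueAccepted bool
}

// Demo builds root -> intermediate -> leaf and verifies against the root alone.
func Demo(host string) (Result, error) {
	rootKey := mustKey()
	root, err := issue(caTemplate("Demo Root", 1), &rootKey.PublicKey, nil, rootKey)
	if err != nil {
		return Result{}, err
	}
	interKey := mustKey()
	// The only use of rootKey: certify the intermediate. Nothing below touches it.
	inter, err := issue(caTemplate("Demo Intermediate", 2), &interKey.PublicKey, root, rootKey)
	if err != nil {
		return Result{}, err
	}
	leafKey := mustKey()
	leaf, err := issue(leafTemplate(host, 3), &leafKey.PublicKey, inter, interKey)
	if err != nil {
		return Result{}, err
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host}
	chains, err := leaf.Verify(opts)
	if err != nil {
		return Result{}, err
	}
	// A CA the root never signed: same names, same profile, no path to the root.
	rogueKey := mustKey()
	rogueCA, err := issue(caTemplate("Rogue CA", 4), &rogueKey.PublicKey, nil, rogueKey)
	if err != nil {
		return Result{}, err
	}
	rogueLeafKey := mustKey()
	rogueLeaf, err := issue(leafTemplate(host, 5), &rogueLeafKey.PublicKey, rogueCA, rogueKey)
	if err != nil {
		return Result{}, err
	}
	_, rogueErr := rogueLeaf.Verify(opts)
	return Result{ChainLen: len(chains[0]), RogueAccepted: rogueErr == nil}, nil
}

func main() {
	r, err := Demo("update.example.test")
	if err != nil {
		panic(err)
	}
	fmt.Printf("legitimate leaf: chain of %d; rogue leaf accepted: %v\n", r.ChainLen, r.RogueAccepted)
}
```

The verified chain is three certificates long (leaf, intermediate, root) and the rogue leaf fails with an unknown-authority error. What an HSM protects is the one step where rootKey is used; what it cannot protect is the signing service that holds interKey, or an operator who can ask the HSM to sign a new intermediate. Those are the parts that need access control, audit logging and a revocation path that clients actually consult.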