If you or someone connected to your network — a family member or an employee, for instance — visited one particular malware-ridden website in the last few months, you may be in a lot of trouble.
Facebook and Apple have both suffered at the hands of hackers, thanks to a zero-day vulnerability in Java that led to hackers infiltrating both of the companies' internal networks in recent weeks. While there was "no evidence" to suggest that company or user data had been stolen, the companies said in separate statements, it sent a shiver down the spine of many who had invested their trust in the companies to keep their data safe.
The root cause is reportedly one iPhone development website that became infected with malware, which was then able to dump its malicious payload on vulnerable machines. If those infected machines were then connected to a corporate network, that network would likely have been infected.
Other technology news sites have reported that the mobile development site "iPhoneDevSDK" is the source of both Apple and Facebook's internal network breaches, according to AllThingsD and The New York Times, which both confirmed the source of the malware.
It's absolutely vital that you do not visit this site in any way, shape, or form, as it may still contain active malware that could lead to infection.
According to AllThingsD, which spoke to Facebook sources under the condition of anonymity, a number of the company's employees visited the site more than a month ago. The site, laden with malware that was injected into the website's code, used an exploit in the Java web plugin to gain access to the employee laptops.
This "watering hole" technique attacks a centralized website with many visitors, and secretly attacks and infects vulnerable machines using an unpatched exploit. This is different from a targeted attack, such as emailing a malware-laden attachment to a certain user.
While Apple's laptops were clearly MacBook machines running the latest (if not pre-release) version of OS X, it most certainly would not be limited to these devices. PCs and devices running Windows would also be at risk if they were running a vulnerable version of Java.
Facebook confirmed that the internal network breach was a result of a zero-day exploit in the Java plugin, as did Apple in a statement on Tuesday. Law-enforcement agencies were informed in both cases.
Java developer Oracle patched the vulnerability in a February 1 security update.
Twitter suffered a similar hack earlier this month, but the microblogging company did not identify exactly what the root cause for the breach was. It was believed at the time that it was connected to Chinese hackers, which may have been associated with the country's government or military. It's now looking more likely that a Twitter employee visited the "root" infected website that led to the company's network being hacked.
Exactly who is behind this threat is unknown. Many are looking at the Chinese, who have been known to carry out cyberattacks on networks and infrastructure before. In 2010, Google pulled out of China altogether, after its networks were compromised by the Chinese government.
However, sources speaking to Bloomberg are pointing the finger in an entirely different direction. The publication reported that "at least 40 companies", including Apple, Facebook, and Twitter, were targeted by Eastern European hackers who were "trying to steal company secrets".
So, now what?
Here's the troubling thing: You may not have accessed the allegedly infected website, but have your employees? Do you run onsite iPhone application or service development? And can you be absolutely sure that your company, network, or individual computer has not been compromised in some way?
Of course not. Here's what you can do. (This list is far from exhaustive, but it's a start.)
1. Remove Java immediately
The chances are that you are running Java on your machine, or, at the very least, someone on your network is.
You can either disable Java or remove it completely, thus lowering the attack vector considerably. Java has been known to contain flaw after flaw, even after numerous updates, and is commonly used by hackers to gain access to computers, devices, and networks.
Oracle released yet another update to its Java plugin on Tuesday. Apple has also released a Java patch — this can be downloaded here, if it hasn't already appeared in your software updates window — that should patch any vulnerabilities currently being exploited in the wild.
Run updates on your system through the Java Control Panel item on Windows, or check System Preferences on OS X.
2. Check your logs, history, browsing records
While it may not be the easiest thing to do, you may need to trawl through your DNS logs and other browsing records to determine whether anyone on your network — be it a single family member, or a thousand employees — has visited this "root" infected website in the past two months.
If at any point that website appears — again, do not visit this website: "iPhoneDevSDK" — then there is a significant chance that certain machines, if not others on that network, may have been infected with malware.
3. Run a full, network-wide malware sweep
Even if nothing has shown up, run a full, network-wide malware sweep using an up-to-date network malware or antivirus solution. If you can set server-side IT policies to force users connecting to your network to run an antivirus scan before connecting (such as Network Access Protection on Windows machines, for instance), this may help mitigate the spread of such malware across your network.
Vulnerable machines are those running unpatched versions of Java, particularly those not running the latest version — Java 7 (Update 15) and Java 6 (Update 41) — and the malware can infect both Mac and Windows machines.
4. Take future precautions: Virtualize and isolate risky software
Many companies rely on Java — even if many websites do not use the plugin anymore — thus, removing it may not be an option. Patching the software to the latest version is the best you're going to get, at least for now, but adding an extra layer between the Java plugin and the host machine can mitigate any network-wide malware attacks.
Java is the zero-day king, and more and more flaws will likely be found with the software. By using a virtual machine that's not connected to the host or the host's network (but still connected to the internet), Java-based web applications and Java-enabled websites can be run in an isolated and sandboxed environment, away from company files and other machines.
Updating the software may not have prevented the attack on Facebook, Apple, and others, but keeping it sandboxed may have lessened the risk of any data being stolen.