Cyber criminals exploit Java vulnerability to hack Apple, Facebook, and Twitter

Two decades after computer security began generating billions by selling expertise and software designed to protect unwanted network intrusions, experts say those networks are more vulnerable than ever. Florida-based Internet security firm Team Cymru said in a report released today, shared exclusively with The Verge, that analysts there uncovered a massive overseas hacking operation that is making off with a terabyte of data per day. Some of the victims include military and academic facilities and a large search engine. The report doesn't identify who might be behind the attacks, but Team Cymru director Steve Santorelli conceded that, given the amount of resources behind the attacks, it is obvious the group is state-sponsored. "This is Internet theft on an industrial level," said Santorelli, a former detective with Scotland Yard.

The United States is under siege. Team Cymru's report follows on the heels of similarly damning research issued last week by security firm Mandiant, a document that could be read as an indictment of the entire cyber-security sector. Mandiant detailed how a group of cyber commandos employed by China has electronically raided the computer networks of hundreds of American companies over several years to pilfer precious trade secrets. In a story about the Mandiant findings, The New York Times reported that Washington now believes China also has the ability to use the internet to sabotage water supplies, shut down power stations and hobble our financial system.

If you've been paying any attention to the security breaches hitting Apple, Facebook, Twitter, NBC, and others these past few weeks, you've probably noticed a common culprit: our poor old pockmarked friend, Java.

As a web plugin, Oracle's aging code deployment platform has practically been a revolving door for widespread malware attacks recently, and for years the general consensus has often been that its risks have outgrown its usefulness. After spending a week Java-free back in 2010, PCMag's Larry Seltzer concluded that the Java platform as a whole "is pretty clearly a failure, and all that remains of it is a big fat attack surface on your computer."

The owner of iPhone developer website iPhoneDevSDK says his team has patched a security hole behind malware that infected employee computers at Facebook, making the developer site safe to visit again.

"It is clean now," said Ian Sefferman, iPhoneDevSDK's owner and operator, in an email to The Verge. Sefferman and his colleagues are still trying to figure out exactly what went wrong and how to keep their site and its 200,000 registered users secure from hackers in the future. Malware found on employee computers at Apple and Twitter also may have come from the site while it was compromised.

The recent attacks on Apple’s systems originated in Russia or Eastern Europe, and are linked to similar attacks on Facebook and Twitter, say new reports from Reuters and Bloomberg. The goal of the attacks is said to be company secrets and intellectual property to be sold on the black market, unlike the the state-sponsored attacks coming out of China, which have instead focused on government secrets and national infrastructure.

In all cases, employees’ computers were compromised after accessing the mobile developer website iphonedevsdk.com, which exploited a vulnerability in the Java browser plugin. While the precise location and nationality of the attackers is unknown, investigators have discovered at least one server in use by the criminal group in the Ukraine.

AllThingsD is reporting that the culprit behind high-profile hacks targeting Apple and Facebook is "likely" a website called iPhoneDevSDK. The site, which is a hub for iOS and mobile development discussion, was reportedly injected with malicious code according to the report. Employees at Facebook apparently visited the iPhoneDevSDK website in recent weeks, just prior to a hack that the social network made public last Friday. AllThingsD suspects the same developer resource is responsible for an intrusion that comprised "a limited number" of Apple's internal computers. An exploit affecting Oracle's Java plugin served as a gateway for attackers in both instances. A discussion thread at MacRumors suggests that iPhoneDevSDK has encountered malware issues numerous times.

Apple has released a new version of Java meant to plug a vulnerability that can be exploited to install malware on user's computers. The company made an unprecedented announcement this morning, admitting that hackers had effectively infected a "small number" of its computers after employees visited a website for software developers that contained the malicious code. Apple says it isolated those computers from its network, and promised that it would release a support tool today to patch the vulnerability. The update uninstalls Apple's Java applet plugin from all browsers, as well as the Java Preferences application, which it says is no longer needed to configure the applet's settings.

Users can obtain the Java update through Apple's support website, or by using the Software Update tool for OS X.

In a statement provided to The Verge, Apple says that hackers infected a "small number" of its computers in an attack that exploited a Java vulnerability. As Reuters originally reported, the company says "there was no evidence that any data left Apple," and no user information is said to have been compromised. Apple says the rare security breach utilized the same malware that was recently used to target Facebook and other companies. Despite being a high-profile target, the situation is highly unusual for Apple, and the company says it is working with law enforcement to track down those responsible.

"Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers," the company said in its statement. "The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers. We identified a small number of systems within Apple that were infected and isolated them from our network."

As one of the largest sites on the internet, there's no doubt that Facebook is a prime target for hackers. It looks like some of those hackers were apparently successful — Facebook has just admitted that its systems were targeted last month in a "sophisticated attack." However, the company was quick to point out that "we have found no evidence that Facebook user data was compromised." It sounds like users have no need to worry at this point, but Facebook is continuing to work with its internal engineering teams, security teams at other companies targeted by the attack, and law enforcement officials in an effort to make sure such an attack doesn't happen again.

As for the attack itself, Facebook says that a "handful" of employees visited a mobile developer website that had been compromised — the site hosted a zero-day exploit that installed malware on those employees' laptops. The malware bypassed the Java sandbox protections; once Facebook reported the vulnerability to Oracle, the company responded with a patch on February 1st to correct the flaw. Facebook said that the laptops were all running up-to-date virus protection software and they immediately fixed the machines and notified law enforcement.