Pierluigi Paganini February 19, 2013

There is no peace for enterprises, in few weaks we have discovered how much vulnerable are giants of IT, one after another, fell the most renowned names from Facebook to Twitter, companies that we considered immune from thousands of attacks they receive each day.

Until now Microsoft and Apple weren’t affected … but it’s news of these hours that the company from Cupertino has also been victim of an attack, hackers targeted some of its employees’ machines as part of the same wave of attacks against a meaningful number of companies all over the world.

Apple today confirmed to Reuters press agency that it hit by cyber attacks as part of the series of hacking campaigns that targeted US news agencies and other enterprises.

Unknown hackers have hit employee’s computers adopting same techniques implemented during the attacks to Facebook, Apple’s workers were infected when they visited a compromised website for software developers. The malware hosted on the infected website had been designed to attack Mac computers and exactly as happened during other attacks it exploited a flaw in a version of Oracle Corp’s Java software used as a plug-in on Web browsers.

The article proposed by Reuters states:

“Security firm F-Secure wrote that the attackers might have been trying to get access to the code for apps on smartphones, seeking a way to infect millions of end-users. It urged developers to check their source code for unintended changes. Apple disclosed the breach as tensions are heating up over U.S. allegations that the Chinese military engages in cyber espionage on U.S. companies.”

The situation is critic, similar attacks could expose sensitive information of millions of users, the vulnerabilities related to Java software are representing a serious problem for IT security because they are most exploited during the attacks and don’t forget the Java platform is already installed on billions of machines, finally remind also that other popular software such as Adobe Systems Flash are targeted by cyber criminals and state sponsored hackers during the attacks.

Returning to the Apple’s incident, of course also in this case the victim declared that “there was no evidence that any data left Apple”, it also confirmed that only “a small number of systems” were infected by the attack before being isolated, investigations into the breaches are ongoing.

Following the advisory published by the company:

“Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers. The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers. We identified a small number of systems within Apple that were infected and isolated them from our network. There is no evidence that any data left Apple. We are working closely with law enforcement to find the source of the malware.

Since OS X Lion, Macs have shipped without Java installed, and as an added security measure OS X automatically disables Java if it has been unused for 35 days. To protect Mac users that have installed Java, today we are releasing an updated Java malware removal tool that will check Mac systems and remove this malware if found.”

It’s not first time that Apple machines were hit by cyber attacks, last month it blocked Java from some of its Macs using its XProtect antimalware tool, fortunately Apple has immediately started the incident response procedures planning to release a security update later today.

Security experts are convinced that attacks are originate from China, just today Mandiant published an interesting report on APT1 & China’s cyber espionage units accused to be the fist information collector of foreign governments and enterprises.

The security expert Charlie Miller declared that the incident shows that attackers are investing more time studying the Mac OS X operating system, he remarked that hackers recently figured out a fairly sophisticated way to attack Macs by exploiting a flaw in Adobe Systems Flash software.

“The only thing that was making it safe before is that nobody bothered to attack it. That goes away if somebody bothers to attack it,” Miller said.

Keep up to date though our systems is an obligation for each of us but it may not be sufficient in some cases, in fact the attacks were carried out by exploiting 0-day vulnerabilities, so it is desirable to have appropriate  incident response procedure and an efficient patch management process.

Big enterprises need a “preventative approach” and is necessary to implement a layered security model to evaluate a wide range of indicators that can provide indication on the presence of an attack in progress.

Pierluigi Paganini

Update 2013/02/20

After publish disclosure of the hack Apple has provided a Java update to fix the vulnerability exploited during the attacks:

“Java for OS X 2013-001 delivers improved security, reliability, and compatibility for Java SE 6. Java for OS X 2013-001 supersedes all previous versions of Java for OS X.”

Bloomberg has published an article that introduce the hypothesis that attackers are based in Russia or Eastern Europe.

“Investigators suspect that the hackers are a criminal group based in Russia or Eastern Europe, and have tracked at least one server being used by the group to a hosting company in the Ukraine. Other evidence, including the malware used in the attack, also suggest it is the work of cyber criminals rather than state-sponsored espionage from China, two people familiar with the investigation said.”