Apple Acknowledges Data Breach, Attacks On Employees

Apple told Reuters that its workers fell victim to an attack after visiting a website for software developers that had been infected with malicious software. The breach follows the disclosure from Facebook late last week, which acknowledged that a "handful" of its employees had their laptops infected with malware.

At the heart of the attack is a Java zero-day vulnerability, which Oracle patched in an emergency security update issued on Feb. 1. Reuters reported that Apple acknowledged that the malware had been designed to attack Mac computers.

[Related: Data Breach Threat Intelligence By The Numbers ]

Hundreds of companies, including defense contractors, had been reportedly infected with the same malicious software in attacks that targeted the Java zero-day vulnerability. Attackers use drive-by attacks to lure victims to infected websites that exploit vulnerabilities on their machine. Watering hole-style attacks are designed to be more targeted, infecting a site commonly visited by targeted individuals in an organization.

Facebook said there is no evidence that any Facebook user data was compromised. Apple did not respond to a request from CRN for comment.

It is very unlikely that the attacks on Apple were targeted or highly sophisticated, said H.D. Moore, chief security officer of vulnerability management vendor Rapid7 and chief architect of the popular Metasploit penetration testing tool. The use of a zero-day vulnerability could simply mean that it was an undisclosed flaw that was shared between financially motivated cybercriminals, Moore said.

More called Apple's acknowledgement of a breach "ironic for a company that has done a really poor job of patching Java on OSx systems." The Flashback Trojan, which targeted a Java vulnerability on Apple systems in 2012, prompted some security experts to criticize the software maker for taking too long to patch Java on its Macs.

"We're not sure really what happened at this point," Moore said. "I see this as nothing interesting; it's yet another drive-by attack out there looking for targets of opportunity."

Moore said the attackers got lucky finding a vulnerable developer website and setting it up as an attack platform to infect a large number of individuals who could have access to more sensitive systems.

"Going after app developers can yield a much higher ratio of downstream targets," Moore said. "Compromising a developer's machine potentially gives you access to a lot of corporate networks."

Facebook said the attackers exploited a Java zero-day vulnerability, bypassing the sandbox built-in security restrictions to install the malware. The company detected the intrusion after it found a suspicious domain in its DNS logs. An incident response team traced it to an employee laptop, and further investigation found the same malware on other employee laptops.

There have been a string of high-profile data breach disclosures in recent weeks. Twitter reset thousands of passwords of some of its earliest adopters following malware detected on its systems. The New York Times revealed in January that sophisticated attacks targeted its journalists.

PUBLISHED FEB. 19, 2013