Many companies likely affected by compromise of popular iOS developer forum

iPhoneDevSDK administrators confirm that the site was compromised and hosted a zero-day exploit in January

By Lucian Constantin, IDG News Service | Security

"We were alerted through the press, via an AllThingsD article, which cited Facebook," he said in a message posted on the forum. "Prior to this article, we had no knowledge of this breach and hadn't been contacted by Facebook, any other company, or any law enforcement about the potential breach."

"Immediately, we were in contact with Facebook's security team, including Joe Sullivan, Facebook's Chief Security Officer, and his team, to learn what they knew," he said. "We also contacted Vanilla, our amazing forum hosts, to ensure the problem was not with their software."

The hackers managed to compromise an administrator account and used it to alter the site's files and insert malicious JavaScript into them, Sefferman said. "That JavaScript appears to have used a sophisticated, previously unknown exploit to hack into certain users' computers."

It is very likely that iPhoneDevSDK was the common gateway for the attacks against Twitter, Facebook and Apple, Sean Sullivan, a researcher at security firm F-Secure, said Wednesday via email.

Sullivan believes that while it's possible the attackers did their homework and researched in advance who visited the forum, it's also possible that they never expected to hack into Twitter, Facebook and Apple systems in particular. "In fact, that might have been their undoing -- they caught too many big fish with strong security teams," he said.

Twitter did not immediately respond to an inquiry sent Wednesday seeking confirmation that the attack against the company involved a previously unknown Java exploit hosted on iPhoneDevSDK.

The exact timeline of the attack against the Web forum is not clear, but it seems that the hackers removed the exploit on Jan. 30, Sefferman said.

Earlier this week, Sullivan said in a blog post that F-Secure obtained some samples of Mac malware uploaded to VirusTotal on Jan. 31, one day before Twitter's hack announcement, that might have been used in the attacks.

One of the samples was a backdoored SSH daemon binary that was very likely dropped by an exploit. The others were one-line Perl scripts that run at startup and open a reverse shell to a remote server, he said.

The URLs contacted by these scripts included a domain that misspelled "Apple Corp"; a domain that sounded like the name of a digital consulting company; and a domain that pretends to be a cloud storage service.

Given the audience of iPhoneDevSDK -- iOS developers -- the attack most likely targeted Mac OS users, Sullivan said Wednesday. However, some old samples of Windows malware that contact one of the same domains as the new Mac backdoors have also been identified. So the same attackers also targeted Windows users in the past, he said.
