Anatomy of a Breach

Anatomy of a Breach: The Silicon Valley Watering Hole — When Apple, Facebook, and Twitter Were All Hacked at Once

> series: anatomy_of_a_breach —— part: 050 —— targets: apple_facebook_twitter —— method: watering_hole —— exploit: java_zero_day

Hedgehog Security 28 February 2013 12 min read

They did not hack Apple. They did not hack Facebook. They hacked the website Apple and Facebook visited.

In February 2013, three of the world's most prominent technology companies — Apple, Facebook, and Twitter — disclosed in quick succession that employees' computers had been compromised by malware. The source was not a direct attack on any of the three companies but a watering hole attack: the attackers had compromised iPhoneDevSDK, a popular developer forum, and injected a Java zero-day exploit (CVE-2013-0422) into the site. When developers from Apple, Facebook, Twitter, and potentially dozens of other companies visited the forum as part of their normal work, the exploit silently installed malware on their machines.

The watering hole technique — compromising a website that your targets visit rather than attacking the targets directly — had been used by the Elderwood Group after Operation Aurora, but the Silicon Valley attack demonstrated its effectiveness at scale against some of the most security-conscious companies in the world. If Apple, Facebook, and Twitter could be compromised through a developer forum, any organisation whose employees visit third-party websites is vulnerable to the same technique.


Poison the waterhole, catch every animal that drinks.

Identify What Your Targets Visit
The attackers identified that mobile developers at major tech companies regularly visited iPhoneDevSDK — a forum for iOS development discussion. Rather than crafting individual phishing emails for each target, they compromised a single website and let the targets come to them. Our <a href="/penetration-testing/red-team">red team engagements</a> include watering hole assessment — identifying the websites your employees visit that could be used as attack vectors.
Inject the Exploit
The attackers injected a Java zero-day exploit into the iPhoneDevSDK website. Any visitor whose browser had a vulnerable Java plugin enabled (which, at the time, meant most browsers) was silently compromised. The exploit required no user interaction beyond visiting the page — a 'drive-by download' that was invisible to the victim.
Malware Installed Silently
The exploit installed malware that provided the attackers with persistent access to the victim's workstation — from there, they could access corporate networks, source code repositories, and internal communications. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> validates whether a compromised workstation can reach sensitive internal systems.
Even Tech Giants Were Vulnerable
Apple, Facebook, and Twitter are among the most technically sophisticated organisations in the world. If they were vulnerable to a watering hole attack via a Java zero-day, the question for every other organisation is not whether this could happen to them but what they would do when it does. <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides the monitoring that detects post-compromise activity — the malware callbacks, lateral movement, and data access that follow a successful watering hole attack.
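The post-compromise activity described above (malware callbacks from a workstation that has just visited a compromised site) is the kind of pattern a SOC hunts for in proxy logs. As an added illustration for this page, written for it and not Hedgehog Security's or SOC in a Box's tooling, the following Python sweep finds clients that visited a listed watering-hole site and then began contacting one new external host at a near-constant interval. The log line format, the `WATERING_HOLES` set and every host, address and timestamp in `SAMPLE_LOG` are constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (no real traffic). Assumed line format:
#   "<ISO timestamp> <client_ip> <method> <url> <status>"
# 10.1.2.15 visits the forum, fetches a jar, then starts minute-interval POSTs
# to a previously unseen address; 10.1.2.16 never visits; 10.1.2.17 visits
# but shows no follow-on pattern.
SAMPLE_LOG = """\
2013-02-01T09:00:00 10.1.2.15 GET http://forum.example-devsdk.test/index.php 200
2013-02-01T09:00:01 10.1.2.15 GET http://forum.example-devsdk.test/static/applet.jar 200
2013-02-01T09:00:05 10.1.2.15 GET http://update.example-cdn.test/check 200
2013-02-01T09:00:40 10.1.2.15 POST http://198.51.100.23/gate.php 200
2013-02-01T09:01:40 10.1.2.15 POST http://198.51.100.23/gate.php 200
2013-02-01T09:02:40 10.1.2.15 POST http://198.51.100.23/gate.php 200
2013-02-01T09:03:40 10.1.2.15 POST http://198.51.100.23/gate.php 200
2013-02-01T09:00:10 10.1.2.16 GET http://news.example.test/ 200
2013-02-01T09:02:00 10.1.2.16 GET http://news.example.test/story 200
2013-02-01T09:15:00 10.1.2.17 GET http://forum.example-devsdk.test/index.php 200
2013-02-01T09:16:00 10.1.2.17 GET http://news.example.test/ 200
"""

# Hypothetical list of sites reported as compromised watering holes.
WATERING_HOLES = {"forum.example-devsdk.test"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Parse log text into (timestamp, client, method, host) tuples."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines rather than abort the sweep
        ts, client, method, url, _status = m.groups()
        records.append((datetime.fromisoformat(ts), client, method, urlparse(url).hostname))
    return records


def first_watering_hole_visit(records, watering_holes):
    """Earliest visit per client to any listed watering-hole site."""
    first = {}
    for ts, client, _method, host in records:
        if host in watering_holes and (client not in first or ts < first[client]):
            first[client] = ts
    return first


def find_post_visit_beacons(records, watering_holes, window=timedelta(hours=1),
                            min_hits=4, max_jitter=0.25):
    """Clients that, after visiting a watering hole, contact one host at a
    near-constant interval: the callback pattern of installed malware."""
    first = first_watering_hole_visit(records, watering_holes)
    by_dest = defaultdict(list)
    for ts, client, _method, host in records:
        if client not in first or host in watering_holes:
            continue
        if first[client] <= ts <= first[client] + window:
            by_dest[(client, host)].append(ts)

    findings = []
    for (client, host), times in by_dest.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        # Coefficient of variation: real beacons cluster tightly around one interval.
        if statistics.pstdev(gaps) / mean <= max_jitter:
            findings.append({"client": client, "destination": host, "hits": len(times),
                             "interval_s": round(mean),
                             "watering_hole_visit": first[client].isoformat()})
    return findings


if __name__ == "__main__":
    for f in find_post_visit_beacons(parse_log(SAMPLE_LOG), WATERING_HOLES):
        print(f"{f['client']} visited a watering hole at {f['watering_hole_visit']} "
              f"then beaconed to {f['destination']} {f['hits']}x every ~{f['interval_s']}s")
```

On the sample data only 10.1.2.15 is reported: it is the one client that both visited the listed site and then settled into a fixed-interval callback to a host nobody else contacts. The `min_hits`, `window` and `max_jitter` thresholds are starting points; real implants add jitter to their sleep timers, so tune them against your own traffic and treat the output as a hunting lead for analyst follow-up, not a verdict.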

Patching, browser security, and network segmentation.

The Silicon Valley watering hole exploited a Java zero-day — but the broader lesson is about reducing attack surface. Java browser plugins were a persistent source of zero-day exploits throughout the early 2010s, and the best defence was to disable Java in the browser entirely (as Apple subsequently did by default). Today, the equivalent advice applies to any unnecessary browser plugin, extension, or runtime that increases the attack surface. Cyber Essentials mandates prompt patching of internet-facing software within 14 days of critical updates.

For organisations whose employees regularly visit external websites as part of their work — which is every organisation — network segmentation between developer workstations and production systems limits the blast radius of a watering hole compromise. SOC in a Box monitors for the behavioural indicators of post-exploit activity. Our web application testing and vulnerability scanning ensure your own websites cannot be used as watering holes against your partners. And UK Cyber Defence provides incident response when a watering hole attack is detected.
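The point about making sure your own website cannot be turned into a watering hole can be checked mechanically: a compromise of this kind shows up as active content the page did not previously load. The following Python audit is an added example written for this page, not Hedgehog Security's scanner or any product's code. It extracts every element that pulls in executable or framed content (`script`, `iframe`, `applet`, `object`, `embed`), flags anything loaded from an origin outside an allowlist, any plugin content at all, and any zero-size or hidden frame, and diffs the live page against a stored baseline. The two HTML documents, `ALLOWED_ORIGINS` and the `203.0.113.9` address are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed pages (not real sites). EXPECTED_PAGE is the owner's baseline;
# INJECTED_PAGE is the same page with a third-party script, a 1x1 applet and a
# hidden iframe added, the shape a watering-hole injection takes.
EXPECTED_PAGE = """<html><head>
<script src="/static/forum.js"></script>
<script src="https://cdn.example-forum.test/jquery.js"></script>
</head><body><h1>Dev Forum</h1></body></html>"""

INJECTED_PAGE = """<html><head>
<script src="/static/forum.js"></script>
<script src="https://cdn.example-forum.test/jquery.js"></script>
<script src="http://203.0.113.9/j.js"></script>
</head><body><h1>Dev Forum</h1>
<applet code="Loader.class" archive="http://203.0.113.9/l.jar" width="1" height="1"></applet>
<iframe src="http://203.0.113.9/x.html" width="0" height="0" style="display:none"></iframe>
</body></html>"""

# Hypothetical allowlist: external origins the site owner expects to load from.
# Relative URLs are same-origin and are always accepted.
ALLOWED_ORIGINS = {"cdn.example-forum.test"}

PLUGIN_TAGS = {"applet", "object", "embed"}
# tag -> attribute that names what it loads
SOURCE_ATTR = {"script": "src", "iframe": "src", "applet": "archive",
               "object": "data", "embed": "src"}


class ActiveContentExtractor(HTMLParser):
    """Collect every element that pulls in executable or framed content."""

    def __init__(self):
        super().__init__()
        self.items = []

    def handle_starttag(self, tag, attrs):
        if tag not in SOURCE_ATTR:
            return
        a = dict(attrs)
        src = a.get(SOURCE_ATTR[tag]) or a.get("code") or ""
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        self.items.append({"tag": tag, "src": src, "hidden": hidden})


def extract_active_content(html):
    parser = ActiveContentExtractor()
    parser.feed(html)
    parser.close()
    return parser.items


def audit_page(html, allowed_origins):
    """Return one finding per suspicious element, listing every reason it tripped."""
    findings = []
    for item in extract_active_content(html):
        reasons = []
        host = urlparse(item["src"]).hostname  # None for relative (same-origin) URLs
        if host is not None and host not in allowed_origins:
            reasons.append(f"unexpected origin {host}")
        if item["tag"] in PLUGIN_TAGS:
            reasons.append("plugin content")
        if item["hidden"]:
            reasons.append("hidden")
        if reasons:
            findings.append({"tag": item["tag"], "src": item["src"], "reasons": reasons})
    return findings


def new_active_content(baseline_html, current_html):
    """Elements in the current page that the stored baseline did not have."""
    baseline = {(i["tag"], i["src"]) for i in extract_active_content(baseline_html)}
    return [i for i in extract_active_content(current_html)
            if (i["tag"], i["src"]) not in baseline]


if __name__ == "__main__":
    for f in audit_page(INJECTED_PAGE, ALLOWED_ORIGINS):
        print(f"{f['tag']:7} {f['src'] or '(inline)'}: {', '.join(f['reasons'])}")
    print(f"{len(new_active_content(EXPECTED_PAGE, INJECTED_PAGE))} element(s) not in baseline")
```

Run periodically against the rendered pages of your own site (or wired into a deploy pipeline), the allowlist check catches injections that point at an attacker's host while the baseline diff catches anything new regardless of where it points. The two checks are complementary: an attacker who injects content from an origin you already trust defeats the allowlist but not the diff.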


If Apple was hacked through a developer forum, what are your employees visiting?

Our <a href="/penetration-testing/red-team">red team engagements</a> assess watering hole risk. <a href="/cyber-essentials">Cyber Essentials</a> mandates patching. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects post-compromise activity. Because the websites your employees trust are the websites attackers target.
