Apple becomes the latest hacking target, with Mac malware

The company disclosed to Reuters that the malware wormed its way onto users’ systems when workers visited a compromised website for iPhone app developers. The malicious code is the same bug used in the recent attack on Facebook, the company said. Also, an unnamed source at Apple told the newswire that the hit was part of the same campaign that affected Twitter on Feb. 1, possibly stealing information on about 250,000 users.

The common culprit across all three internet behemoths is a “watering hole” attack, according to a blog post by F-Secure, a technique that is in and of itself a concern, with ramifications far beyond Twitter, Facebook and now Apple. “Can't hack mobile devices? Okay then, go up stream and hack mobile application developers,” the company wrote. “At which point you can inject whatever you want into the developer's source code.”

That fact spells trouble for not just Macs, which are (falsely) reputed to be somewhat immune to malware, but the millions of mobile apps that Macs are used to create. “There are hundreds of thousands if not millions of mobile apps in the world,” F-Secure pointed out. “How many of the apps' developers do you think have visited a mobile developer website recently? With a Mac… and a very false sense of security?”

It added, “We'll all be very lucky if this watering hole was only really trying to target big players such as Twitter and Facebook…it really calls into question current bring your own device policies. BYOD = Bring your own destruction?”

In Apple’s case, the size and scope of the hack has not yet been determined, and Reuters reported that the King of Cupertino isn’t even sure if all of the infected machines have been identified. But, officially, Apple is downplaying the incident.

“Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers,” the company said in a statement. “The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers. We identified a small number of systems within Apple that were infected and isolated them from our network. There is no evidence that any data left Apple.”

As for who’s behind the incident, that’s unclear too. The company is working with law enforcement, trying to determine whether Chinese perpetrators had a hand in this, as they allegedly have in so many hacking forays worldwide, including the New York Times. But another deep source told Reuters that, so far, no proof has materialized.

"This is a new campaign. It's not like the other ones you read about where everyone can tell it's China," the unnamed source noted.

Regardless of who’s behind it, the Apple attack and all of the others in the last few weeks and months point to a certain amount of realism that needs to come into play when determining a cyber defense. “In today’s post-prevention world, it's crucial that companies accept that successful breaches on highly fortified networks are inevitable, and the scope of targeted enterprises and organizations will only widen day by day,” cautioned John Vecchi, vice president of marketing at Solera Networks, in an email to Infosecurity.

He added, “Once attackers are past our perimeter defenses – via an advanced targeted attack – they own our network. As such, there needs to be a shift toward ‘preparedness’ and a modern, multi-layered defense. It is likely that cyberattackers are already on our networks, so we must focus on attaining the context, content and visibility needed to see and eradicate them.”
