The administrators of a popular iOS developer Web forum called iPhoneDevSDK confirmed Wednesday that it had been compromised by hackers who used it to launch attacks against its users. Security experts believe the site served as a gateway for the recent attacks against Twitter, Facebook and Apple employees and that many other companies might be affected as well.
At the beginning of February, Twitter announced that it had been the target of an attack and that hackers might have accessed authentication data on 250,000 users.
"This attack was not the work of amateurs, and we do not believe it was an isolated incident," Twitter said at the time. "The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked."
Twitter did not reveal many details about the attack, but encouraged users to disable Java in their browsers, suggesting that the attack might have involved a Java vulnerability.
On Friday, Facebook revealed that its employees were also targeted in a sophisticated attack last month. "This attack occurred when a handful of employees visited a mobile developer website that was compromised," the company said in a blog post at the time. "The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops."
The company said that the exploit used a zero-day -- a previously unknown -- vulnerability in Java that was immediately reported to Oracle and patched in an emergency Java update on Feb. 1.
"Facebook was not alone in this attack," the company said at the time. "It is clear that others were attacked and infiltrated recently as well."
On Tuesday, Apple announced that a small number of the company's systems had been compromised and infected with malware. The attack involved an exploit for a vulnerability in the Java browser plug-in that was served from a website for software developers, the company said.
Later on Tuesday, citing an unnamed source close to Facebook's investigation into the attack, AllThingsD reported that the compromised website was likely iPhoneDevSDK.com, a community forum for iOS developers.
Ian Sefferman, one of the iPhoneDevSDK administrators confirmed Wednesday that the website had been compromised, but said that he learned about it from the press and not the affected companies.
"We were alerted through the press, via an AllThingsD article, which cited Facebook," he said in a message posted on the forum. "Prior to this article, we had no knowledge of this breach and hadn't been contacted by Facebook, any other company, or any law enforcement about the potential breach."
"Immediately, we were in contact with Facebook's security team, including Joe Sullivan, Facebook's Chief Security Officer, and his team, to learn what they knew," he said. "We also contacted Vanilla, our amazing forum hosts, to ensure the problem was not with their software."
The hackers managed to compromise an administrator account and used it to alter the site's files and insert malicious JavaScript into them, Sefferman said. "That JavaScript appears to have used a sophisticated, previously unknown exploit to hack into certain user's computers."
It is very likely that iPhoneDevSDK was the common gateway for the attacks against Twitter, Facebook and Apple, Sean Sullivan, a researcher at security firm F-Secure, said Wednesday via email.
Sullivan believes that while it's possible the attackers did their homework and researched in advance who visited the forum, it's also possible that they never expected to hack into Twitter, Facebook and Apple systems in particular. "In fact, that might have been their undoing -- they caught too many big fish with strong security teams," he said.
Twitter did not immediately respond to an inquiry sent Wednesday seeking confirmation that the attack against the company involved a previously unknown Java exploit hosted on iPhoneDevSDK.
The exact timeline of the attack against the Web forum is not clear, but it seems that the hackers removed the exploit on Jan. 30, Sefferman said.
Earlier this week, Sullivan said in a blog post that F-Secure obtained some samples of Mac malware uploaded to VirusTotal on Jan. 31, one day before Twitter's hack announcement, that might have been used in the attacks.
One of the samples was a backdoored SSH daemon binary that was very likely dropped by an exploit. The others were one-line Perl scripts that run at startup and open a reverse shell to a remote server, he said.
The URLs contacted by these scripts included a domain that misspelled "Apple Corp"; a domain that sounded like the name of a digital consulting company; and a domain that pretends to be a cloud storage service.
Given the audience of iPhoneDevSDK -- iOS developers -- the attack most likely targeted Mac OS users, Sullivan said Wednesday. However, some old samples of Windows malware that contact one of the same domains as the new Mac backdoors have also been identified. So the same attackers also targeted Windows users in the past, he said.
This type of attack that involves infecting a website frequently visited by a targeted group of people -- for instance, employees of companies in a certain industry, political and human rights activists supporting a certain cause -- is referred to in the security community as a "watering hole" attack, because the method resembles the hunting habits of predatory animals who wait near pools of water for prey to come and drink.
Sefferman described iPhoneDevSDK as "the most widely read dedicated iOS developer forum." The site does not publicly list the exact number of registered users, but it has sub-forums dedicated to certain topics that have tens or hundreds of thousands of replies.
Sullivan believes that, given the popularity of iPhoneDevSDK, many other companies were probably affected by this attack as well, but have yet to come forward or even discover the malware on their employees' systems.
Companies who develop iOS apps should probably ask their employees if they visited iPhoneDevSDK in recent months and should analyze their work computers for malware.
