Is Facebook's hacker alert system linked to Russian Flash Player threat?

As Adobe rolled out an update to fix a bug being exploited by elite Russian hackers, Facebook kicked off a system to notify its users when they've been targeted by state-backed hackers. Are the two linked?

Facebook's CSO Alex Stamos announced on Facebook this Saturday that the social network had launched a system to alert its users the next time a state-sponsored hacker is lurking on their PC.

"Starting today, we will notify you if we believe your account has been targeted or compromised by an attacker suspected of working on behalf of a nation-state," wrote Stamos.

Facebook won't divulge how it knows when a particular attack appears to be from a state-sponsored hacking group.

Stamos also doesn't explain why Facebook is launching this warning now, beyond the fact that state-backed attacks are more "advanced and dangerous" than the ones that want users' online banking or Gmail credentials.

“We decided to show this additional warning if we have a strong suspicion that an attack could be government-sponsored. We do this because these types of attacks tend to be more advanced and dangerous than others, and we strongly encourage affected people to take the actions necessary to secure all of their online accounts,” wrote Stamos.

While the Facebook effort is noteworthy on its own, previous comments by Stamos, together with Facebook's acknowledgement that its revenues depend on browsers enabling Flash, add an interesting twist to the social network's initiative: Stamos announced the new state-sponsored hacker alerts a day after Adobe patched a Flash Player bug that was used exclusively by an elite Russian hacking group to spy on foreign diplomats.

Flaws in software are commonplace but privately-held bugs, otherwise known as zero-day flaws, are highly valued, particularly when they concern widely-used software such as Oracle's Java, Adobe's Flash Player or Microsoft Office products.

Adobe patched one flaw in this class on Friday in an update for Flash Player that addressed the bug (CVE-2015-7645) which has, for several months, been used by ‘Pawn Storm’ -- a hacking group linked to the Kremlin which has used zero-days to hack PCs at NATO and US-allied targets. Security firm FireEye calls the group ‘APT28’ and has blamed it for a devastating attack on a French TV network earlier this year.

The group was using the bug to target several foreign affairs offices, security firm Trend Micro reported last week.

The Friday patch from Adobe is the first fix for Flash Player that addressed a zero-day bug in the wild since Italian surveillance software vendor Hacking Team was hacked and details about three zero-day flaws for Flash were leaked in July.

Following the leak, Hacking Team’s work on Flash was quickly integrated into software that enabled mass, automated hacking via popular news websites. At the time, Stamos called on Adobe to kill off Flash Player due to recurring security bugs.

While sunsetting Flash might improve end-user security, Facebook later revealed what it meant to the company, warning investors that a repeat of the July Flash flaw -- which caused Google and Mozilla to block Flash outright -- could harm Facebook's future revenues. That's because games developers still rely on the Flash runtime for in-browser gaming.

"In July 2015, certain vulnerabilities discovered in Flash led to temporary interruption of support for Flash by popular web browsers," the company wrote. "If similar interruptions occur in the future and disrupt our ability to provide social games to some or all of our users, our ability to generate Payments revenue would be harmed.”

Fortunately for Facebook, Adobe on this occasion patched the bug last Friday, beating its own forecast that the fix would ship the following week and, more importantly, pre-empting potential blocks on Flash in Chrome and Firefox.

Windows and Mac users who have updated to the Flash version released on Friday will no longer be vulnerable to the exploit, which could in coming days or weeks be integrated with exploit kits. The Flash Player plugins for Chrome, Edge and Internet Explorer 10 and 11 for Windows 8.1 were automatically updated.

Trend Micro noted on Friday that the latest Pawn Storm attack undermined several techniques developed by Adobe and Google’s Project Zero researchers to thwart the Flash exploitation methods used in two of the Hacking Team’s leaked Flash zero-days.


“Once these mitigations were put in place, the exploits in the wild decreased, but they did not completely disappear. This latest vulnerability is the first zero-day exploit discovered in the wild after these mitigations were added,” wrote Peter Pi, the Trend Micro threat analyst credited with reporting the new Flash bug to Adobe.

Pi noted that one of the mitigations was aimed at reducing attacks that exploit “Vector.<*>”, that is, Vector length corruptions. Corrupting a Vector's length field lets an attacker read and write outside the object's allocation, which can be used to remotely execute code in browser processes as well as to bypass anti-exploitation techniques such as data execution prevention (DEP), address space layout randomisation (ASLR) and Microsoft’s EMET technology.

Pi said the newest exploit demonstrated that Adobe needed to widen protection to other objects that have the “length” property besides Vector, such as the ByteArray length.
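To make the mitigation Pi describes concrete, here is an added illustration (not Adobe's or Trend Micro's code) of the defensive idea in C: a buffer keeps a second copy of its length keyed with a process secret, so a stray write that changes only the plain length field is detected before any bounds check trusts it. The `guarded_buf` type, the `kSecret` constant and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Toy buffer whose length field has a keyed shadow copy (illustrative, not Adobe's code). */
typedef struct {
    uint32_t length;        /* the plain field a heap overwrite would target */
    uint32_t length_check;  /* length ^ secret, written only by trusted code */
    uint8_t *data;
} guarded_buf;

/* Fixed so the example is deterministic; real code would draw it from a CSPRNG. */
static const uint32_t kSecret = 0x5EEDC0DEu;

guarded_buf *guarded_new(uint32_t len) {
    guarded_buf *b = calloc(1, sizeof *b);
    if (!b) return NULL;
    b->data = calloc(len ? len : 1, 1);
    if (!b->data) { free(b); return NULL; }
    b->length = len;
    b->length_check = len ^ kSecret;
    return b;
}

void guarded_free(guarded_buf *b) { if (b) { free(b->data); free(b); } }

/* 1 if the length field and its keyed shadow still agree. */
int guarded_length_ok(const guarded_buf *b) {
    return (b->length ^ kSecret) == b->length_check;
}

/* Bounds-checked read: 0 if the length was tampered with or idx is out of range. */
int guarded_get(const guarded_buf *b, uint32_t idx, uint8_t *out) {
    if (!guarded_length_ok(b)) return 0;  /* never trust a corrupted length */
    if (idx >= b->length) return 0;
    *out = b->data[idx];
    return 1;
}

/* Scenario: a stray write hits only the plain length field, as a length
 * corruption would; returns 1 if reads are then refused rather than served. */
int demo_detects_tampering(void) {
    guarded_buf *b = guarded_new(16);
    uint8_t v = 0xAA;
    if (!b) return 0;
    int ok = guarded_get(b, 15, &v) == 1 && guarded_get(b, 16, &v) == 0;
    b->length = 0xFFFFFFFFu;              /* shadow untouched, so check fails */
    ok = ok && !guarded_length_ok(b) && guarded_get(b, 1000, &v) == 0;
    guarded_free(b);
    return ok;
}
```

The same shadow-and-check pattern is what Pi argues should cover every object that exposes a `length` property, not only Vector.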

As for Pawn Storm/APT28, Trend Micro has previously linked the group to attacks on US and allied military, government and media organisations, as well as critics of the Kremlin and Ukrainian military and activists. In July, the firm discovered the group using the first Java zero-day exploit discovered in two years.


Security firm FireEye in June said cyber attacks that knocked French TV station TV5Monde off air for several hours earlier this year were very likely the work of Pawn Storm/APT28. Information about the attack was posted on a “Cyber Caliphate” branded site, leading to the belief that ISIS-affiliated hackers were responsible.

FireEye however found the site was hosted on a block of IP addresses used by APT28, Reuters reported at the time. It also said the malware used in the attack had been coded on a Cyrillic keyboard during times of day that lined up with working hours in Moscow and St Petersburg.
