Is Facebook's hacker alert system linked to Russian Flash Player threat?

As Adobe rolled out an update to fix a bug being exploited by elite Russian hackers, Facebook kicked off a system to notify its users when they've been targeted by state-backed hackers. Are the two linked?

Facebook's CSO Alex Stamos announced on Facebook this Saturday that the social network had launched a system to alert its users the next time a state-sponsored hacker is lurking on their PC.

"Starting today, we will notify you if we believe your account has been targeted or compromised by an attacker suspected of working on behalf of a nation-state," wrote Stamos.

Facebook won't divulge how it knows when a particular attack appears to be from a state-sponsored hacking group.

Stamos also doesn't explain why Facebook is launching this warning now, beyond the fact that state-backed attacks are more "advanced and dangerous" than the ones that want users' online banking or Gmail credentials.

“We decided to show this additional warning if we have a strong suspicion that an attack could be government-sponsored. We do this because these types of attacks tend to be more advanced and dangerous than others, and we strongly encourage affected people to take the actions necessary to secure all of their online accounts,” wrote Stamos..

While the Facebook effort is noteworthy on its own, previous comments by Stamos and Facebook's acknowledgement that its revenues depend on browsers enabling Flash, add an interesting twist to the social network's initiative; Stamos announced the new state-sponsored hacker alerts a day after Adobe patched a Flash Player bug that was used exclusively by an elite Russian hacking group to spy on foreign diplomats.

Flaws in software are commonplace but privately-held bugs, otherwise known as zero-day flaws, are highly valued, particularly when they concern widely-used software such as Oracle's Java, Adobe's Flash Player or Microsoft Office products.

Adobe patched one flaw in this class on Friday in an update for Flash Player that addressed the bug (CVE-2015-7645) which has, for several months, been used by ‘Pawn Storm’ -- a hacking group linked to the Kremlin and has used zero-days to hack PCs at NATO and US-allied targets. Security firm FireEye calls the group ‘APT28’ and has blamed it for a devastating attack on a French TV network earlier this year.

The group was using the bug to target several foreign affairs offices, security firm Trend Micro reported last week.

The Friday patch from Adobe is the first fix for Flash Player that addressed a zero-day bug in the wild since Italian surveillance software vendor Hacking Team was hacked and details about three zero-day flaws for Flash were leaked in July.

Following the leak, Hacking Team’s work on Flash was quickly integrated software that enabled mass, automated hacking via popular news websites. At the time, Stamos called on Adobe to kill off Flash Player due to recurring security bugs.

While sunsetting Flash might improve end-user security, Facebook later revealed what it meant to the company, warning investors that a repeat of the July Flash flaw -- which caused Google and Mozilla to block Flash outright -- could harm Facebook future revenues. That's because games developers still rely on the Flash runtime for in-browser gaming.

"In July 2015, certain vulnerabilities discovered in Flash led to temporary interruption of support for Flash by popular web browsers," the company wrote. "If similar interruptions occur in the future and disrupt our ability to provide social games to some or all of our users, our ability to generate Payments revenue would be harmed.”

Fortunately for Facebook, Adobe on this occasion patched the bug last Friday, beating the Flash maker's own expectations of delivering the fix the following week and more importantly, potential blocks on Flash in Chrome and Firefox.

Windows and Mac users who have updated to Flash version 19.0.0.226 released on Friday will no longer be vulnerable to the exploit, which could in coming days or weeks be integrated with exploit kits. The Flash Player plugins for Chrome, Edge and Internet Explorer 10 and 11 for Windows 8.1 were automatically updated.

Trend Micro noted on Friday that the latest Pawn Storm attack undermined several techniques developed by Adobe and Google’s Project Zero hackers to thwart Flash exploitation methods used in two of the Hacking Team’s leaked Flash zero-days.

Read more: Why digital workplaces are casting ‘shadows’ on IT

“Once these mitigations were put in place, the exploits in the wild decreased, but they did not completely disappear. This latest vulnerability is the first zero-day exploit discovered in the wild after these mitigations were added,” wrote Peter Pi, the Trend Micro threat analyst credited with reporting the new Flash bug Adobe.

Pi noted that one of the mitigations aimed at reducing attacks that exploit “Vector.<*>” — or Vector length corruptions — which can be used to remotely execute code in browser processes as well as for bypassing anti-exploitation techniques such as data exploitation prevention (DEP), address space layout randomisation (ASLR) and Microsoft’s EMET technology.

Pi said the newest exploit demonstrated that Adobe needed to widen protection to other objects that have the “length” property besides Vector, such as the ByteArray length.

As for Pawn Storm/APT28, Trend Micro has previously linked the group to attacks on US and allied military, government and media organisations as well as critics of the Kremlin critics and Ukrainian military and activists. In July, the firm discovered the group using the first Java zero-day exploit discovered in two years.

Read more: ​Microsoft opens limited bug bounty for CoreCLR and ASP.NET 5 betas

Security firm FireEye in June said cyber attacks that knocked French TV station TV5Monde off air for several hours earlier this year were very likely the work of Pawn Storm/APT28. Information about the attack was posted on a “Cyber Caliphate” branded site, leading to the belief that ISIS-affiliated hackers were responsible.

FireEye however found the site was hosted on a block of IP addresses used by APT28, Reuters reported at the time. It also said the malware used in the attack had been coded on a Cyrillic keyboard during times of day that lined up with working hours in Moscow and St Petersburg.



Want to know more?

Why not become a CSO member and subscribe to CSO's mailing list.

Get newsletters, updates, events and more right here.


Join the CSO newsletter!

Error: Please check your email address.

Tags CVE-2015-7645Peter PichromeAlex StamosCSO AustraliaFacebookRussian Flash Playerdata exploitation prevention (DEP)Firefoxtrend microAddress Space Layout Randomisation (ASLR)Pawn Storm attackadobe

More about CSOFacebookFireEyeGoogleMicrosoftMozillaNATOOracleTrend Micro

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

More videos

Blog Posts