
Many companies likely affected by iOS developer forum compromise

By Lucian Constantin
February 20, 2013 04:55 PM ET

The hackers managed to compromise an administrator account and used it to alter the site's files and insert malicious JavaScript into them, Sefferman said. "That JavaScript appears to have used a sophisticated, previously unknown exploit to hack into certain users' computers."

It is very likely that iPhoneDevSDK was the common gateway for the attacks against Twitter, Facebook and Apple, Sean Sullivan, a researcher at security firm F-Secure, said Wednesday via email.

Sullivan believes that while it's possible the attackers did their homework and researched in advance who visited the forum, it's also possible that they never expected to hack into Twitter, Facebook and Apple systems in particular. "In fact, that might have been their undoing -- they caught too many big fish with strong security teams," he said.

Twitter did not immediately respond to an inquiry sent Wednesday seeking confirmation that the attack against the company involved a previously unknown Java exploit hosted on iPhoneDevSDK.

The exact timeline of the attack against the Web forum is not clear, but it seems that the hackers removed the exploit on Jan. 30, Sefferman said.

Earlier this week, Sullivan said in a blog post that F-Secure obtained some samples of Mac malware uploaded to VirusTotal on Jan. 31, one day before Twitter's hack announcement, that might have been used in the attacks.

One of the samples was a backdoored SSH daemon binary that was very likely dropped by an exploit. The others were one-line Perl scripts that run at startup and open a reverse shell to a remote server, he said.

The URLs contacted by these scripts included a domain that misspelled "Apple Corp"; a domain that sounded like the name of a digital consulting company; and a domain that pretends to be a cloud storage service.
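A defender-side check that follows from the description above, written as an added example rather than code from the article or from F-Secure: it flags startup entries that run interpreter one-liners which open a network connection, and hostnames in those one-liners that imitate a brand name such as "Apple". The entries, labels and hostnames are constructed placeholders, not the incident's real indicators.

```python
import re
from difflib import SequenceMatcher

# Constructed sample startup entries (label + program arguments, as a macOS launch
# agent would carry them); hostnames and labels are placeholders, not real indicators.
SAMPLE_ENTRIES = [
    {"label": "com.apple.softwareupdate", "args": ["/usr/sbin/softwareupdate", "-l"]},
    {"label": "com.example.updater", "args": ["/usr/bin/perl", "-e",
        "use Socket;connect(S,sockaddr_in(443,inet_aton('aple-corp.example')));"]},
    {"label": "com.example.sync", "args": ["/usr/bin/perl", "/Users/dev/sync.pl"]},
]

INLINE_FLAGS = {"perl": "-e", "python": "-c", "ruby": "-e", "bash": "-c", "sh": "-c"}
NET_PATTERN = re.compile(r"\bsocket\b|\bconnect\b|IO::Socket|/dev/tcp")
HOST_PATTERN = re.compile(r"[a-z0-9][a-z0-9.-]*\.[a-z]{2,}")
BRANDS = ["apple", "applecorp"]  # names worth imitating; extend for your own organisation

def inline_code(args):
    """Return the inline program text if the entry runs an interpreter one-liner, else None."""
    flag = INLINE_FLAGS.get(args[0].rsplit("/", 1)[-1]) if args else None
    if flag is None or flag not in args[1:]:
        return None
    return " ".join(args[args.index(flag) + 1:])

def lookalike_brand(hostname, brands=BRANDS, threshold=0.8):
    """Return the brand a hostname's first label resembles but does not equal, else None."""
    label = hostname.split(".")[0].replace("-", "")
    for brand in brands:
        if label != brand and SequenceMatcher(None, label, brand).ratio() >= threshold:
            return brand
    return None

def triage(entries):
    """Map each flagged entry label to the reasons it looks like a startup backdoor."""
    findings = {}
    for entry in entries:
        code = inline_code(entry["args"])
        if code is None:
            continue  # script files on disk need a separate content scan
        reasons = []
        if NET_PATTERN.search(code):
            reasons.append("inline one-liner opens a network connection")
        for host in HOST_PATTERN.findall(code):
            brand = lookalike_brand(host)
            if brand:
                reasons.append(f"contacts {host}, which resembles '{brand}'")
        if reasons:
            findings[entry["label"]] = reasons
    return findings
```

On a real host the entries would be read from the LaunchAgents and LaunchDaemons plists rather than the constructed list, and a script file referenced by path would be scanned for the same patterns.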

Given the audience of iPhoneDevSDK -- iOS developers -- the attack most likely targeted Mac OS users, Sullivan said Wednesday. However, some old samples of Windows malware that contact one of the same domains as the new Mac backdoors have also been identified. So the same attackers also targeted Windows users in the past, he said.

This type of attack, in which attackers infect a website frequently visited by a targeted group of people -- for instance, employees of companies in a certain industry, or political and human rights activists supporting a certain cause -- is referred to in the security community as a "watering hole" attack, because the method resembles the hunting habits of predators that wait near pools of water for prey to come and drink.

Sefferman described iPhoneDevSDK as "the most widely read dedicated iOS developer forum." The site does not publicly list the exact number of registered users, but it has sub-forums dedicated to certain topics that have tens or hundreds of thousands of replies.

Sullivan believes that, given the popularity of iPhoneDevSDK, many other companies were probably affected by this attack as well, but have yet to come forward or even discover the malware on their employees' systems.

Companies that develop iOS apps should probably ask their employees whether they visited iPhoneDevSDK in recent months and should analyze their work computers for malware.

Reprinted with permission from IDG.net. Story copyright 2014 International Data Group. All rights reserved.