Facebook’s ‘Red Team X’ hunts bugs beyond social media walls
In 2019, pirates stuffed portable networking equipment into a backpack and hiked a Facebook corporate campus to trick people into joining a bogus guest Wi-Fi network. That same year, they installed over 30,000 cryptominers on real Facebook production servers in an attempt to hide even more sinister hacking in all the noise. All of this would have been incredibly alarming if the perpetrators hadn’t been Facebook employees themselves, members of the so-called Red Team tasked with spotting vulnerabilities before the bad guys.
The biggest tech companies have a red team, an inside group that roams and plans like real hackers to help prevent potential attacks. But when the world began to work remotely, increasingly relying on platforms like Facebook for all of its interactions, the the nature of the threats has started to change. The head of the Facebook red team, Nat Hirsch, and his colleague Vlad Ionescu saw an opportunity and a need for their mission to evolve and develop in nature. So they launched a new red team, which is focused on evaluating the hardware and software that Facebook relies on but doesn’t grow. They called it Red Team X.
A typical red team is focused on finding vulnerabilities in their own organization’s systems and products, while elite bug-hunting groups like Google’s Project Zero can focus on evaluating whatever is important to them, regardless of who is doing it. Red Team X, founded in Spring 2020 and led by Ionescu, represents a sort of hybrid approach, working independently of Facebook’s original Red Team to produce third-party products whose weaknesses could impact the company’s own security. social giant.
“Covid has been a real opportunity for us to take a step back and assess how we all work, how things are going and what could be next for the red team,” says Ionescu. As the pandemic progressed, the group received more and more requests to search for products that were outside its traditional scope. With Red Team X, Facebook has put in dedicated resources to handle these requests. “Now the engineers come to us and ask us to look at the things they use,” says Ionescu. “And it can be any kind of technology: hardware, software, low-level firmware, cloud services, consumer devices, network tools, even industrial control.
The group now has six hardware and software hackers with extensive expertise dedicated to this control. It would be easy for them to hack rabbit burrows for months at a time emphasizing every aspect of a given product. Red Team X has therefore designed an intake process that invites Facebook employees to formulate specific questions they ask themselves: “Is the data stored on this device strongly encrypted”, for example, or “this cloud container strictly manage access controls. ” Anything that could give clues as to which vulnerabilities would cause Facebook the biggest headaches.
“I’m a big nerd of this stuff and the people I work with have the same tendencies,” says Ionescu, “so if we don’t have specific questions we’re going to spend six months digging around and whatnot. is not really useful. . “
On January 13, Red Team X publicly disclosed a first-time vulnerability, an issue with Cisco AnyConnect VPN that has since been corrected. Two more are coming out today. The first is an Amazon Web Services cloud bug that involved the PowerShell module of an AWS service. PowerShell is a Windows management tool that can run commands; the team found that the module would accept PowerShell scripts from users who should not be able to make such entries. The vulnerability would have been difficult to exploit, as an unauthorized script would only actually run after restarting the system, which users likely would not have the power to trigger. But the researchers pointed out that it might be possible for any user to request a restart by filing a support ticket. AWS fixed the flaw.
The other new disclosure consists of two vulnerabilities in a power system controller from industrial control manufacturer Eltek called the Smartpack R. Controller. The device monitors different energy flows and essentially acts like the brain behind an operation. If it is connected, for example, to the mains voltage of the grid, to a generator and to back-up batteries, it can detect a voltage drop or a power failure and switch the system power supply to the batteries. Or on a day when the network is functioning normally, he may notice that the batteries are low and start charging them.