For the past year, the internal hacking team has been scouring the products the company uses for weaknesses, in an effort to make the internet a safer place overall.
In 2019, hackers hid portable network equipment in a backpack and prowled around the Facebook corporate campus in order to fool visitors into connecting to a fake guest Wi-Fi network. That same year, they planted more than 30,000 cryptominers on actual Facebook production servers to conceal even more nefarious hacking. All of this would have been quite concerning had the offenders not been Facebook employees on the so-called red team, tasked with finding weaknesses before the bad guys do.
Red teams are internal groups that strategize and plan the way genuine hackers would, to help thwart prospective attacks. They are commonplace in large IT organizations. Yet as more people began working from home and relying on social media platforms like Facebook for all of their interactions, the threats began to evolve. Nat Hirsch, the manager of the Facebook red team, and his teammate Vlad Ionescu recognized a need for their mission to expand and diversify. So they established a new red team to evaluate the hardware and software that Facebook uses but does not produce itself. It became known as Red Team X.
A typical red team focuses on probing its own organization’s systems and products for vulnerabilities, while expert bug-hunting teams like Google’s Project Zero can concentrate on evaluating whatever they consider significant, regardless of who creates it. Ionescu’s Red Team X is a hybrid of the two: established in the spring of 2020, it operates separately from Facebook’s original red team and investigates third-party products for flaws that could jeopardize the security of the social media giant itself.
Ionescu explains that COVID gave the red team an opportunity to sit back and assess how everyone was working, how things were going, and what might come next. As the pandemic progressed, the group received more and more requests to investigate products that fell outside its normal purview. With Red Team X, Facebook has committed dedicated resources to pursuing those inquiries. “Today engineers come to us and ask us to look at things they’re using,” Ionescu says. “And it can be any form of technology, including hardware, software, firmware running at the lowest level, cloud services, consumer electronics, network tools, and even industrial controls.”
Six skilled hardware and software hackers currently work with the group on that screening. Given the rabbit holes hacking tends to lead into, they could easily spend months poking into every nook and cranny of a given product. Red Team X therefore created an intake process that asks Facebook staff members specific questions, such as “Is the data stored on this device strongly encrypted?” or “Does this cloud container enforce strict access rules?” The aim is to surface anything that may point to the specific vulnerabilities that would give Facebook the most trouble.
Ionescu explains, “I’m a great nerd about this topic, and the individuals I work with have the same tendencies, so if we don’t have precise questions we’re going to spend six months digging around and that’s not really that productive.”
Red Team X first went public on January 13 with a vulnerability in Cisco’s AnyConnect VPN, a problem that has since been fixed. Today it is disclosing two more. The first is a cloud issue in Amazon Web Services that affected a PowerShell module of an AWS service. The team discovered that the module would accept PowerShell scripts from users who should not have been able to provide such input. PowerShell is a Windows administration tool that can execute commands. The vulnerability would have been difficult to exploit, because an unauthorized script could only run after the system rebooted, something most users would not be able to trigger. Nonetheless, the researchers noted that any user could request a reboot simply by opening a support ticket. AWS has fixed the issue.
The other new disclosure consists of two vulnerabilities in the Smartpack R Controller, a power system controller made by the industrial control manufacturer Eltek. The device serves as the operational brain of a power system by keeping track of its various power flows. If it is connected to, say, line electricity from the grid, a generator, and battery backups, it might detect a brownout or blackout and switch the system over to battery power. On a typical day it might also notice that the batteries are low and start charging them.
The device, which Ionescu describes as a “fancy Internet of Things power strip,” communicates over an organization’s internal network and can be accessed from a browser on the intranet, even though it is not directly connected to the internet. Both flaws that Red Team X discovered involve basic gaps in web security that an attacker on the same network as the device could exploit to execute malicious JavaScript payloads and potentially take control of or damage the controllers.
Eltek has fixed both problems, but the discovery highlights the breadth of Red Team X’s work. A networked power system controller may look like a specialized piece of industrial equipment unrelated to a web company like Facebook, yet such devices are becoming more and more widespread in offices and even homes around the globe.
The emergence of Red Team X seems particularly well timed given the discovery in December that likely Russian state-backed actors broke into the IT management firm SolarWinds and then used that foothold to attack hundreds of other targets, both domestically and internationally, through tainted updates to the company’s Orion network monitoring software. Such “supply-chain attacks,” which prey on the interconnected ecosystem of the computer industry, are difficult to defend against adequately and represent one of the most intractable problems facing the security sector.
“The Red Team X mission directly refers to trying to secure Facebook’s supply chain,” Ionescu says. “Our focus is to examine the security of pretty much anything that could have an impact on Facebook as a business.”
Red Team X stands out not only for the range of potential vulnerabilities it examines, but also for the fact that it exists at all. Cedric Owens, a veteran corporate red team leader who spoke on Wednesday at the security conference GrimmCon about the fundamentals of forming a corporate red team, stressed that it can be challenging for security teams to obtain the necessary headcount.
According to Owens, “the majority of internal red teams lack the time, money, or skill sets to routinely look for zero day vulnerabilities.” That means a sister team like Red Team X could be useful when the regular red team wants to emulate a more capable adversary with zero-day exploitation capabilities. But typically only the top 1 percent of organizations would have that.
Even if the Red Team X model will not be widely adopted anytime soon, it is crucial that the corporate one percent support such efforts. With 2.8 billion users depending on it to protect their data and communications, Facebook must do everything it can to ensure that both its own products and those of its vendors are as secure as possible. Everybody loses when Facebook has a security problem. By helping to resolve problems across the tech spectrum, Red Team X could potentially make many other services and platforms safer as well.