Facebook’s “Red Team X” hunts bugs beyond the walls of the social network

In 2019, hackers stuffed portable networking equipment into a backpack and roamed a Facebook corporate campus to trick people into joining a fake guest Wi-Fi network. In the same year, they installed over 30,000 cryptominers on real Facebook production servers, in an attempt to hide even more sinister hacking in all the noise. All this would have been incredibly alarming if the perpetrators had not been Facebook employees themselves, members of the so-called red team charged with detecting vulnerabilities before the bad guys do.

Most large technology companies have a red team, an internal group that plots and plans, like real hackers, to help ward off potential attacks. But as people began to work remotely, relying more and more on platforms like Facebook for all their interactions, the nature of the threats began to change. Facebook red team manager Nat Hirsch and colleague Vlad Ionescu saw an opportunity and a need for their mission to evolve and expand. So they launched a new red team, one that focuses on evaluating the hardware and software that Facebook relies on but does not develop itself. They called it Red Team X.

A typical red team focuses on testing its own organization’s systems and products for vulnerabilities, while elite bug hunters, such as Google’s Project Zero, can focus on evaluating anything they think is important, no matter who makes it. Red Team X, founded in the spring of 2020 and led by Ionescu, is a kind of hybrid approach, working independently of Facebook’s original red team to probe third-party products whose weaknesses could affect the social giant’s own security.

“Covid for us was really an opportunity to take a step back and evaluate how we all work, how things are going and what could be next for the red team,” says Ionescu. As the pandemic continued, the group received more and more requests to analyze products that were outside its traditional sphere. With Red Team X, Facebook has dedicated resources to handling these requests. “Now the engineers come to us and ask us to analyze the things they use,” says Ionescu. “And it can be any type of technology – hardware, software, low-level firmware, cloud services, consumer devices, network tools, even industrial control.”

The group now has six hardware and software hackers with extensive expertise dedicated to this vetting. It would be easy for them to go down rabbit holes for months, probing every aspect of a particular product. So Red Team X has designed an intake process that prompts Facebook employees to articulate the specific questions they have: “Is the data stored on this device strongly encrypted?” say, or “Is this cloud container strictly managing access controls?” Anything to provide direction on the vulnerabilities that would cause Facebook the biggest headaches.

“I’m a huge nerd about these things and the people I work with have the same tendencies,” says Ionescu, “so if we don’t have specific questions, we’ll spend six months buzzing and it’s not really that useful.”

On January 13, Red Team X publicly disclosed a vulnerability for the first time, a problem with Cisco’s AnyConnect VPN that has since been fixed. It is releasing two more today. The first is an Amazon Web Services cloud bug that involved the PowerShell module of an AWS service. PowerShell is a Windows management tool that can run commands; the team found that the module would accept PowerShell scripts from users who should not have been able to supply such input. The vulnerability would have been difficult to exploit, as an unauthorized script would actually run only after the system restarted, something that users probably would not have the power to trigger. But the researchers pointed out that it could be possible for any user to request a restart by submitting a support ticket. AWS fixed the defect.

The other new disclosure consists of two vulnerabilities in a power system controller from the industrial control manufacturer Eltek called the Smartpack R Controller. The device monitors different power flows and essentially acts as the brain behind an operation. If it is connected to, say, mains voltage, a generator, and battery backups, it may detect an outage and switch the system power to batteries. Or on a day when the grid is operating normally, it may notice that the batteries are discharged and start charging them.
