Facebook’s ‘Red Team X’ chases bugs beyond the walls of the social network

In 2019, hackers stuffed portable network equipment into a backpack and roamed a Facebook corporate campus to trick people into joining a fake guest Wi-Fi network. That same year, they installed more than 30,000 crypto miners on real Facebook production servers in an effort to hide even more sinister hacking in all the noise. All of this would have been incredibly alarming if the perpetrators themselves hadn’t been Facebook employees, members of the so-called red team tasked with detecting vulnerabilities before the bad guys do.

Most big tech companies have a red team, an internal group that plans attacks the way real hackers would in order to prevent them. But as the world began to operate remotely, and became increasingly dependent on platforms like Facebook for all its interactions, the nature of the threats began to change. Facebook red team manager Nat Hirsch and colleague Vlad Ionescu saw an opportunity, and a need, for their mission to evolve and expand in kind. So they launched a new red team, one focused on evaluating hardware and software that Facebook relies on but doesn’t develop itself. They called it Red Team X.

A typical red team focuses on examining its own organization’s systems and products for vulnerabilities, while elite bug-hunting groups like Google’s Project Zero can focus on evaluating whatever they think is important, no matter who makes it. Founded in the spring of 2020 and led by Ionescu, Red Team X represents a kind of hybrid approach: it works independently of Facebook’s original red team to probe third-party products whose weaknesses could affect the social giant’s own security.

“Covid was really an opportunity for us to step back and evaluate how we all work, how business is going and what the future could be for the red team,” said Ionescu. As the pandemic progressed, the group increasingly received requests to investigate products that were outside its traditional scope. With Red Team X, Facebook has dedicated resources to answering those questions. “Now engineers come to us and ask that we look at the things they use,” says Ionescu. “And it can be any kind of technology: hardware, software, low-level firmware, cloud services, consumer devices, network tools, even industrial control.”

The group now has six hardware and software hackers with broad expertise dedicated to that investigation. It would be easy for them to go down rabbit holes for months, poking at every aspect of a particular product. That’s why Red Team X designed an intake process that prompts Facebook employees to ask the specific questions they have: “Is the data stored on this device strongly encrypted?” say, or “Does this cloud container strictly enforce access controls?” All of this gives direction about which vulnerabilities would cause Facebook the biggest headaches.

“I’m a huge geek about things like this and people I work with have the same tendencies,” said Ionescu, “so if we don’t have any specific questions, we’re going to poke around for six months and that’s actually not that helpful.”

On January 13, Red Team X disclosed its first vulnerability, an issue with Cisco’s AnyConnect VPN that has since been patched. Two more are coming out today. The first is an Amazon Web Services cloud bug involving the PowerShell module of an AWS service. PowerShell is a Windows management program that can run commands; the team found that the module would accept PowerShell scripts from users who should not have been allowed to supply such input. The vulnerability would have been difficult to exploit, because an unauthorized script would not actually run until the system rebooted, something those users probably wouldn’t be able to trigger themselves. But the researchers pointed out that any user could request a reboot by submitting a support ticket. AWS has fixed the bug.

The other new disclosure consists of two vulnerabilities in a power system controller from industrial control manufacturer Eltek, called the Smartpack R Controller. The device monitors various power currents and essentially acts as the brain behind a power setup. When connected to, for example, mains power, a generator and battery backups, it can detect a power outage and switch the system’s power to the batteries. Or, on a day when the power grid is functioning normally, it may notice that the batteries are low and start charging them.
