Facebook’s Red Team X Finds Bugs in Third Party Products

Facebook’s Red Team is tasked with spotting vulnerabilities on the platform before hackers do. Many tech companies have similar red teams but, at Facebook, Red Team manage Nat Hirsch and his colleague Vlad Ionescu saw an opportunity to do more after COVID-19 hit. Established last spring and headed by Ionescu, Facebook’s Red Team X both works independently with its internal, original Red Team and looks into weaknesses of third-party products that represent a potential threat to its own platform.

Wired reports that, “as the pandemic wore on, the group increasingly got requests to look into products that were outside of its traditional scope.” “Now engineers come to us and request that we look at things they’re using,” said Ionescu. “Our scope is to look at the security of pretty much anything that would be consequential to Facebook as a company.”

Red Team X, comprised of six hardware and software hackers, “designed an intake process that prompts Facebook employees to articulate specific questions they have.” Ionescu noted that, “if we don’t have specific questions we’re going to spend six months poking around and that’s not actually that useful.”

The team first disclosed a vulnerability — with Cisco’s AnyConnect VPN — on January 13; it has since been patched. Two new vulnerabilities just released include “an Amazon Web Services cloud bug that involved the PowerShell module [a Windows management tool that runs commands] of an AWS service.” AWS fixed the flaw which would have been difficult — but not impossible — to exploit.

The second recent bug the team revealed comes from industrial control manufacturer Eltek’s Smartpack R Controller, which “monitors different power flows and essentially acts as the brains behind an operation.” Both bugs “relate to simple missing web protections that could allow a hacker on the same network as a device to run malicious Javascript payloads and potentially manipulate or sabotage the controllers.” Eltek also patched the flaws.

Wired notes that, “the finding underscores the diversity of Red Team X’s projects … [since] a networked power system controller might seem like specialized industrial infrastructure that wouldn’t be directly relevant to a web company like Facebook, but such devices are increasingly common in offices and even residential buildings around the world.”

It also notes that, “the emergence of Red Team X seems especially well-timed given revelations in December that suspected Russian state-backed actors penetrated the IT management company SolarWinds.”

“The Red Team X mission speaks directly to trying to secure the supply chain for Facebook,” said Ionescu. “Our scope is to look at the security of pretty much anything that would be consequential to Facebook as a company.” Corporate Red Team leader Cedric Owens, who spoke at security conference GrimmCon, pointed out that, “most internal red teams do not have the time, resources, or skill sets to regularly hunt for zero day vulnerabilities.”

“So having a sister team like Red Team X would be a nice benefit when the normal red team wants to emulate a higher level adversary with zero day vulnerability exploitation capabilities,” he said.