Attacks/Breaches
10/25/2011
09:21 AM
Connect Directly
RSS
E-Mail
50%
50%

Nasdaq Server Breach: 3 Expected Findings

While federal investigators remain quiet about the ongoing investigation, experts say that the Directors Desk data breach is even worse than thought.

Remember the Nasdaq breach? It's worse than previously thought.

Last week, two experts with knowledge of Nasdaq OMX Group's internal investigation said that while attackers hadn't directly attacked trading servers, they had installed malware on sensitive systems, which enabled them to spy on dozens of company directors. "God knows exactly what they have done. The long-term impact of such [an] attack is still unknown," cyber security expert Tom Kellermann, CTO of AirPatrol, told Reuters, which reported the experts' findings.

In February 2011, Nasdaq OMX Group had confirmed that its servers had been breached, and suspicious files found on servers associated with Directors Desk, which is a Web-based collaboration and communications tool for senior executives and board members to share confidential information. The product has about 10,000 users, according to the company's website.

[From Wall Street to military contractors, hackers have been busy this year. Read Anonymous Threatens New York Stock Exchange Attack.]

At the time, Nasdaq said that it had discovered the attack in October 2010, immediately removed the suspicious files, and launched an investigation, saying "at this point there is no evidence that any Directors Desk customer information was accessed or acquired by hackers." But it wasn't clear how long the malicious files may have resided on Nasdaq's systems. Indeed, based on past breaches, many businesses fail to spot when they've been hacked, at least right away.

Interestingly, Nasdaq didn't immediately inform customers about the breach, after the FBI--which is investigating the matter, together with the National Security Agency--asked it to delay doing so, so as to not impede its investigation. Furthermore, because of that investigation, Nasdaq hasn't publicly released many details about the attack. But based on recent news reports, as well as likely attack scenarios, we'll likely see these three findings:

1. Web application flaws were exploited. The most popular technique for compromising a Web-based application is to exploit well-known weaknesses in the Web application itself. "Gaining remote access to confidential data held within the Directors Desk application could have been through SQL injection, broken authentication and session management, and URL restriction failures," said Gunter Ollman, VP of research at network security vendor Damballa, via email. "In my years of running penetration tests against Fortune 500 companies, these were the most common vulnerabilities that could be exploited to reveal this level of confidential data."

2. "Virtual insider" trading occurred. If you were a hacker with access to the sensitive communications of senior executives at some of the world's biggest companies, seeing earnings results before they were publicly announced, what would you do? No doubt, seek to profit from the information. Expect to see "virtual insider" trading having occurred.

3. Directors Desk served as attack platform. With access to Directors Desk, attackers may not just have listened in, but also attempted to actively impersonate executives, if not for market-moving purposes then at least to launch spear-phishing attacks. "With the ability to impersonate other directors--e.g. uploading communications pretending to be from another director--the attacker could modify content to include malware designed to infect individual company directors," said Ollman. If successful, this would have extended attackers' reach well beyond Directors Desk, "thereby allowing the attackers direct access to the systems that the company directors use on a daily basis within their own companies," he said. In fact, some of those infections might still be active.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0972
Published: 2014-08-01
The kgsl graphics driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly prevent write access to IOMMU context registers, which allows local users to select a custom page table, and consequently write ...

CVE-2014-2627
Published: 2014-08-01
Unspecified vulnerability in HP NonStop NetBatch G06.14 through G06.32.01, H06 through H06.28, and J06 through J06.17.01 allows remote authenticated users to gain privileges for NetBatch job execution via unknown vectors.

CVE-2014-3009
Published: 2014-08-01
The GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.0 through 11.0 and InfoSphere Master Data Management Server for Product Information Management 9.0 and 9.1 does not properly handle FRAME elements, which makes it easier for remote authenticated users to conduct ph...

CVE-2014-3302
Published: 2014-08-01
user.php in Cisco WebEx Meetings Server 1.5(.1.131) and earlier does not properly implement the token timer for authenticated encryption, which allows remote attackers to obtain sensitive information via a crafted URL, aka Bug ID CSCuj81708.

CVE-2014-3534
Published: 2014-08-01
arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently gain privileges, via a c...

Best of the Web
Dark Reading Radio