09:21 AM

Nasdaq Server Breach: 3 Expected Findings

While federal investigators remain quiet about the ongoing investigation, experts say that the Directors Desk data breach is even worse than thought.

Remember the Nasdaq breach? It's worse than previously thought.

Last week, two experts with knowledge of Nasdaq OMX Group's internal investigation said that while attackers hadn't directly attacked trading servers, they had installed malware on sensitive systems, which enabled them to spy on dozens of company directors. "God knows exactly what they have done. The long-term impact of such [an] attack is still unknown," cyber security expert Tom Kellermann, CTO of AirPatrol, told Reuters, which reported the experts' findings.

In February 2011, Nasdaq OMX Group had confirmed that its servers had been breached, and suspicious files found on servers associated with Directors Desk, which is a Web-based collaboration and communications tool for senior executives and board members to share confidential information. The product has about 10,000 users, according to the company's website.

[From Wall Street to military contractors, hackers have been busy this year. Read Anonymous Threatens New York Stock Exchange Attack.]

At the time, Nasdaq said that it had discovered the attack in October 2010, immediately removed the suspicious files, and launched an investigation, saying "at this point there is no evidence that any Directors Desk customer information was accessed or acquired by hackers." But it wasn't clear how long the malicious files may have resided on Nasdaq's systems. Indeed, based on past breaches, many businesses fail to spot when they've been hacked, at least right away.

Interestingly, Nasdaq didn't immediately inform customers about the breach, after the FBI--which is investigating the matter, together with the National Security Agency--asked it to delay doing so, so as to not impede its investigation. Furthermore, because of that investigation, Nasdaq hasn't publicly released many details about the attack. But based on recent news reports, as well as likely attack scenarios, we'll likely see these three findings:

1. Web application flaws were exploited. The most popular technique for compromising a Web-based application is to exploit well-known weaknesses in the Web application itself. "Gaining remote access to confidential data held within the Directors Desk application could have been through SQL injection, broken authentication and session management, and URL restriction failures," said Gunter Ollman, VP of research at network security vendor Damballa, via email. "In my years of running penetration tests against Fortune 500 companies, these were the most common vulnerabilities that could be exploited to reveal this level of confidential data."

2. "Virtual insider" trading occurred. If you were a hacker with access to the sensitive communications of senior executives at some of the world's biggest companies, seeing earnings results before they were publicly announced, what would you do? No doubt, seek to profit from the information. Expect to see "virtual insider" trading having occurred.

3. Directors Desk served as attack platform. With access to Directors Desk, attackers may not just have listened in, but also attempted to actively impersonate executives, if not for market-moving purposes then at least to launch spear-phishing attacks. "With the ability to impersonate other directors--e.g. uploading communications pretending to be from another director--the attacker could modify content to include malware designed to infect individual company directors," said Ollman. If successful, this would have extended attackers' reach well beyond Directors Desk, "thereby allowing the attackers direct access to the systems that the company directors use on a daily basis within their own companies," he said. In fact, some of those infections might still be active.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
E-Commerce Security: What Every Enterprise Needs to Know
The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio