Attacks/Breaches
10/25/2011
09:21 AM
50%
50%

Nasdaq Server Breach: 3 Expected Findings

While federal investigators remain quiet about the ongoing investigation, experts say that the Directors Desk data breach is even worse than thought.

Remember the Nasdaq breach? It's worse than previously thought.

Last week, two experts with knowledge of Nasdaq OMX Group's internal investigation said that while attackers hadn't directly attacked trading servers, they had installed malware on sensitive systems, which enabled them to spy on dozens of company directors. "God knows exactly what they have done. The long-term impact of such [an] attack is still unknown," cyber security expert Tom Kellermann, CTO of AirPatrol, told Reuters, which reported the experts' findings.

In February 2011, Nasdaq OMX Group had confirmed that its servers had been breached, and suspicious files found on servers associated with Directors Desk, which is a Web-based collaboration and communications tool for senior executives and board members to share confidential information. The product has about 10,000 users, according to the company's website.

[From Wall Street to military contractors, hackers have been busy this year. Read Anonymous Threatens New York Stock Exchange Attack.]

At the time, Nasdaq said that it had discovered the attack in October 2010, immediately removed the suspicious files, and launched an investigation, saying "at this point there is no evidence that any Directors Desk customer information was accessed or acquired by hackers." But it wasn't clear how long the malicious files may have resided on Nasdaq's systems. Indeed, based on past breaches, many businesses fail to spot when they've been hacked, at least right away.

Interestingly, Nasdaq didn't immediately inform customers about the breach, after the FBI--which is investigating the matter, together with the National Security Agency--asked it to delay doing so, so as to not impede its investigation. Furthermore, because of that investigation, Nasdaq hasn't publicly released many details about the attack. But based on recent news reports, as well as likely attack scenarios, we'll likely see these three findings:

1. Web application flaws were exploited. The most popular technique for compromising a Web-based application is to exploit well-known weaknesses in the Web application itself. "Gaining remote access to confidential data held within the Directors Desk application could have been through SQL injection, broken authentication and session management, and URL restriction failures," said Gunter Ollman, VP of research at network security vendor Damballa, via email. "In my years of running penetration tests against Fortune 500 companies, these were the most common vulnerabilities that could be exploited to reveal this level of confidential data."

2. "Virtual insider" trading occurred. If you were a hacker with access to the sensitive communications of senior executives at some of the world's biggest companies, seeing earnings results before they were publicly announced, what would you do? No doubt, seek to profit from the information. Expect to see "virtual insider" trading having occurred.

3. Directors Desk served as attack platform. With access to Directors Desk, attackers may not just have listened in, but also attempted to actively impersonate executives, if not for market-moving purposes then at least to launch spear-phishing attacks. "With the ability to impersonate other directors--e.g. uploading communications pretending to be from another director--the attacker could modify content to include malware designed to infect individual company directors," said Ollman. If successful, this would have extended attackers' reach well beyond Directors Desk, "thereby allowing the attackers direct access to the systems that the company directors use on a daily basis within their own companies," he said. In fact, some of those infections might still be active.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: nice one
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-1235
Published: 2015-04-19
The ContainerNode::parserRemoveChild function in core/dom/ContainerNode.cpp in the HTML parser in Blink, as used in Google Chrome before 42.0.2311.90, allows remote attackers to bypass the Same Origin Policy via a crafted HTML document with an IFRAME element.

CVE-2015-1236
Published: 2015-04-19
The MediaElementAudioSourceNode::process function in modules/webaudio/MediaElementAudioSourceNode.cpp in the Web Audio API implementation in Blink, as used in Google Chrome before 42.0.2311.90, allows remote attackers to bypass the Same Origin Policy and obtain sensitive audio sample values via a cr...

CVE-2015-1237
Published: 2015-04-19
Use-after-free vulnerability in the RenderFrameImpl::OnMessageReceived function in content/renderer/render_frame_impl.cc in Google Chrome before 42.0.2311.90 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger renderer IPC messages ...

CVE-2015-1238
Published: 2015-04-19
Skia, as used in Google Chrome before 42.0.2311.90, allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via unknown vectors.

CVE-2015-1240
Published: 2015-04-19
gpu/blink/webgraphicscontext3d_impl.cc in the WebGL implementation in Google Chrome before 42.0.2311.90 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WebGL program that triggers a state inconsistency.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.