Attacks/Breaches
10/25/2011
09:21 AM
Connect Directly
RSS
E-Mail
50%
50%

Nasdaq Server Breach: 3 Expected Findings

While federal investigators remain quiet about the ongoing investigation, experts say that the Directors Desk data breach is even worse than thought.

Remember the Nasdaq breach? It's worse than previously thought.

Last week, two experts with knowledge of Nasdaq OMX Group's internal investigation said that while attackers hadn't directly attacked trading servers, they had installed malware on sensitive systems, which enabled them to spy on dozens of company directors. "God knows exactly what they have done. The long-term impact of such [an] attack is still unknown," cyber security expert Tom Kellermann, CTO of AirPatrol, told Reuters, which reported the experts' findings.

In February 2011, Nasdaq OMX Group had confirmed that its servers had been breached, and suspicious files found on servers associated with Directors Desk, which is a Web-based collaboration and communications tool for senior executives and board members to share confidential information. The product has about 10,000 users, according to the company's website.

[From Wall Street to military contractors, hackers have been busy this year. Read Anonymous Threatens New York Stock Exchange Attack.]

At the time, Nasdaq said that it had discovered the attack in October 2010, immediately removed the suspicious files, and launched an investigation, saying "at this point there is no evidence that any Directors Desk customer information was accessed or acquired by hackers." But it wasn't clear how long the malicious files may have resided on Nasdaq's systems. Indeed, based on past breaches, many businesses fail to spot when they've been hacked, at least right away.

Interestingly, Nasdaq didn't immediately inform customers about the breach, after the FBI--which is investigating the matter, together with the National Security Agency--asked it to delay doing so, so as to not impede its investigation. Furthermore, because of that investigation, Nasdaq hasn't publicly released many details about the attack. But based on recent news reports, as well as likely attack scenarios, we'll likely see these three findings:

1. Web application flaws were exploited. The most popular technique for compromising a Web-based application is to exploit well-known weaknesses in the Web application itself. "Gaining remote access to confidential data held within the Directors Desk application could have been through SQL injection, broken authentication and session management, and URL restriction failures," said Gunter Ollman, VP of research at network security vendor Damballa, via email. "In my years of running penetration tests against Fortune 500 companies, these were the most common vulnerabilities that could be exploited to reveal this level of confidential data."

2. "Virtual insider" trading occurred. If you were a hacker with access to the sensitive communications of senior executives at some of the world's biggest companies, seeing earnings results before they were publicly announced, what would you do? No doubt, seek to profit from the information. Expect to see "virtual insider" trading having occurred.

3. Directors Desk served as attack platform. With access to Directors Desk, attackers may not just have listened in, but also attempted to actively impersonate executives, if not for market-moving purposes then at least to launch spear-phishing attacks. "With the ability to impersonate other directors--e.g. uploading communications pretending to be from another director--the attacker could modify content to include malware designed to infect individual company directors," said Ollman. If successful, this would have extended attackers' reach well beyond Directors Desk, "thereby allowing the attackers direct access to the systems that the company directors use on a daily basis within their own companies," he said. In fact, some of those infections might still be active.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4725
Published: 2014-07-27
The MailPoet Newsletters (wysija-newsletters) plugin before 2.6.7 for WordPress allows remote attackers to bypass authentication and execute arbitrary PHP code by uploading a crafted theme using wp-admin/admin-post.php and accessing the theme in wp-content/uploads/wysija/themes/mailp/.

CVE-2014-4726
Published: 2014-07-27
Unspecified vulnerability in the MailPoet Newsletters (wysija-newsletters) plugin before 2.6.8 for WordPress has unspecified impact and attack vectors.

CVE-2014-2363
Published: 2014-07-26
Morpho Itemiser 3 8.17 has hardcoded administrative credentials, which makes it easier for remote attackers to obtain access via a login request.

CVE-2014-2625
Published: 2014-07-26
Directory traversal vulnerability in the storedNtxFile function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to read arbitrary files via crafted input, aka ZDI-CAN-2023.

CVE-2014-2626
Published: 2014-07-26
Directory traversal vulnerability in the toServerObject function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to create files, and consequently execute arbitrary code, via crafted input, aka ZDI-CAN-2024.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.