Nasdaq Attackers Eavesdropped on Board Directors With Web Monitoring Tool
The hackers who breached the Nasdaq stock exchange network last year had installed remote-monitoring
software that allowed them to spy on corporate directors, according to Reuters.
The unknown attackers were able to install the monitoring tool and steal confidential documents and
communications of board directors on the compromised platform, Reuters reported
Oct. 20.
Investigators have evidence that the attackers installed monitoring software and spied on
“scores” of directors who had logged on to directorsdesk.com, but did
not know how long the software was running on the network before it was detected
and removed last October.
Nasdaq’s Director’s Desk, a Web-based application used by the boards of various
companies that trade on the exchange to share financial information, was
compromised in last fall, Nasdaq OMX, the shell company that owns the stock
market, disclosed Feb 5. Nasdaq OMX said at the time that there was no evidence
that customer information had been accessed and that the trading infrastructure
and other systems remained unaffected.
“It appears that vulnerabilities within the application were probably successfully exploited by
remote attackers that allowed them to peruse information exchanges between
various company directors,” Gunter Ollmann, vice president of research at
Damballa, told eWEEK. There are several types of common attacks that exploit application vulnerabilities to give
the intruders access to the database and files on the server, Ollmann said.
The fact that the attackers had some sort of write capability on the affected system that allowed them to
install software indicates this was a fairly sophisticated attack, Chris Wysopal, CTO of Veracode, told eWEEK.
At least one board director was probably compromised to give the perpetrators access to the application before they uncovered the vulnerabilities, Wysopal speculated.
There were a “few steps in the attack” before the software was installed, Wysopal said.
Organizations have to ensure that there is extensive security testing in all phases of development, according to Wysopal. There should be thorough security review during development and dynamic analysis during functional testing to find and close
Web vulnerabilities. Penetration testing should be done, but testing should be happening from the start, he said.
Even if the application initially didn’t have any issues at launch, ongoing maintenance and new features
can be unintentionally introduced at any time, Ollmann said.
“Regular security assessments and penetration tests are standard requirements,” and
automated tests and change control monitoring should be conducted daily,
Ollmann said.
Organizations also have to start thinking about protecting the browser, instead of just focusing on
traditional endpoint protection, said Bill Morrow, executive chairman at Quarri Technologies. Confidential business information is increasingly being accessed with Web browsers, but organizations are not always making sure the browsers
are up-to-date and secure.
The United States National Security Agency had been assisting Nasdaq in its investigation. U.S. Army
General Keith Alexander, head of the National Security Agency and U.S. Cyber= Command, told a group of journalists at a conference in Baltimore that the NSA was working with Nasdaq to “identify the signature” of the attackers
and to protect the network against further attacks. Alexander said all other details were classified.
“Nation-states, non-nation-state actors and hacker groups are creating tools that are
increasingly more persistent and threatening, and we have to be ready for that,” Alexander said at the meeting.
The Nasdaq attackers were most likely after inside information they could use for stock trades that would
allow them to reap large profits, according to Wysopal. However, there isn “definitely a trend” of malicious perpetrators going after a centralized repository of information that they can use in later attacks, he said.
By on 24/10/2011