Nasdaq Attackers Eavesdropped on Board Directors With Web Monitoring Tool

After breaching Nasdaq's Director's Desk Web application last fall, attackers installed monitoring tools to eavesdrop on board directors' communications, investigators found.

The hackers who breached the Nasdaq stock exchange network last year had installed remote-monitoring software that allowed them to spy on corporate directors, according to Reuters.

The unknown attackers were able to install the monitoring tool and steal confidential documents and communications of board directors on the compromised platform, Reuters reported Oct. 20.

Investigators have evidence that the attackers installed monitoring software and spied on "scores" of directors who had logged on to the platform, but do not know how long the software was running on the network before it was detected and removed last October.

Nasdaq's Director's Desk, a Web-based application used by the boards of various companies that trade on the exchange to share financial information, was compromised in the fall of 2010, Nasdaq OMX, the shell company that owns the stock market, disclosed Feb. 5. Nasdaq OMX said at the time that there was no evidence that customer information had been accessed and that the trading infrastructure and other systems remained unaffected.

"It appears that vulnerabilities within the application were probably successfully exploited by remote attackers that allowed them to peruse information exchanges between various company directors," Gunter Ollmann, vice president of research at Damballa, told eWEEK. There are several types of common attacks that exploit application vulnerabilities to give the intruders access to the database and files on the server, Ollmann said.

The fact that the attackers had some sort of write capability on the affected system that allowed them to install software indicates this was a fairly sophisticated attack, Chris Wysopal, CTO of Veracode, told eWEEK. At least one board director was probably compromised to give the perpetrators access to the application before they uncovered the vulnerabilities, Wysopal speculated.

There were a "few steps in the attack" before the software was installed, Wysopal said.

Organizations have to ensure that there is extensive security testing in all phases of development, according to Wysopal. There should be thorough security review during development and dynamic analysis during functional testing to find and close Web vulnerabilities. Penetration testing should be done, but testing should be happening from the start, he said.

Even if the application had no issues at launch, ongoing maintenance and new features can unintentionally introduce vulnerabilities at any time, Ollmann said.

"Regular security assessments and penetration tests are standard requirements," and automated tests and change control monitoring should be conducted daily, Ollmann said.

Organizations also have to start thinking about protecting the browser, instead of just focusing on traditional endpoint protection, said Bill Morrow, executive chairman at Quarri Technologies. Confidential business information is increasingly being accessed with Web browsers, but organizations are not always making sure the browsers are up-to-date and secure.

The United States National Security Agency had been assisting Nasdaq in its investigation. U.S. Army General Keith Alexander, head of the National Security Agency and U.S. Cyber Command, told a group of journalists at a conference in Baltimore that the NSA was working with Nasdaq to "identify the signature" of the attackers and to protect the network against further attacks. Alexander said all other details were classified.

"Nation-states, non-nation-state actors and hacker groups are creating tools that are increasingly more persistent and threatening, and we have to be ready for that," Alexander said at the meeting.

The Nasdaq attackers were most likely after inside information they could use for stock trades that would allow them to reap large profits, according to Wysopal. However, there is "definitely a trend" of malicious perpetrators going after a centralized repository of information that they can use in later attacks, he said.