SecurityWeek

NASDAQ Attackers Likely Monitored Director Communications

Two unnamed sources close to the NASDAQ investigation have told Reuters that malicious software that worked its way into a web-based communications platform at NASDAQ last year allowed the attackers to monitor communications between business leaders using its Directors Desk system.

Directors Desk is a product intended to let board members communicate and collaborate "securely"; the company says it is used by more than 10,000 directors around the globe.

It is not known what information the attackers may have stolen, or which communications they read while passively monitoring the directors of several publicly held companies. At the time of the breach, NASDAQ reported that no evidence had been found of access to customers' information, but given the nature of Directors Desk, the latest details are far from reassuring.

NASDAQ CEO Robert Greifeld told the news agency that the exchange is under constant attack, and that it therefore spends nearly a billion dollars annually on its information security program. Yet is some of that money better applied elsewhere, perhaps to basic application security?

“Due to the true nature of the Director’s Desk Web-based application, it appears that vulnerabilities within the application were probably successfully exploited by remote attackers that allowed them to peruse information exchanges between various company directors. There are several classes of common vulnerabilities that would allow attacks like this, and I would direct people to take a closer look at the OWASP Top-10 application security risks,” commented Damballa’s Gunter Ollmann.

“Gaining remote access to confidential data held within the Director’s Desk application could have been through SQL injection, broken authentication and session management, and URL restriction failures. In my years of running penetration tests against Fortune-500 companies, these were the most common vulnerabilities that could be exploited to reveal this level of confidential data.”

He added that the new details about the malicious use of Directors Desk, or of any major web application being targeted, should come as no surprise.

“Overall, vulnerabilities within large Web-based applications are very common. They are under constant development and change, which means that vulnerabilities can be unintentionally introduced at any time. If there are multiple development teams working on the same application portal – all developing their own micro applications – then the probability of new vulnerabilities being introduced grows considerably. This is why Web applications need to be security tested continuously.”
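Two of the vulnerability classes Ollmann names, injection and failure to restrict access to a document by URL or identifier, are easiest to understand side by side. The following is an added example written for this page; it is not Directors Desk code and is not something Ollmann provided. The board-portal schema, the sample rows and the function names are assumptions made for illustration. The vulnerable handler builds its query by string formatting and never asks who is requesting the document; the hardened handler parameterises the query and makes the caller's board membership part of the predicate.

```python
import sqlite3
from typing import Optional


def setup_db() -> sqlite3.Connection:
    """Build an in-memory board portal with constructed sample data.

    The schema and rows are assumptions for this example, not a real
    product's data model.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE boards (id INTEGER PRIMARY KEY, company TEXT);
        CREATE TABLE memberships (user_id INTEGER, board_id INTEGER);
        CREATE TABLE documents (
            id TEXT PRIMARY KEY, board_id INTEGER, title TEXT, body TEXT);
        INSERT INTO boards VALUES (1, 'Acme Corp'), (2, 'Globex Inc');
        -- user 100 sits on Acme's board, user 200 on Globex's board
        INSERT INTO memberships VALUES (100, 1), (200, 2);
        INSERT INTO documents VALUES
            ('doc-1001', 1, 'Acme Q3 strategy', 'Acme confidential minutes'),
            ('doc-2001', 2, 'Globex merger memo', 'Globex confidential memo');
        """
    )
    return conn


def fetch_document_vulnerable(conn: sqlite3.Connection, doc_id: str) -> list:
    """Handler for GET /documents/<doc_id> with two of the OWASP flaws at once.

    The query is assembled by string formatting, so a crafted doc_id changes
    the SQL (injection), and nothing checks which user is asking, so any
    authenticated director can read any board's documents (URL/object
    restriction failure).
    """
    sql = f"SELECT title, body FROM documents WHERE id = '{doc_id}'"
    return conn.execute(sql).fetchall()


def fetch_document_hardened(
    conn: sqlite3.Connection, user_id: int, doc_id: str
) -> Optional[tuple]:
    """Same lookup, parameterised and scoped to the caller's boards.

    Because the membership join is part of the predicate, a document on a
    board the user does not sit on is indistinguishable from one that does
    not exist: the caller learns nothing either way.
    """
    return conn.execute(
        "SELECT d.title, d.body FROM documents d "
        "JOIN memberships m ON m.board_id = d.board_id "
        "WHERE d.id = ? AND m.user_id = ?",
        (doc_id, user_id),
    ).fetchone()


if __name__ == "__main__":
    db = setup_db()
    # Classic tautology payload: the vulnerable handler dumps every document.
    print("vulnerable, injected:", fetch_document_vulnerable(db, "' OR '1'='1"))
    # Acme's director (100) asking for Globex's memo by guessing its id.
    print("vulnerable, cross-board:", fetch_document_vulnerable(db, "doc-2001"))
    print("hardened, cross-board:", fetch_document_hardened(db, 100, "doc-2001"))
    print("hardened, own board:", fetch_document_hardened(db, 100, "doc-1001"))
    print("hardened, injected:", fetch_document_hardened(db, 100, "' OR '1'='1"))
```

The point of the hardened version is that authorisation is enforced in the same query that fetches the data rather than in a separate check a developer can forget to call on a new endpoint, which is exactly the risk Ollmann describes when several teams add their own micro-applications to one portal. Session management, the third class he names, is outside this example.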

Directors Desk is entirely separate from the NASDAQ trading platforms that power the exchange, and trading operations were never affected.
