The US National Vulnerability Database (NVD) was hacked and infected with malware on the 8th of March 2013. As of today (15th of May 2013), the site from which both black hats and white hats get information about existing software vulnerabilities is still offline.
So far no official report has been released that explains how the hackers managed to break into NIST’s catalogue of software vulnerabilities and infect it with malware. However, from an email sent by Gail Porter (excerpt below) it seems that the malicious users exploited a known software vulnerability. It all started when Kim Halavakoski noticed that the NIST vulnerability database was offline. He got in touch with NIST to find out what had happened, and Gail Porter from NIST’s Inquiries office replied, stating in an email that:
“On Friday March 8, a NIST firewall detected suspicious activity and took steps to block unusual traffic from reaching the Internet. NIST began investigating the cause of the unusual activity and the servers were taken offline. Malware was discovered on two NIST Web servers and was then traced to a software vulnerability.
Currently there is no evidence that NVD or any other NIST public pages contained or were used to deliver malware to users of these NIST Web sites.”
For a complete transcript of the email sent from Gail Porter (NIST) to Kim Halavakoski click here.
I wonder what motivated the hacker(s) to break into such a website and infect it with malware. This is not a normal commercial or government website. It is extremely popular with web application security experts; both the black hat and white hat communities benefit from the information it contains. Could it be the start of a new wave of survival of the fittest in the underground world?
The web security industry has a lot to learn from this hacking incident. To start with, as NIST is currently doing, it is of utmost importance to contain the incident by temporarily restricting network connectivity to the infected web application. This reduces the chances of the malware infection spreading to other web servers on the network or infecting the computers of website visitors.
Plan of action to keep hackers at bay
Below are four web application security guidelines which, if followed, should help you avoid your business ending up hacked and infected with malware.
- Frequently scan your website for web vulnerabilities; today’s web applications are dynamic and every day they become more sophisticated by providing more functionality. The more functionality and features are added to a web application, the bigger its attack surface. So it is imperative to frequently audit your web applications and scan them for web vulnerabilities with a reliable web vulnerability scanner such as Acunetix WVS.
- Back up your web applications; once you have identified the security hole through which a website was hacked, it is easier and more efficient to restore a clean backup of the website and close the hole than to try to remove the malware infection. By restoring a website backup you ensure that your website is not tampered with. If, on the other hand, you fix a tampered website in place, there is no guarantee that you have removed all the applications and backdoors the hacker managed to install, or that you will be able to restore all the data to its original state.
- Monitor your website files and scan for malware; even if your web application does not have any vulnerabilities, it is still good practice to implement a website watchdog that scans your website for malware and file changes (file integrity checks). If a hacker manages to break into your website via another route, such as the hosting provider’s network, you are still alerted to the intrusion and can act as early as possible to remediate the hacker’s wrongdoing.
- WAF integration; as seen in this incident, it was the firewall that raised the alarm. As web security experts and PCI DSS recommend, if the budget permits you should both perform web application vulnerability scans and implement a web application firewall. If you have a web application firewall, make sure the findings of your web vulnerability scanner of choice can be imported into the firewall’s configuration to mitigate such attacks.
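One way to implement the file integrity check described in the third guideline above, as an added example (this is not code from the original post, from NIST or from Acunetix): a small Python watchdog that records the SHA-256 digest of every file under a web root, stores that baseline as JSON, and on later runs reports files that were added, removed or modified. The web root layout, file names and the tampering scenario in demo() are constructed for illustration only.

```python
"""File integrity watchdog for a web root (added example, not project code).

Build a baseline of SHA-256 digests, save it outside the web root, then
compare the live tree against it and report added/removed/modified files.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    """Stream the file through SHA-256 so large uploads never sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(webroot: Path) -> Dict[str, str]:
    """Map each regular file (path relative to webroot, POSIX separators) to its digest."""
    baseline: Dict[str, str] = {}
    for p in sorted(webroot.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(webroot).as_posix()] = hash_file(p)
    return baseline


def save_baseline(baseline: Dict[str, str], dest: Path) -> None:
    # Store the baseline off the web server, or at least read-only: an intruder
    # who can rewrite site files must not be able to rewrite the record as well.
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> Dict[str, str]:
    return json.loads(src.read_text())


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Return sorted lists of added, removed and modified paths."""
    known, seen = set(baseline), set(current)
    return {
        "added": sorted(seen - known),
        "removed": sorted(known - seen),
        "modified": sorted(p for p in known & seen if baseline[p] != current[p]),
    }


def check(webroot: Path, baseline_file: Path) -> Dict[str, List[str]]:
    """One watchdog run: rehash the live tree and diff it against the saved baseline."""
    return compare(load_baseline(baseline_file), build_baseline(webroot))


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a tiny site, then simulate a defacement
    (modified index.html), a dropped file (uploads.php) and a deleted file
    (robots.txt), and return what the watchdog reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"
        (root / "assets").mkdir(parents=True)
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "assets" / "site.css").write_text("body { margin: 0; }")
        (root / "robots.txt").write_text("User-agent: *\n")

        baseline_path = Path(tmp) / "baseline.json"  # kept outside the web root
        save_baseline(build_baseline(root), baseline_path)

        # Simulated tampering (constructed for the example).
        (root / "index.html").write_text("<h1>Welcome</h1><!-- injected content -->")
        (root / "uploads.php").write_text("<?php /* file the baseline never saw */ ?>")
        (root / "robots.txt").unlink()

        return check(root, baseline_path)


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        print(f"{kind:9s}: {paths}")
```

In production the baseline is regenerated only after a deliberate, reviewed deployment, check() runs from a scheduler (for example cron) against the live tree, and any non-empty list in the report is treated as an alert to investigate rather than a notice to silence.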