Pierluigi Paganini March 16, 2013

The news is curious as it is worrying, unknown hackers have violated the US government repository of standards based vulnerability management website, known as National Vulnerability Database (NVD), last week.

The NVD website appears down since last Friday, fortunately while I’m writing is up again, the attackers have compromised at least two servers with a malware-based attack discovered on Wednesday.

NIST detected the malware presence on March 8th due observation of suspicious activity, two servers being taken offline, one machine ran the NVD web site meanwhile the other hosted a half-dozen other sites, including manufacturing.gov, E3.gov, greensuppliers.gov, emtoolbox.nist.gov, nsreserve.gov, and stonewall.nist.gov.

It’s curious that the site which should enable automation of vulnerability management, security measurement, and compliance was victim of attacks, let’s remind that NVD also provides information on software flaws, misconfigurations, and distribute impact metrics and security checklists.

In the days when the site was down the home page of website states,

“The NIST National Vulnerability Database (NVD) has experienced an issue with its Web Services and is currently not available. We are working to restore service as quickly as possible. We will provide updates as soon as new information is available.”

Kim Halavakoski, Chief Security Officer at Crosskey Banking Solutions, in a blog post published on Google+ revealed that received the following information from NIST Public Inquiries Office:

“On Friday March 8, a NIST firewall detected suspicious activity and took steps to block unusual traffic from reaching the Internet. NIST began investigating the cause of the unusual activity and the servers were taken offline. Malware was discovered on two NIST Web servers and was then traced to a software vulnerability.”

He also added that there isn’t evidence that NVD website was used to spread malware infecting its visitors, a schema that recently has been adopted in many cases adopting a technique known as Watering Hole, a methods to infect on large-scale the goers of legitimate web sites.

The attackers exploited a vulnerability in Adobe’s ColdFusion Web development software, according revelation NIST (National Institute of Standards and Technology) spokeswoman Gail Porter who declared that the malware was inserted before a patch Adobe Issued January 15.

The mission of the NVD is to help organizations, private companies and individuals to improve protection from cyber threats of their IT infrastructures, many government agencies and private businesses use the database, infecting the NVD with a malware hackers may infect an impressive amount of visitors.

The hack of the National Vulnerability Database (NVD) reinforces the conviction that US needs for a stronger effort to improve cyber security, the same conviction has been manifested by president Barack Obama in meetings Wednesday and Thursday with corporate leaders according Bloomberg post.

The improvement of cyber capabilities and mitigation of cyber attacks is possible only if private companies and governments will increase the collaboration and the US Government will reaffirm its commitment.

Pierluigi Paganini

(Security Affairs – Cyber security)