Kim Halavakoski, CSO at Finland's Crosskey Banking Solutions, contacted NIST to find out why he couldn’t access the vulnerability data he was seeking. He was told by email, “On Friday March 8, a NIST firewall detected suspicious activity and took steps to block unusual traffic from reaching the Internet. NIST began investigating the cause of the unusual activity and the servers were taken offline. Malware was discovered on two NIST web servers and was then traced to a software vulnerability.”
NIST does not believe that the infection delivered malware to any visitors to the site. However, information subsequently provided by NIST to The Register illustrates the problem facing CSOs today: patching a zero-day vulnerability may already be too late. According to the information provided to The Register, the breach occurred via an Adobe vulnerability in ColdFusion. Adobe issued a security advisory on this vulnerability on January 4, warning that it was already being exploited, and delivered a patch on January 15.
NIST says, however, that it believes that the “servers were compromised before the software vulnerability was known to the software vendor.” Given hackers’ predilection for using weekends and holidays, when support staff may be fewer, it is quite possible that NVD was breached as long ago as January 1 – but almost certainly around that time.
This means that the malware sat undetected on the NIST servers for roughly two months before the firewall flagged the suspicious activity.
Clearly there is more to emerge from this story. Why was the malware undetected for so long? What was the suspicious activity at the firewall – data exfiltration or, since the NVD is a public-facing website, an attempted visitor infection? What is the malware that was eventually detected? Since the implication is that it was on the servers for at least two months, it has to be assumed that the malware evaded any anti-virus defenses for a similar period. Is this zero-day malware delivered by a zero-day vulnerability to create a new waterhole attack via NIST’s National Vulnerability Database?