NIST, US government’s vulnerability database, brought down by ironic malware

The US’s national vulnerability database has been offline for days thanks to a multi-server infection by severely ironic malware.

Kim Halavakoski, chief security officer at Crosskey Banking Solutions, broke the news Wednesday night on his Google+ page.

Halavakoski said that he was trying to research vulnerability information from the National Vulnerability Database (NVD) and other websites operated by the National Institute of Standards and Technology (NIST).

Instead of results, he got what was still showing up as of Friday morning: a “Page not available” message.

When he asked NIST what was up, a spokeswoman told him that the organization doesn’t know when the database will be back up, but they’re sweating bullets to get it back fast.

According to her statement, the public-facing NVD site and other NIST-hosted sites were taken offline when NIST discovered malware on two servers on Friday night.

NIST took the servers offline after a firewall picked up on suspicious activity and blocked “unusual” traffic from reaching the internet.

While investigating the malware, NIST discovered an unspecified software vulnerability.

So far, nothing vile has seeped out as a result. NIST says:

Currently there is no evidence that NVD or any other NIST public pages contained or were used to deliver malware to users of these NIST Web sites. NIST continually works to maintain the integrity of its IT infrastructure and acts to limit the impact of malware on its systems. We regret the impact this has had on our services.

An interesting note: in a subsequent post Thursday morning, Halavakoski noted that a site report shows that the day after NIST detected the malware, it switched its sites from IIS 7.5 to Linux and Apache.

At any rate, beyond the Microsoft vs. open-source debate, the hack of a database that catalogs vulnerabilities is little short of “pure evil”, to borrow Halavakoski’s summation.

Those hackers really know how to hurt a security guy/girl. Good luck wiping your servers clean, NIST.

Images from Kim Halavakoski