A security gaffe left Oman's stock exchange vulnerable to hackers for months
Experts suggest that the flaw could have allowed hackers to easily compromise the Omani stock exchange's network.
For several months, Oman's stock exchange, one of the largest stock exchanges in the Middle East, was reportedly vulnerable to hacking. The Omani exchange, the Muscat Securities Market, has since reportedly quietly fixed the security issue, which could have allowed hackers to gain unimpeded access to the network.
ZDNet reported that a security researchers found that a primary Huawei router for Oman's stock exchange had both its username and password as "admin". It is not uncommon for many routers to have the same username and password combination set as default. However, unless manually changed, leaving the combination as is, would reportedly allow hackers to gain administrator privileges, which in turn would give them complete control over the device.
"Actually, 'owning the network' is a breeze," security researcher Victor Gevers, the security researcher who discovered Oman's stock exchange's flaw, told ZDNet. According to Gevers, who is the founder of the non-profit group GDI foundation that hunts vulnerabilities, several attempts to contact Omani authorities by phone and email failed to yield any response. Meanwhile, the exchange remained vulnerable. According to Gevers, if a hacker had stumbled onto the vulnerable router, the network's traffic could then have easily been manipulated, ZDNet reported.
Although the Muscat Securities Market has since fixed the issue, it is still unclear when exactly the issue was resolved. It also remains uncertain if any other third parties also found the vulnerable router.
ZDNet reported that Gevers found the vulnerable router's IP address buried in a list of Telnet credentials that were leaked last year. An unknown individual leaked around 33,000 credentials, belonging to over 1,700 IoT devices. Some of the credentials leaked are reportedly still working and could be used by hackers operating botnets to shut down websites, mine cryptocurrency and even spy on vulnerable networks.
Gevers reportedly spent months pouring over the list of leaked credentials, reporting each of the vulnerable devices included in the list, many of which have already been compromised, to its owners.
Gevers told ZDNet that last year alone, "We saw a potential of 1.9 million vulnerabilities online. In 2018, that number will go up." This means that we will likely have to brace for even more cyberattacks and data breaches in the coming months.