New Zealand Stock Exchange Suffers DDoS Cyberattack

DDoS attack

Dress rehearsal for attack on larger exchange? Two days outage for New Zealand’s NZX, following ‘offshore’ DDoS cyberattack

New Zealand’s stock exchange NSX has been offline for two days now after it suffered a distributed denial of service (DDoS) cyberattack from abroad on Tuesday.

The stock exchange confirmed on Wednesday that the attack was still ongoing, although the “attack was able to be mitigated and connectivity has now been restored for NZX.”

In June the Prime Minister of Australia, Scott Morrison, confirmed his nation was the target of a “sophisticated” cyber attack. The Aussie PM warned that an unnamed foreign government was behind the attack.

NSX DDoS attack

Now is it Australia’s neighbour New Zealand that has experienced a determined cyberattack.

The Wellington-based NSX stock exchange on Wednesday confirmed that it was experiencing a ‘connectivity issue’ that knocked it offline for two days.

It also confirmed the attack had come from ‘aboard’ and the attack had begun just before 16.00 (local time) on Tuesday afternoon.

Trading was also impacted on Wednesday (between 11:24 and 15:00 local time) before the service was restored.

“Yesterday (Tuesday) afternoon NZX experienced a volumetric DDoS (distributed denial of service) attack from offshore via its network service provider, which impacted NZX network connectivity,” said NSX.

“The systems impacted included NZX websites and the Markets Announcement Platform,” it added. “As such, NZX decided to halt trading in its cash markets at approximately 15.57. A DDoS attack aims to disrupt service by saturating a network with significant volumes of internet traffic. The attack was able to be mitigated and connectivity has now been restored for NZX.”

Don’t underestimate

The attack drew reaction from cybersecurity professionals, who warned it was important not to underestimate the sheer amount of traffic that can be utilised by DDoS attackers.

“As the world becomes increasingly connected, more defenses are required to protect against the bombardment of attempts to take down a site,” said Jake Moore, cybersecurity specialist at ESET.

“DDoS attacks are common threats that can usually be avoided with the correct mitigation techniques,” said Moore. “However, when a site experiences a massive influx of traffic that it is not prepared for, even huge organisations can be knocked off their feet relatively easily – and for long periods of time.”

“One common mistake organisations make is to underestimate the magnitude, force, and determination that threat actors possess,” said Moore. “These gangs will continue to cause havoc by directing massive volumes of traffic to a website, either to send a message or test the site’s defenses in preparation for further attacks. Whatever their reason, it’s clear that we should never take this threat too lightly and need to start protecting now for even stronger DDoS bombs.”

Dress rehearsal?

Another security expert agreed and cautioned that the attack on NSX may be a dress rehearsal for a similar attack on a bigger stock exchange, such as the UK’s LSE or America’s Nasdaq.

“This may be a rehearsal of a major attack targeting NASDAQ or LSE amid the craziness going on the global stock markets,” warned Ilia Kolochenko, founder & CEO of web security company ImmuniWeb.

“I don’t think that major cyber gangs have their own interest in, or were hired by someone to conduct a DDoS capable of repeatedly shutting down NZX,” said Kolochenko. “While even a daily outage of NYSE can lead to multibillion losses around the globe, and probably even some bankruptcies and countless lawsuits.”

“Unfortunately, not much can be done to prevent large-scale and well-prepared DDoS attacks today,” Kolochenko added. “Worse, DDoS attacks are hardly investigable, and most of their authors enjoy skyrocketing profits in virtual impunity.”

“During the pandemic, the average price of bots used for DDoS has fallen, and will probably become even more affordable,” he added. “When millions of devices suddenly start a massive attack, it’s a question of network capacity not really network security. We witnessed many examples in the past, when even the largest DDoS protection companies ceased protecting some of their clients under exceptionally large DDoS and gave up.”

“Web applications and APIs should, however, be regularly audited for business logic and architectural security flaws that may consume all CPU/RAM and greatly facilitate a DDoS attack,” Kolochenko concluded.

Remote security

Another expert noted this attacked highlighted the need for organisations to address remote work security.

“Today’s second attack on New Zealand’s stock exchange is yet another reminder that remote work security challenges need to be addressed as a priority,” said Nick Turner, VP EMEA at Druva. “Local governments and cities need to act fast, or risk putting their constituents’ health, safety, lives and most sensitive data at risk.”

“Cyberattacks have become a common threat against local governments who have become sitting ducks lacking the right infrastructure and technology to protect themselves against an attack as hackers look to seize critical data and take hostage over systems for hefty ransoms – or simply – to cause chaos on these establishments,” said Turner.

“From a hackers perspective, local governments and mission critical organisations are at their most vulnerable right now as a result of the pandemic,” said Turner. “Unfortunately, there are nasty consequences for governments that lack the correct backup and recovery solution for their data.”

“The only way we’re going to stop this is by supporting organisations in automating their data protection, compliance, security and backup,” he concluded. “The only way to be safe – whilst operating 24/7 – is to build a cloud-based data protection hub to manage, protect and secure data.”