An internal confidential document from the UN was leaked, saying that 42 servers were “compromised” and another 25 were deemed “suspicious,” nearly all at its offices in Geneva and Vienna.
Three of the compromised servers belonged to the Office of the High Commissioner for Human Rights, and two were used by the U.N. Economic Commission for Europe.
The U.N. document also highlights a vulnerability in the software program Microsoft SharePoint, which could have been used for the hack.
“Dozens” of servers for the United Nations were hacked in July 2019.
The UN is citing “diplomatic immunity” as a reason why it is not obliged to notify those affected or to divulge what material was accessed.
This seems like it should be a bigger deal. https://t.co/EHYk4Gu3e4
— Leah McElrath (@leahmcelrath) January 29, 2020
As if we need it, this is further warning to organisations and enterprises around the world about the importance of patch management and patching in a timely manner. We must remember that cybercriminals are actively looking for ways to exploit vulnerabilities as soon as they are made public. When vendors issue critical patches for software, organisations should take note and act appropriately. Where we typically see failings is around asset management, and speed of deployment around critical patches. Organisations who have maturity in this space tend to act quicker and patch ‘critical’ systems in a timely manner.
We hear more and more stories about organizations that end up disconnecting their servers and endpoints from the internet: it’s not just the United Nations, but also Singapore, Japan, South Korea as well as financial institutions worldwide that choose isolation as a significantly more resilient strategy. In light of today’s threats, organizations should consider isolation approaches that range from creating network segments to isolating internet-connected applications on user endpoints.
The compromise of core infrastructures at the UN is troubling – especially considering the specific offices targeted and the information they hold. One of the most critical steps for the UN to take now should be focused on strategic post-breach actions focused on remediation – such as ensuring credentials are properly managed, rotated and audited to stop additional incidents or any attempt at lateral movement. Once attackers gain control over an entire infrastructure, they can persist and hide to have a longer-term presence. How they got in, or why, is irrelevant now.
I believe no one should be covering up attacks in any way, shape or form. We have learnt that being open and honest about cyberattacks can in fact help the brands and organisations in the wake of these hacks and help build stronger defences going forward.
Owning up to a data breach or vulnerability usually brings the cyber security industry together, and can provide help and support. It also helps other organisations who may be at risk with similar vulnerabilities. Although it is yet to be seen how this attack was carried out, there is a lot to be learnt within the industry about reporting breaches, and hopefully over the next few years we will start to see a more honest approach.
In a tense geo-political climate, nation-state attacks are on the rise, and this comes as no surprise. These attacks have the potential to cause serious havoc to systems around the world, often targeting critical infrastructure like power grids and industrial control systems, as well as government agencies. With the focus of today’s headlines on the United Nations, it appears the international entity has been targeted with malware that was potentially leveled through an application vulnerability in MS SharePoint. For years, these app vulnerability attacks have successfully disrupted operations and leaked sensitive information.
While security teams investigate which country may have launched this attack, our job as security professionals is to recognize that the threats are bigger than just one country. This is a global problem that we’re contending with, and staying ahead of nation-state attacks is fundamentally a matter of proactively taking steps and using vigilance to limit the impact of an attack. WhiteHat Security has the resources, technology and services to help the U.N. and other agencies defend against sophisticated cyberattacks like this one. We’re actively partnering with the public sector to defend against rising nation-state attacks by offering our dynamic application security testing (DAST) and an entry-level static application security testing (SAST) solution to agencies at no charge.