[BreachExchange] Three United Nations offices hacked

Destry Winant destry at riskbasedsecurity.com
Thu Jan 30 10:06:59 EST 2020


https://www.computing.co.uk/ctg/news/3085225/united-nations-offices-hacked

The United Nations was hacked via a Microsoft SharePoint vulnerability
last year, with 20 administrative accounts compromised and malware
implanted on 40 servers.

Furthermore, the UN chose to cover up the attack, which has been
described as "sophisticated", rather than publicly disclosing it.

In addition to entering the organisation via an unpatched SharePoint
server install, the attackers were easily able to achieve lateral
movement across multiple Active Directory domains in the UN's core
infrastructure, according to security specialist Kevin Beaumont.

Kevin Beaumont (@GossiTheDog):

Want to know a fun thing about CVE-2019-0604?

Thousands of publicly exposed systems still run SharePoint 2007.

Doesn’t matter as the advisory says it doesn’t apply to SP 2007, right? Wrong.

Exploit absolutely works, product is out of support. Vuln scanners
don’t detect. https://twitter.com/gossithedog/status/1126833629236215808
…

Kevin Beaumont (@GossiTheDog):

CVE-2019-0604 is being exploited in the wild. It's a web-based remote
code execution vuln without need for authentication, plus Microsoft
had to reissue the patch later as the first one didn't fix the
vulnerability - so lots of places are exposed.
https://twitter.com/chrisdoman/status/1126442126408024065 …

2:40 PM - Jan 29, 2020

The attack has come to light following the leak of an internal report
to Nairobi, Kenya-based news agency, The New Humanitarian, formerly
IRIN News.

UN offices in Vienna and Geneva were compromised, as well as the UN
Office of the High Commissioner for Human Rights, also in Geneva. The
organisation, according to the report, only informed the internal IT
teams and the heads of the offices affected. Staff inside the United
Nations don't appear to have been briefed on the nature and extent of
the attack, according to Beaumont.

According to the leaked report, the attack started in mid-July, but
was only discovered on 30th August. The UN office in Geneva appears to
be the epicentre of the attacks. Its 1,600 staff work on a range of
sensitive topics, including the ongoing Syria peace effort, the UN
humanitarian coordination office and the Economic Commission for
Europe.

"Although it is unclear what documents and data the hackers obtained
in the 2019 incident, the report seen by TNH implies that internal
documents, databases, emails, commercial information, and personal
data may have been available to the intruders - sensitive data that
could have far-reaching repercussions for staff, individuals, and
organisations communicating with and doing business with the UN," The
New Humanitarian reports.

UN spokesperson Stéphane Dujarric admitted to the publication that the
United Nations' core IT infrastructure in Geneva and Vienna was
compromised. "As the exact nature and scope of the incident could not
be determined, [the UN offices in Geneva and Vienna] decided not to
publicly disclose the breach."

The UN enjoys diplomatic immunity, meaning that it isn't subject to EU
regulations, such as GDPR, and isn't obliged to reveal the information
obtained or to notify anyone who might be affected.

Not surprisingly, perhaps, the UN has repeatedly been the target of
various cyber attacks, including one on the UN pension fund system in
October 2019, and an attack linked with North Korea in March 2019.

