United Nations Faces Cyber-Espionage; Failure to Patch Causes Breach
A leaked internal United Nations (UN) report showed that several core infrastructure servers were compromised in a successful cyberattack. Hackers exploited an older version of Microsoft SharePoint to gain access to the UN servers in one of the largest known breaches to affect the UN. The attack took place in July 2019 but only came to light a month later, in August 2019, and now in 2020 the UN is still “counting casualties.”
The attack is thought to have been carried out by an advanced persistent threat (APT). The attackers implanted themselves within the UN servers and then showed no further signs of activity. Once established, they remained dormant, a typical move by APTs seeking to avoid detection.
The attackers used a previously known Microsoft SharePoint vulnerability, CVE-2019-0604, to remotely install malware on the UN servers. In total, 42 servers were confirmed compromised, with an additional 25 servers suspected of being compromised. These servers included the UN Human Rights Offices and the UN Human Resources Department in both Geneva and Vienna. Over 400GB of data was downloaded in the attack. Stéphane Dujarric, a UN spokesperson, told reporters that the UN offices chose not to disclose the attack to the public because “the exact nature and scope of the incident could not be determined.”
Source: Microsoft SharePoint at SoftwareReviews. Accessed March 2, 2019.
This breach was only recently unveiled, and only due to a leak from within the UN. Allegedly, the UN had no intention to disclose the breach at all. This raises two causes for concern.
First, the exploit used by the attackers was only possible because of an old and well-documented vulnerability in Microsoft SharePoint. Even worse, a patch fixing the vulnerability the hackers used to gain access to the UN servers had already been released. This means that the UN, since July 2019 or earlier, failed to update its Microsoft SharePoint to the latest version. As a result, 400GB of data has been confirmed compromised, and the data on 25 other servers remains at risk.
Second, because the UN offices in question reside within the European Union, the assumption is that the UN would be subject to the General Data Protection Regulation (GDPR). However, because the UN has diplomatic immunity, it is unaffected by legal processes and is therefore not obligated to disclose any breaches publicly.
While the UN seeks to govern state behavior, it is difficult to heed the UN’s call for openness and transparency when it fails to model that behavior itself. Actions of this kind hurt the credibility of the UN.
Morey Haber, CTO and CISO at BeyondTrust, says, “In my opinion, unless the organization’s public disclosure would actually create harm in the form of national security (which this does not), there is no good reason to cover up the incident. In fact, the sheer fact that a Microsoft SharePoint vulnerability was exploited with such success warrants this information being shared with other agencies and should have been publicly disclosed to help others to protect against the threat.”
This is a case study in the importance of both patch management and transparency. Failure to keep patches current led to the United Nations’ breach, which could easily have been avoided had the UN simply applied the available fix for Microsoft SharePoint. On the transparency side, if the UN faces no consequences for this kind of failure, more breaches could occur without anyone knowing.
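The patch-management lesson above comes down to one question a defender has to be able to answer quickly: which of my servers are still running a build below the one that fixes a given vulnerability, and for how long have they gone unpatched? The script below is an added example written for this article, not code from the UN report, Microsoft, or SoftwareReviews. It reads a server inventory export and flags hosts below a minimum patched build per product. All hostnames, build numbers and dates are constructed placeholders; the actual fixed build for CVE-2019-0604 must be taken from the vendor's advisory, not from this example. The one non-obvious detail it demonstrates is that build strings have to be compared numerically, since a plain string comparison ranks "16.0.4900" below "16.0.10337".

```python
"""Patch-gap check over a server inventory (added example, constructed data).

Every hostname, build number and date here is a placeholder invented for the
example; the real minimum patched build for CVE-2019-0604 comes from the
vendor advisory.
"""
import csv
import io
from datetime import date

# Constructed placeholder: lowest build per product treated as patched.
# These are NOT real SharePoint fixed builds; substitute the advisory values.
MIN_PATCHED_BUILD = {
    "SharePoint 2016": "16.0.4800.1000",
    "SharePoint 2019": "16.0.10340.12101",
}

# Constructed inventory in the shape an asset-management export might take.
INVENTORY_CSV = """hostname,product,build,last_patched
sp-gva-01,SharePoint 2016,16.0.4755.1000,2018-11-05
sp-gva-02,SharePoint 2016,16.0.4900.1000,2019-06-14
sp-vie-01,SharePoint 2019,16.0.10340.12101,2019-05-20
sp-vie-02,SharePoint 2019,16.0.10337.12109,2019-02-11
sp-unknown,SharePoint 2013,15.0.5000.1000,2019-03-01
"""


def parse_build(build: str) -> tuple:
    """Turn '16.0.4755.1000' into (16, 0, 4755, 1000) so comparison is numeric.
    String comparison would wrongly rank '16.0.4900...' below '16.0.10337...'."""
    return tuple(int(part) for part in build.split("."))


def find_unpatched(inventory_csv: str, min_builds: dict, today_iso: str) -> list:
    """Return one finding per host that is below the patched build for its
    product. A product with no known fixed build is reported as a finding too,
    rather than silently skipped, because 'unknown' is not 'patched'.
    Each finding carries the days elapsed since the host was last patched,
    which is exactly the 'how long has this been exposed' question."""
    today = date.fromisoformat(today_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        age_days = (today - date.fromisoformat(row["last_patched"])).days
        floor = min_builds.get(row["product"])
        if floor is None:
            reason = "no fixed build known for product"
        elif parse_build(row["build"]) < parse_build(floor):
            reason = f"build {row['build']} is below patched build {floor}"
        else:
            continue  # at or above the fixed build: compliant
        findings.append({
            "hostname": row["hostname"],
            "product": row["product"],
            "reason": reason,
            "days_since_patch": age_days,
        })
    return findings


if __name__ == "__main__":
    # Constructed reference date: the month the article says the attack occurred.
    for f in find_unpatched(INVENTORY_CSV, MIN_PATCHED_BUILD, "2019-07-01"):
        print(f"{f['hostname']:12} {f['days_since_patch']:4d} days  {f['reason']}")
```

In practice the inventory would come from the organization's configuration-management or vulnerability-scanning tool rather than an embedded string, and the output would feed a ticket or a dashboard; the logic of "numeric build comparison plus an explicit finding for unknown products" is what carries over unchanged.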
It is best to be open about breaches, and about how they were remediated, so other organizations can learn from them and know what to look for. This applies to phishing attacks, social engineering, and even physical breaches. Check out our blueprint Developing and Implementing a Security Incident Management Program to find out more.
Want to Know More?
The Department of Justice is looking to acquire a GRC tool for the Office of the CIO within the FBI’s Enterprise Information Security Section.
Google has identified “unsafe” code in the Chromium web browser engine. This flaw introduces a potential vulnerability that affects Google Chrome, as well as all Chromium-based web browsers.
The International Association of Privacy Professionals (IAPP) has released its 2020 Privacy Tech Vendor report, reviewing key software solution vendors within the space. This year’s report highlighted the recent addition of Data Subject Request (DSR) to the feature categories.
Among the full set of features available in Zecurion’s new DLP product is the ability to perform user behavior analytics to help spot data loss events before they occur.
Zecurion has one of the most robust DLP products on the market, a fact recently recognized by SC Magazine, which placed the product in its “pick-of-the-litter” category for DLP.
In early March, Titus released Titus Illuminate 2020, which was the company’s answer to the question of analyzing data at rest. This latest version of Illuminate leverages machine learning and AI in an effort to manage data that contains potentially sensitive or high-risk personal information.
More than ever, cybersecurity solutions are core to any MSP’s offering. Technology service providers should no longer be farming this out to dedicated security providers. Trust and peace of mind are the core tenets of what they are selling, and solutions like Acronis Cyber Protect Cloud can provide the platform upon which to deliver on those promises.
PHEMI is a data privacy solution focused on keeping data-processing activities secure by redacting information based on the role of the accessor, allowing the same data to be used for multiple use cases without compromising privacy.
Kenna Security deployed its new data-driven vulnerability management program, Kenna.VM, and its accessory program, Kenna.VI. Released on April 28th, Kenna.VM was created to set service-level agreements (SLAs) with risk tolerance in mind.