United Nations Faces Cyber-Espionage; Failure to Patch Causes Breach
A leaked internal United Nations (UN) report showed that several core infrastructure servers were compromised during a successful cyberattack. An older version of Microsoft SharePoint was exploited by hackers to gain access to the UN servers in one of the largest known breaches to affect the UN. The attack took place in July 2019 but only came to light a month later in August 2019, and now in 2020 the UN is still “counting casualties.”
The attack was thought to be perpetrated by an advanced persistent threat (APT). The attackers implanted themselves within the UN servers and then showed no further signs of activity. Once established, they remained dormant, a typical move of APTs seeking to avoid detection.
The attackers used a previously known vulnerability – CVE-2019-0604 – of Microsoft SharePoint to execute the remote installation of malware onto the UN servers. In total, 42 servers were compromised, with an additional 25 servers placed under suspicion of being compromised. These servers included the UN Human Rights Offices and the UN Human Resources Department in both Geneva and Vienna. Over 400GB of data was downloaded via the attack. Stéphane Dujarric, a UN spokesperson, told reporters that the UN offices chose not to disclose the attack to the public because “the exact nature and scope of the incident could not be determined.”
Source: Microsoft SharePoint at SoftwareReviews. Accessed March 2, 2019.
This breach was only recently unveiled, and only due to a leak from within the UN. Allegedly, the UN had no intention to disclose the breach at all. This raises two causes for concern.
First, the exploit used by the attackers relied on an old and well-documented vulnerability in Microsoft SharePoint. Even worse, a patch had already been released for the vulnerability the attackers used to gain access to the UN servers. This means that the UN, since July of 2019 or earlier, failed to update its Microsoft SharePoint to the latest version. As a result, 400GB of data has been confirmed to be compromised, and there are still 25 other servers whose data security is at risk.
Second, because the UN resides within the European Union, the assumption is the UN would be subject to the General Data Protection Regulation (GDPR). However, because the UN has diplomatic immunity, it is unaffected by legal processes and is therefore not obligated to disclose any breaches publicly.
While the UN seeks to govern state behavior, it is difficult to heed the UN’s call for openness and transparency when it fails to model that behavior itself. These types of actions hurt the credibility of the UN.
Morey Haber, CTO and CISO at BeyondTrust, says, “In my opinion, unless the organization’s public disclosure would actually create harm in the form of national security (which this does not), there is no good reason to cover up the incident. In fact, the sheer fact that a Microsoft SharePoint vulnerability was exploited with such success warrants this information being shared with other agencies and should have been publicly disclosed to help others to protect against the threat.”
This is a case study in the importance of both patch management and transparency. Failure to maintain current patches led to the United Nations’ breach. This breach would have been easily avoided had the UN only applied the patch for Microsoft SharePoint. On the transparency side, if the UN faces no consequences for this kind of failure, more breaches could occur without anyone knowing.
It is best to be open about breaches – and how they were remediated – so other organizations can take it as a learning experience and know what to look for. This includes phishing attacks, social engineering, and even physical breaches. Check out our blueprint Developing and Implementing a Security Incident Management Program to find out more.