A leaked internal United Nations (UN) report showed that several core infrastructure servers were compromised during a successful cyberattack. An older version of Microsoft SharePoint was exploited by hackers to gain access to the UN servers in one of the largest known breaches to affect the UN. The attack took place in July 2019 but only came to light a month later in August 2019, and now in 2020 the UN is still “counting casualties.”
The attack was thought to be perpetrated by an advanced persistent threat (APT). The attackers implanted themselves within the UN servers and then showed no further signs of activity. Once established, they remained dormant, a typical move of APTs seeking to avoid detection.
The attackers used a previously known vulnerability – CVE-2019-0604 – of Microsoft SharePoint to execute the remote installation of malware onto the UN servers. In total, 42 servers were compromised, with an additional 25 servers placed under suspicion of being compromised. These servers included the UN Human Rights Offices and the UN Human Resources Department in both Geneva and Vienna. Over 400GB of data was downloaded via the attack. Stéphane Dujarric, a UN spokesperson, told reporters that the UN offices chose not to disclose the attack to the public because “the exact nature and scope of the incident could not be determined.”
Source: Microsoft SharePoint at SoftwareReviews. Accessed March 2, 2019.
This breach was only recently unveiled, and only due to a leak from within the UN. Allegedly, the UN had no intention to disclose the breach at all. This raises two causes for concern.
First, the exploitation used by the attackers was only possible via an old and well-documented vulnerability in Microsoft SharePoint. Even worse, there was a released patch to fix the exploit hackers used to gain access to the UN servers. This means that the UN, since July of 2019 or earlier, failed to update their Microsoft SharePoint to the latest version. Subsequently, 400GB of data has been confirmed to be compromised. There are still 25 other servers whose data security is at risk.
Second, because the UN resides within the European Union, the assumption is the UN would be subject to the General Data Protection Regulation (GDPR). However, because the UN has diplomatic immunity, it is unaffected by legal processes and is therefore not obligated to disclose any breaches publicly.
While the UN is seeking to govern over state behavior, it is difficult to heed the UN’s call for openness and transparency when they fail to model that behavior themselves. These types of actions hurt the credibility of the UN.
Morey Haber, CTO and CISO at BeyondTrust, says, “In my opinion, unless the organization’s public disclosure would actually create harm in the form of national security (which this does not), there is no good reason to cover up the incident. In fact, the sheer fact that a Microsoft SharePoint vulnerability was exploited with such success warrants this information being shared with other agencies and should have been publicly disclosed to help others to protect again the threat.”
This is a case study in the importance of both patch management and transparency. Failure to maintain a current patch led to the United Nation’s breach. This breach would have been easily avoided, had the UN only obtained the patch fix for Microsoft SharePoint. On the transparency side, if the UN faces no consequences for this kind of failure, more breaches could occur without anyone knowing.
It is best to be open about breaches – and how they were remediated – so other organizations can take it as a learning experience and know what to look for. This includes phishing attacks, social engineering, and even physical breaches. Check out our blueprint Developing and Implementing a Security Incident Management Program to find out more.