Latest to Admit Cyber-Attack: The UN
The United Nations (U.N.) recently admitted that it was a victim of a cyber-attack. The admission came months after the cyber incident.
U.N. spokesman Stephane Dujarric told reporters in New York that U.N. offices in Geneva and Vienna were targeted by an “apparently well-resourced” cyber-attack in the middle of 2019. Several U.N. offices are based in Geneva, Switzerland, including the World Health Organization (WHO), the World Trade Organization (WTO), the Human Rights Council (UNHRC), the Office of the High Commissioner for Human Rights (OHCHR) and the High Commissioner for Refugees (UNHCR). Vienna, Austria, meanwhile, is home to other U.N. offices, including the International Atomic Energy Agency (IAEA) and the Office on Drugs and Crime (UNODC).
“The attribution of any attack is very uncertain and fuzzy, but this was apparently a well-resourced attack,” Dujarric said. “The attack resulted in a compromise of core infrastructure components at both [Geneva] and [Vienna], and was determined to be serious.”
U.N. spokesman Dujarric’s admission came hours after The New Humanitarian exposed the 2019 cyber-attack at the U.N. The New Humanitarian reported that it had obtained a confidential U.N. report, dated September 20, 2019, which found that dozens of servers at the U.N. offices in Geneva and Vienna were illegally accessed starting in July 2019.
According to The New Humanitarian, key findings of the confidential U.N. report revealed that staff records and commercial contract data were compromised by the attackers. The U.N. confidential report also revealed that the cyber-attack could have been avoided with a simple patch or update to fix a software security vulnerability.
Security Vulnerability CVE-2019-0604
The Associated Press said that it also viewed the confidential U.N. report. Based on the report, the Associated Press said that the attackers initially gained access to the U.N. networks by exploiting a security vulnerability in Microsoft’s SharePoint software. This security vulnerability, designated CVE-2019-0604, was patched in February 2019, but the U.N. reportedly did not update its systems.
“A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package,” is how Microsoft describes CVE-2019-0604. “An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.”
On April 23, 2019, the Canadian Centre for Cyber Security issued an alert saying that it was aware of an ongoing campaign compromising several versions of Microsoft SharePoint Server in order to deploy the China Chopper web shell. The following versions of Microsoft SharePoint are known to be affected: Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2013 SP1, Microsoft SharePoint Server 2010 SP2 and Microsoft SharePoint Server 2019.
China Chopper is a publicly available web shell that was first discovered in 2012. “The China Chopper web shell is extensively used by hostile actors to remotely access compromised web-servers, where it provides file and directory management, along with access to a virtual terminal on the compromised device,” the Canadian Centre for Cyber Security said. “As China Chopper is just 4 Kb in size, and has an easily modifiable payload, detection and mitigation is difficult for network defenders.”
Analysis of the China Chopper web shell by researchers at FireEye found that it is flexible enough to run on both Windows and Linux. “This OS and application flexibility makes this an even more dangerous Web shell,” the FireEye researchers said.
In the case of the U.N. cyber-attack, however, neither The New Humanitarian nor the Associated Press mentioned whether the China Chopper web shell was deployed on the compromised servers.
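The alert quoted above explains why a 4 KB web shell is hard to detect; the script below is an added defender-side illustration of one way to hunt for such a file anyway, and is not code from the page or from any of the organisations it cites. It walks a web root and flags small server-side script files that contain a code-execution primitive, noting whether they were recently modified. The extensions, size ceiling and keyword list are assumptions for the example, and the sample files are constructed in a temporary directory.

```python
import re
import tempfile
import time
from pathlib import Path

# Assumptions for this example: server-side script extensions an IIS/SharePoint
# host would execute, a size ceiling a little above the ~4 KB the alert mentions,
# and a small set of code-execution primitives typical of one-line web shells.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".php", ".jsp"}
MAX_SIZE_BYTES = 8 * 1024
SUSPICIOUS = re.compile(
    r"\b(eval|Execute|exec|system|shell_exec|Runtime\.getRuntime)\s*\(", re.IGNORECASE
)


def scan_webroot(root, modified_within_days=30):
    """Return (relative path, size, reason) tuples for files worth a manual look."""
    cutoff = time.time() - modified_within_days * 86400
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        size = path.stat().st_size
        if size > MAX_SIZE_BYTES:
            continue  # tiny files only: a web shell stays small on purpose
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        if not SUSPICIOUS.search(text):
            continue
        reason = "exec primitive in small script"
        if path.stat().st_mtime >= cutoff:
            reason += ", recently modified"
        hits.append((str(path.relative_to(root)), size, reason))
    return hits


def build_sample_webroot():
    """Constructed sample tree: one benign page and one tiny suspicious script."""
    root = tempfile.mkdtemp(prefix="webroot_")
    layouts = Path(root, "_layouts", "15")
    layouts.mkdir(parents=True)
    (layouts / "default.aspx").write_text('<%@ Page Language="C#" %>\n<html><body>Hello</body></html>\n')
    # Synthetic fixture only: it triggers the detector but is not a working shell.
    (layouts / "x.aspx").write_text("<%@ Page %><% /* constructed fixture */ eval(payload) %>")
    return root


if __name__ == "__main__":
    for hit in scan_webroot(build_sample_webroot()):
        print(hit)
```

In production the same walk would be run against the real web root and its output compared with a known-good file inventory, since a small recently written script under a SharePoint layouts directory deserves a look regardless of its contents.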
Active Directory Compromise
“As part of the compromised infrastructure, lists of user accounts would have been exposed,” Dujarric told The New Humanitarian.
The Office of the High Commissioner for Human Rights (OHCHR), for its part, said in a statement, “The hackers did manage to access our Active User Directory, which contains the user IDs for our staff and devices.” The OHCHR added that the malicious actors did not succeed in accessing the passwords, which prevented them from gaining access to other parts of OHCHR’s IT system.
Active Directory is built into most Windows Server operating systems and has become the standard approach to managing Windows domain networks. Because Active Directory is what ties the different computers within a network together, it has become a prime target for attackers as well.
A senior U.N. IT official, meanwhile, told The New Humanitarian that approximately 400 GB of data was exfiltrated from the U.N. servers, and that part of the exfiltrated data was the “user lists”, a key component of the network; as the source put it, “once you’ve got privileged access, you’ve got into everything”. The New Humanitarian added that the confidential U.N. report on the cyber-attack found that some administrator accounts were breached.
Lack of Transparency
It is worth noting that the 2019 cyber-attack at the U.N. was only admitted by the organization a few hours after The New Humanitarian exposed it.
U.N. spokesman Dujarric told The New Humanitarian that the reason for the lack of transparency was that, because the “exact nature and scope of the incident could not be determined, [the UN offices in Geneva and Vienna] decided not to publicly disclose the breach.”
In a data breach, a lack of transparency can have negative results, as the individuals and organizations affected are not made aware of the situation and so cannot take measures to lessen the impact of the breach. In Canada, data breach reporting is mandatory under the federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
Steve E. Driz, I.S.P., ITCP