1.888.900.DRIZ (3749)
The Driz Group
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

1/31/2020

0 Comments

Latest to Admit Cyber-Attack: The UN

 
UN Cyber Attack

Latest to Admit Cyber-Attack: The UN

The United Nations (U.N.) recently admitted that it was a victim of a cyber-attack. The admission came months after the cyber incident.

U.N. spokesman Stephane Dujarric told reporters in New York that U.N. offices in Geneva and Vienna were targeted by an “apparently well-resourced” cyber-attack in the middle of 2019. In Geneva, Switzerland, several U.N. offices are based, including the World Health Organization (WHO), World Trade Organization (WTO), Human Rights Council (UNHRC), Office of the High Commissioner for Human Rights (OHCHR), the High Commissioner for Refugees (UNHCR). Vienna, Austria, meanwhile, is home to other U.N. offices, including the International Atomic Energy Agency (IAEA) and the Office on Drugs and Crime (UNODC).

“The attribution of any attack is very uncertain and fuzzy, but this was apparently a well-resourced attack,” Dujarric said. “The attack resulted in a compromise of core infrastructure components at both [Geneva] and [Vienna], and was determined to be serious.”

The cyber-attack admission of U.N. spokesman Dujarric came hours after The New Humanitarian exposed the 2019 cyber-attack at the U.N. The New Humanitarian reported that it obtained a confidential U.N. report, dated September 20, 2019, which found that dozens of servers at the U.N. offices in Geneva and Vienna were illegally accessed starting in July 2019.

According to The New Humanitarian, key findings of the confidential U.N. report revealed that staff records and commercial contract data were compromised by the attackers. The U.N. confidential report also revealed that the cyber-attack could have been avoided with a simple patch or update to fix a software security vulnerability.

Security Vulnerability CVE-2019-0604

The Associated Press said that it also viewed the confidential U.N. report. Based on the report, the Associated Press said that the attackers initially gained access to the U.N. networks by exploiting the security vulnerability in Microsoft’s SharePoint software. This security vulnerability designated as CVE-2019-0604 was patched in February 2019 but the U.N. reportedly didn’t update its systems.

"A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package,” Microsoft describes the security vulnerability CVE-2019-0604. “An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.”

On April 23, 2019, the Canadian Centre for Cyber Security issued an alert, saying that it’s aware of an ongoing campaign compromising several versions of Microsoft SharePoint Server in order to deploy the China Chopper web shell. The following versions of Microsoft SharePoint are known to be affected: Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2013 SP1, Microsoft SharePoint Server 2010 SP2 and Microsoft SharePoint Server 2019.

China Chopper is a publicly available web shell that was first discovered in 2012. "The China Chopper web shell is extensively used by hostile actors to remotely access compromised web-servers, where it provides file and directory management, along with access to a virtual terminal on the compromised device,” the Canadian Centre for Cyber Security said. “As China Chopper is just 4 Kb in size, and has an easily modifiable payload, detection and mitigation is difficult for network defenders.”

Analysis of the China Chopper Web Shell by researchers at FireEye found that this web shell is flexible enough to run on both Windows and Linux. "This OS and application flexibility makes this an even more dangerous Web shell,” researchers at FireEye said.

In the case of the U.N. cyber-attack, however, it wasn’t mentioned by The New Humanitarian and the Associated Press whether the China Chopper Web Shell was deployed on the compromised servers.

Active Directory Compromise

“As part of the compromised infrastructure, lists of user accounts would have been exposed,” Dujarric told The New Humanitarian.

The Office of the High Commissioner for Human Rights (OHCHR), for its part, in a statement, said, “The hackers did manage to access our Active User Directory, which contains the user IDs for our staff and devices.” The OHCHR added that the malicious actors didn’t succeed in accessing the passwords, preventing them in gaining access to other parts of OHCHR’s IT system.

Active Directory is built into most Windows Server operating systems and has become the popular approach in managing Windows domain networks. As Active Directory is used in connecting different computers within a network, this has become a prime target of attackers as well.

A senior U.N. IT official, meanwhile, told The New Humanitarian that approximately 400 GB of data was exfiltrated from the U.N. servers and part of the exfiltrated data was the “user lists”, a key component to the network, which, the source said “once you’ve got privileged access, you’ve got into everything”. The New Humanitarian added that the U.N. confidential report about the cyber-attack found that some administrator accounts were breached.

Lack of Transparency

It’s worthy to note that the cyber-attack at the U.N. in 2019 was only admitted by the organization a few hours after The New Humanitarian exposed the said attack.

The UN spokesperson Dujarric told The New Humanitarian that the reason for the lack of transparency is that the “exact nature and scope of the incident could not be determined, [the UN offices in Geneva and Vienna] decided not to publicly disclose the breach.”

In a data breach, the lack of transparency could have negative results as individuals and organizations affected aren’t made aware of the situation, preventing them to seek measures to lessen the impact of the data breach. In Canada, data breach reporting is mandatory under the federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).

0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Archives

    January 2023
    December 2022
    June 2022
    May 2022
    February 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    October 2017
    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    March 2017
    February 2017
    January 2017
    December 2016
    October 2016
    August 2016
    May 2016
    March 2016
    January 2016
    November 2015
    October 2015
    August 2015
    June 2015

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    Artificial Intelligence
    ATP
    Awareness Training
    Botnet
    Bots
    Brute Force Attack
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Awareness
    Cyber Espionage
    Cybersecurity
    Cyber Security
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    DDoS
    Email Security
    Fraud
    GDPR
    Hacking
    IoT
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    SaaS Security
    Social Engineering
    Supply Chain Attack
    Supply-Chain Attack
    Third-Party Risk
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security
    Zero Trust

    RSS Feed

Picture

1.888.900.DRIZ (3749)

Managed Services

Picture
Web Application Security
​Virtual CISO
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
Privacy Policy | CASL

About us

Picture
Testimonials
​Meet the Team
​Subsidiaries
​Contact us
​Blog
​
Jobs

Resources & Tools

Picture
​Incident Management Playbook
Sophos authorized partner logo
Picture
© 2023 Driz Group Inc. All rights reserved.
Photo used under Creative Commons from GotCredit