I assume by now that you are aware of the United Nations (U.N.) hack. The attackers are estimated to have retrieved 400 GB of sensitive data. The interesting problem with this attack is that the details are still very vague, and to make it worse, the U.N. tried to hide the fact it ever happened.
Stéphane Dujarric, the spokesperson for the UN Secretary-General, stated, “Attempts to attack the UN IT infrastructure happen often. The attribution of any IT attack remains very fuzzy and uncertain. So, we are not able to pinpoint any specific potential attacker, but it was, from all accounts, a well-resourced attack.”
However, Ben Parker, who is with The New Humanitarian, said, “Although it is unclear what documents and data the hackers obtained in the 2019 incident, the report… implies that internal documents, databases, emails, commercial information, and personal data may have been available to the intruders – sensitive data that could have far-reaching repercussions for staff, individuals, and organizations communicating with and doing business with the U.N.”
The hackers targeted a total of 42 servers, compromising the Active Directory domains of U.N. offices in Geneva and Vienna. These locations employ around 4,000 staff; however, Geneva was the hardest hit, with 33 servers compromised.
The initial foothold came through a flaw in Microsoft SharePoint Server: CVE-2019-0604, a well-known, already-patched remote code execution vulnerability. SharePoint failed to check the source markup of an application package, so an attacker who could reach a vulnerable server could run arbitrary code in the context of the SharePoint application pool and the farm account, which is exactly the kind of access you need to go after Active Directory afterwards. The vulnerability affects SharePoint Server 2010, 2013, 2016, and 2019. The good news is that fixes were available long before the breach, for every affected edition:
SharePoint Foundation 2010 SP2
SharePoint Server 2010 SP2
SharePoint Server 2013 SP1
SharePoint Enterprise Server 2016
SharePoint Server 2019
The breach also came after a security audit the U.N. completed in 2018, which identified many problems with its systems. The review found 200+ servers running obsolete or unsupported technology, such as Windows Server 2000. The most telling finding is that the organization had shifted to self-certification for website and web application security, leaving it up to individual offices to confirm that they had applied updates to web-based systems; nobody centrally verified that the patches were actually installed.
If you look at the release dates of the SharePoint Server patches for this CVE, you will see they date from February and March of 2019, months before the intrusion. To learn a little more about this attack, I wrote a blog post for Rencore last year that talks about this type of attack.
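The audit finding above is the real lesson: an office saying "we applied the update" is not the same as someone checking. As an added example (not code from the original post, from Rencore, or from the U.N.), here is a PowerShell check that reports what a SharePoint server actually has installed and compares it with the build number from the security update's KB article. Everything version-specific is a parameter: the minimum patched build for your edition comes from Microsoft's KB for CVE-2019-0604 (the fix shipped in both February and March 2019, so take the later release's number), and the sample version numbers used when no SharePoint is present are constructed placeholders, not real patch levels.

```powershell
<#
Added example, not from the original post. Central patch-level check for a
SharePoint server: read the installed build from the farm configuration
database and from the binaries on disk, then compare against the minimum
patched build taken from the KB for the relevant security update.

Assumptions (not from the page):
- $MinimumPatchedBuild is the build / file version Microsoft lists in the
  CVE-2019-0604 KB for your edition. It is deliberately a parameter, because
  it differs per edition and per release (February vs. March 2019).
- The values 16.0.4000.1000 and 16.0.5000.1000 below are constructed
  placeholders so the script runs end to end on a machine without SharePoint.
#>

function Test-SPBuildPatched {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [version] $InstalledBuild,
        [Parameter(Mandatory)] [version] $MinimumPatchedBuild
    )
    # Compare as [version], never as strings: as text, "16.0.999.1" sorts
    # above "16.0.4000.1000" and a stale server would look patched.
    return ($InstalledBuild -ge $MinimumPatchedBuild)
}

function Get-SPInstalledBuilds {
    # Collects every independent indicator of the installed build we can read.
    $result = [ordered]@{}

    # 1. Farm build from the configuration database (needs the SharePoint snap-in).
    if (Get-Command Add-PSSnapin -ErrorAction SilentlyContinue) {
        Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    }
    if (Get-Command Get-SPFarm -ErrorAction SilentlyContinue) {
        $result['FarmConfigDb'] = [version](Get-SPFarm).BuildVersion
    }

    # 2. File version of Microsoft.SharePoint.dll in each hive
    #    (14 = 2010, 15 = 2013, 16 = 2016/2019). The binaries change as soon as
    #    the package is installed, while the farm build only moves after the
    #    configuration wizard runs, so reporting both exposes half-done patching.
    foreach ($hive in 14, 15, 16) {
        $dll = Join-Path $env:CommonProgramFiles "microsoft shared\Web Server Extensions\$hive\ISAPI\Microsoft.SharePoint.dll"
        if (Test-Path $dll) {
            $result["Hive$hive.SharePointDll"] = [version](Get-Item $dll).VersionInfo.FileVersion
        }
    }

    if ($result.Count -eq 0) {
        # No SharePoint on this machine: constructed sample so the report still
        # runs (e.g. on an admin workstation); not a real patch level.
        $result['ConstructedSample'] = [version]'16.0.4000.1000'
    }
    return $result
}

function Get-SPPatchReport {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [version] $MinimumPatchedBuild)

    $builds = Get-SPInstalledBuilds
    foreach ($entry in $builds.GetEnumerator()) {
        [pscustomobject]@{
            Server  = $env:COMPUTERNAME
            Source  = $entry.Key
            Build   = $entry.Value
            Minimum = $MinimumPatchedBuild
            Patched = Test-SPBuildPatched -InstalledBuild $entry.Value -MinimumPatchedBuild $MinimumPatchedBuild
        }
    }
}

# Usage: replace the placeholder with the build from the KB for your edition.
# With the constructed sample above this prints Patched = False, which is the
# answer self-certification would have hidden.
Get-SPPatchReport -MinimumPatchedBuild '16.0.5000.1000' | Format-Table -AutoSize
```

Run it from a SharePoint Management Shell on each server (or through remoting from a central host) and collect the objects rather than trusting a checkbox. If the farm build and the DLL version disagree, the package was installed but the SharePoint Products Configuration Wizard has not been run; Central Administration's "Check product and patch installation status" page shows the same per-server picture and is the authoritative place to confirm it.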
What is the lesson learned?
Patch, Patch, and Patch!! That is it. There is no real excuse for leaving servers without security updates. Of course, read the details of the update first and then decide when to patch, but decide, and schedule it. For SharePoint specifically, installing the package is only half the job: run the configuration wizard afterwards so the farm is actually brought to the patched build, and have someone other than the office that installed it verify the result.