United Nations Compromised

Large and small, NGOs to multinationals - similar issues are seen across them all. The United Nations (UN) being no exception. Unpatched servers, overworked staff and undervalued security management, and a continually expanding attack surface create an ever-present, growing risk to all organizations.

2021

The United Nations Office of Information and Communications technology has a Vulnerability Disclosure Program. A Security Research Group made up of independent security experts - Sakura Samurai - was running tests and was able to find 100K+ Employee Records of the United Nations Environmental Programme (UNEP). A misconfigured Apache webserver exposed files linked to a Github Account. These files exposed credentials, and with a little more digging and scanning, the group discovered a subdomain containing credentials for a UN Github account which included 10 more private repositories. These Github repositories were databases, backups, and files with personal information. Full write up by John J Hacking here

2019

According to a confidential UN report discovered by The New Humanitarian, a sophisticated APT attack against the United Nations (UN) began in July 2019 when Hackers broke into dozens of UN servers. The incident remained unreported until The New Humanitarian commenced an investigation in November 2019.

According to the report, the entry point was an unpatched SharePoint Server. The patch had been available for months, cited at CVE-2019-0604.The vulnerability was exploited by the attackers to bypass logins and issue system-level commands. Starting in Vienna and gaining admin access, moved through the UN's networks across to the Geneva HQ followed by the OHCHR.

2007

The attack on the UN Asia Pacific website is believed to originate from the same group responsible for attacks on the US-based Biotechnology Information Organization and the prominent Indian Syndicate Bank.

Attackers found the victim sites by scanning servers and pouncing on the found vulnerabilities. The compromised servers were then used to serve up malicious code to build a botnet.

The financially-motivated incursions, launched from the same remote location, infected a server common to all three websites and downloaded a Trojan to visitor computers via drive-by attacks.

A keylogger and a Trojan were downloaded to visitor computers, flagged by an online scanner as positive to multiple Microsoft vulnerabilities, via hidden Java iFrames which is an old trick to refer visitors to a compromised server.

The Trojan maintains a backdoor, allowing attackers to monitor and hijack user machines to steal valuable user data, and turn the computer into a zombie as part of a botnet horde.

At the time of the attack, Websense Australia and New Zealand country manager, Joel Camissar, said such attacks exploit remote servers with weak security and typically target common brand names to maximise exposure. "...The groups will target ISPs which don't have sufficient security, common brands of servers, and servers in locations without tight controls or law enforcement."

Conclusion

Everyone is a target. Know your attack surface.