According to a confidential report, dozens of servers were compromised in the cyberattack on the UN through a well-known vulnerability in SharePoint.
On Wednesday, January 29, UN officials reported that in the middle of last year, the organization’s offices in Geneva and Vienna underwent a “well-funded” cyberattack.
“It is still difficult to say who is behind the attack, but the attack itself was well organized and, obviously, funded. As a result, components of key infrastructure in Geneva and Vienna were compromised, and the attack itself was deemed serious”, Reuters quotes UN spokesman Stephane Dujarric as saying.
Several UN offices are located in Geneva, including the Human Rights Council, the Office of the High Commissioner for Human Rights, the Office of the High Commissioner for Refugees, the World Health Organization and the World Trade Organization. Vienna hosts the International Atomic Energy Agency and the Office for Drugs and Crime.
According to the Office of the High Commissioner for Human Rights, the servers compromised by the attackers did not contain any sensitive or confidential data. Hackers managed to break into the Active User Directory, where employee identification numbers were stored, but they could not steal passwords or gain access to other parts of the system.
Details of the attack are given in a confidential report, which was reviewed by well-known information security expert Kevin Beaumont.
Beaumont said that the vulnerability CVE-2019-0604 in the Microsoft SharePoint collaboration platform was the entry point for the cyberattack.
“SharePoint vulnerability CVE-2019-0604 from a year ago has been used to hack the UN. Three different UN agencies got owned, about 20 domain admin accounts accessed and implants on 40 servers”, Kevin Beaumont reported on Twitter.
The vulnerability allows arbitrary code execution in the context of a SharePoint application pool and a SharePoint server account. Microsoft released fixes for it in February, March, and April last year.
Security researcher Markus Wulftange, who discovered it in March 2019, published the first PoC exploit for the vulnerability, and exploits from other developers soon began to appear on the Web. In May 2019, information security experts recorded massive attacks on SharePoint servers.
Attacks on UN humanitarian organizations in Geneva and Vienna took place in mid-July, but were discovered only a month later. The management decided not to inform employees about the compromise of their data and only asked them to change their passwords. Only employees of IT departments and humanitarian leaders of the UN knew about the attack. The public became aware of the incident only this week.
Attackers entered the computer networks of UN organizations in Vienna through a vulnerable installation of SharePoint, and then, armed with administrator privileges and moving through the network, gained access to systems of organizations in Geneva.
Just the other day it was reported that the Ryuk ransomware attacked a US Department of Defense contractor. Overall, 2019 was a record year for the number of well-funded attacks by government hackers on companies and organizations around the world.