UN didn’t patch SharePoint, got mega-hacked, covered it up, kept most staff in the dark, finally forced to admit it, accident waiting to happen

The United Nations’ European headquarters in Geneva and Vienna were hacked last summer, putting thousands of staff records at miscreants’ fingertips. Incredibly, the organization decided to cover it up without informing those affected nor the public.

[…]

A senior IT official dubbed the attack a “major meltdown,” in which personnel records – as well as contract data covering thousands of individuals and organizations – was accessed. The hackers were able to get into user-management systems and past firewalls; eventually compromising over 40 servers, with the vast majority at the European headquarters in Geneva.

But despite the size and extent of the hack, the UN decided to keep it secret. Only IT teams and the heads of the stations in question were informed.

[…]

Employees whose data was within reach of the hackers were told only that they needed to change their password and were not informed that their personal details had been compromised. That decision not to disclose any details stems from a “cover-up culture” the anonymous IT official who leaked the internal report told the publication.

The report notes it has been unable to calculate the extent of damage but one techie – it’s not clear it is the same one that leaked the report – estimated that 400GB had been pulled from United Nations servers.

Most worrying is the fact the UN Office of the High Commissioner for Human Rights (OHCHR) was one of those compromised. The OHCHR deals with highly sensitive information from people who put their lives at risk to uncover human rights abuses.

Making matters worse, IT specialists had warned the UN for years that it was at risk from hacking. An audit in 2012 identified an “unacceptable level of risk,” and resulted in a restructure that consolidated servers, websites, and typical services like email, and then outsourced them to commercial providers at a cost of $1.7bn.

But internal warnings about lax security continued, and an official audit in 2018 was full of red flags. “The performance management framework had not been implemented,” it stated, adding that there were “policy gaps in areas of emerging concern, such as the outsourcing of ICT services, end-user device usage, information-sharing, open data and the reuse and safe disposal of decommissioned ICT equipment.”

There were lengthy delays in security projects, and, internally, departments were ignoring compliance efforts. The audit “noted with concern” that 28 of the 37 internal groups hadn’t responded at all and that over the nearly 1,500 websites and web apps identified only a single one had carried out a security assessment.

The audit also found that less than half of the 38,105 staff had done a compulsory course in basic IT security that had been designed to help reduce overall security risks. In short, this was an accident waiting to happen, especially given the UN’s high-profile status.

As to the miscreants’ entry point, it was a known flaw in Microsoft SharePoint (CVE-2019-0604) for which a software patch had been available for months yet the UN had failed to apply it.

The hole can be exploited by a remote attacker to bypass logins and issue system-level commands – in other words, a big problem from a security standpoint. The hackers broke into a vulnerable SharePoint deployment in Vienna and then, with admin access, moved within the organization’s networks to access the Geneva headquarters and then the OHCHR.

[…]

Source: UN didn’t patch SharePoint, got mega-hacked, covered it up, kept most staff in the dark, finally forced to admit it • The Register