Blog - Rencore

UN SharePoint Hack. Should I worry?

Written by Liam Cleary | Feb 19, 2020 2:00:54 PM

I assume by now that you are aware of the United Nations (U.N.) hack. The attackers are estimated to have retrieved 400 GB of sensitive data. The interesting problem with this attack is that the details are still very vague, and to make it worse, the U.N. tried to hide the fact it ever happened.

Stéphane Dujarric, the spokesperson for the UN Secretary-General, stated:

“Attempts to attack the UN IT infrastructure happen often. The attribution of any IT attack remains very fuzzy and uncertain. So, we are not able to pinpoint any specific potential attacker, but it was, from all accounts, a well‑resourced attack.“

However, Ben Parker, who is with the Thew New Humanitarian, said:

“Although it is unclear what documents and data the hackers obtained in the 2019 incident, the report… implies that internal documents, databases, emails, commercial information, and personal data may have been available to the intruders – sensitive data that could have far-reaching repercussions for staff, individuals, and organizations communicating with and doing business with the U.N.“

The hackers targeted a total of 42 servers, compromising the Active Directory domains of U.N. offices in Geneva and Vienna. These locations employ around 4,000 staff; however, Geneva was the hardest hit, with 33 servers compromised.

The breach itself stemmed from a flaw within Microsoft SharePoint Server. It was a well-known vulnerability already identified as “CVE-2019-0604.” This vulnerability affects SharePoint Server 2010, 2013, 2016, and 2019. The good news, however, is that patches are available and have been for a LONG time.

SharePoint Foundation 2010 SP2

https://support.microsoft.com/en-us/help/4461630/description-of-the-security-update-for-sharepoint-foundation-2010-febr

SharePoint Server 2010 SP2

https://support.microsoft.com/en-us/help/4462184/description-of-the-security-update-for-sharepoint-server-2010-march-12

https://support.microsoft.com/en-us/help/4461630/description-of-the-security-update-for-sharepoint-foundation-2010-febr

SharePoint Server 2013 SP1

https://support.microsoft.com/en-us/help/4462202/description-of-the-security-update-for-sharepoint-enterprise-server

https://support.microsoft.com/en-us/help/4462143/description-of-the-security-update-for-sharepoint-foundation-2013

SharePoint Enterprise Server 2016

https://support.microsoft.com/en-us/help/4462211/description-of-the-security-update-for-sharepoint-enterprise-server

SharePoint Server 2019

https://support.microsoft.com/en-us/help/4462199/description-of-the-security-update-for-sharepoint-server-2019-march-12

The breach itself came after the U.N. completed an audit back in 2018. The security audit identified many problems with their systems. The review identified 200+ servers running obsolete or unsupported technology such as Windows Server 2000. The most interesting observation from the audit is the fact that the organization had shifted to self-certification for website and web application security, leaving it up to individual offices to confirm that they had applied updates to web-based systems.

If you look at the dates of the released patches for SharePoint Server, you can see these are from February and March of 2019. To learn a little more about this attack, I wrote a blog post for Rencore last year that talks about this type of attack: Critical Vulnerabilities within SharePoint Server

What is the lesson learned?

Patch, Patch, and Patch!! That is it. There is no excuse, in reality, to not patch servers with Security updates. Of course, first, read the details of the update and then determine when to patch.

If you are running Office 365, or planning to move to the cloud, and would like to brush up on your security protocols, check out this free Whitepaper by Jethro Seghers on how to improve security utilizing Office 365 Secure Score.

This blog post was originally posted on Liam’s blog