In the spring and summer of 2021, hackers stealthily entered the United Nation’s (UN) proprietary project management software, Umoja, accessing the network and stealing critical data to be used in further attacks. “The stolen data from the UN’s network could be used to target agencies within the UN, and already potentially has” according to Stéphane Dujarric, spokesperson for the UN Secretary-General and detailed in this report.
It’s not the UN’s first breach, in January 2020, the operators behind the notorious Emotet malware took aim at the UN through a phishing campaign with the intent of stealing credentials and deliver the TrickBot trojan. That breach ultimately was traced to a Microsoft SharePoint flaw which resulted in 400 GB worth of sensitive data being stolen.
Opportunities for Improvement at the UN
Lack of Two-Factor Authentication
The stolen credentials in the latest attack belonged to an account on the UN’s exclusive project management software, Umoja. The user of the account had not enabled Two-Factor Authentication (2FA), the gold standard for authentication, allowing hackers to use their credentials to access the software and move deeper into the network.
Poor Password Hygiene
Hackers will sometimes ‘Brute Force‘, an account to break in. This is where hacker software attempts millions of different username and password combinations to break into targeted accounts; which may have been the root cause of this UN breach. Brute Force attacks would take hackers years to successfully break into an account that follows CyberHoot’s and NIST 2017 password standards of having unique 14+ character passwords for each account you use. It’s likely the user account breached had weak password hygiene, allowing the hacker to breach their account. There’s no mention of whether the UN leverages a Password Manager, which is critical for strong password hygiene and a staple recommendation from CyberHoot for all businesses to adopt.
The report mentioned that the hackers were inside their systems for a number of months (April-August), which allowed the hacker to move laterally through their systems. The lateral movement on systems within the UN might have been reduced or prevented by following the Principle of Least Privilege. This principle may have prevented this hack with a single UN User’s credentials from installing additional hacking software enabling them to move laterally within the UN’s network. It’s also easily conceivable, that once in, the hacker could find other failure points to exploit and this principle of least privilege might only have slowed down the hacker’s progress. Either way, CyberHoot likes the idea of slowing hackers down and making their lives difficult.
How Can Your Organization Learn from this Event?
First, adopt a Password Manager (LastPass, 1Password) to store your passwords and passphrases. It’s essential that you adopt NIST 2017 Standards (unique, non-expiring, 14+ character password/passphrase) for all your accounts. Using an outdated 9+ character password leaves you at significant risk of compromise, similar to the user at the UN.
Second, it’s also crucial that you have Two-Factor Authentication (2FA) enabled on all possible accounts. If the hacker somehow gets past your username and password, you’ll have your 2FA set up to send a code to your phone via text or authenticator app (LastPass, Google, Microsoft). While hackers can brute force passwords they can’t access your cellphone (not easily anyway) to gain the second factor required for authentication ultimately protecting your accounts using it from compromise.
Third, limit users’ access to and use of administrative privileges. Require all users to operate their desktop environments without admin privileges. Removing admin access from end users can prevent malicious websites from installing software with admin privileges, users from installing potentially dangerous or buggy software, and keeps systems operating more smoothly and effectively.
Fourth, only allows users to access data needed in their daily duties. If the UN followed the Principle of Least Privilege, it may have prevented some of the data involved in this breach from being stolen. When least privilege controls are in place, only a small number of high-level users (C-level executives, Partners, etc.) have access to most of the data in an organization. This significantly reduces the attack surface for hackers to steal data from.
Additional SMB PROTECTIONS
In addition to adopting the three measures above, CyberHoot recommends the following best practices to protect individuals and businesses against, and limit damages from, online cyber attacks:
- Train employees to spot and avoid email-based phishing attacks
- Test that employees can spot and avoid phishing emails
- Backup data using the 3-2-1 method
- Perform a risk assessment every two to three years
- Ensure your patch management solution is working effectively (in the earlier breach at the UN, a Microsoft Sharepoint server was exploited while a patch was available)
- Hire a professional virtual Chief Information Security Officer (vCISO) to advise, guide, and build out your cybersecurity program at a fraction of the cost of hiring a full-time cybersecurity employee.