It has been reported that hackers breached the United Nations’ computer networks earlier this year and made off with a trove of data that could be used to target agencies within the intergovernmental organisation. The hackers’ method for gaining access to the UN network appears to be unsophisticated: They likely got in using the stolen username and password of a UN employee purchased off the dark web. The credentials belonged to an account on the UN’s proprietary project management software, called Umoja. From there, the hackers were able to gain deeper access to the UN’s network, according to cybersecurity firm Resecurity, which discovered the breach. The earliest known date the hackers obtained access to the UN’s systems was April 5, and they were still active on the network as of Aug. 7.
Commenting on this, Thomas Richards, principal security consultant at the Synopsys Software Integrity Group, said "Compromised credentials continue to be the most likely entry point into a target organisation’s network. To protect against such attacks, organisations should take proactive steps to enable multi-factor authentication on all externally accessible services and applications. Additionally, there are services that can be used to monitor dark-web sites for breach data including passwords, usernames, and email addresses that are relevant to the organisation. These two steps, if implemented, would have made the attack much more difficult to carry out. As a final precaution, organisations should configure their log monitoring and audit tools to alert on any suspicious logins including those outside of normal business hours or from IP addresses that have not been used by that user before."
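The final precaution Richards describes, alerting on logins outside business hours or from an IP address the user has never used, can be expressed as a small detection rule. The following is an added example, not code from the article, Synopsys or the UN; the log format, the business-hours window and all usernames, timestamps and addresses are constructed for illustration.

```python
# Added example: flag successful logins that are off-hours or from an IP the
# user has not used before. Log format, hours window and data are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log: ISO timestamp, user, source IP, result.
SAMPLE_LOG = """\
2021-03-01T09:12:04 alice 203.0.113.10 success
2021-03-02T10:47:31 alice 203.0.113.10 success
2021-03-15T14:03:55 alice 203.0.113.11 success
2021-04-05T02:31:17 alice 198.51.100.7 success
2021-04-06T11:20:00 bob 203.0.113.20 success
2021-04-06T23:45:12 bob 203.0.113.20 success
"""

BUSINESS_HOURS = range(8, 19)  # 08:00 to 18:59 local time (assumed window)


def parse_log(text):
    """Parse constructed log lines into (datetime, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ip, result = line.split()
            events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def find_suspicious_logins(events):
    """Return (timestamp, user, ip, reasons) for successful logins that are
    off-hours or from an IP not in the user's baseline. The baseline is built
    from earlier successful logins in the same stream; a user's very first
    login seeds the baseline and is not reported as a new IP."""
    seen_ips = defaultdict(set)
    alerts = []
    for ts, user, ip, result in sorted(events):
        if result != "success":
            continue  # failed attempts are not part of this rule
        reasons = []
        if seen_ips[user] and ip not in seen_ips[user]:
            reasons.append("new_ip")
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        if reasons:
            alerts.append((ts.isoformat(), user, ip, reasons))
        seen_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(parse_log(SAMPLE_LOG)):
        print(alert)
```

In practice the baseline would be kept outside the stream being checked so that an attacker's first login does not silently become part of it.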
Tim Erlin, VP of Strategy at Tripwire, added "Stolen credentials continue to be a significant problem and a primary means of gaining initial access to an organisation. While the best possible situation is to prevent initial access, it’s clear that organisations need to do more to detect the attackers' activities once they’ve gained an initial foothold. Monitoring systems for unauthorised changes is one way to identify suspicious activities that might fly under the radar of other tools. With the increase in ransomware lately, we’re getting used to attackers announcing themselves in order to ask for a ransom. In this case, the attackers wanted to remain undiscovered, and as a result, had access to the compromised systems for at least 5 months. If all it takes to authenticate into your organisation is a username and password, you’re at risk."
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, said "Organisations of all sizes and verticals are continually targeted, so all should take care; in particular, government and other international groups need to be extra vigilant. In many cases, relatively simple and known methods are used by criminals to break into organisations, be that taking advantage of weak passwords, unpatched software or social engineering. A culture of security is important to build so that, beyond the right technologies, the right procedures and awareness amongst employees are present to lower the likelihood an attack will be successful."
Paul Bischoff, privacy advocate at Comparitech, concluded "The fact that a high-value target like the UN wasn't using two-factor authentication is very worrying, as it could have easily prevented the attack. 2FA would have required the hacker to enter a one-time password sent to the account holder's authenticator app, phone number, or email (preferably the first one). The report suggests that Umoja moved to Microsoft Azure infrastructure and now supports multi-factor authentication. I sure hope the UN implements it, because cybersecurity experts have strongly recommended 2FA for many years to prevent credential abuse. Even better, they could use physical security keys or even biometric authentication to replace passwords altogether."