Hackers pay $1,000 for account passwords on the dark web to carry out cyber attacks on the UN

Hackers reportedly bought the username and password for a UN employee's stolen project management software Umoja on the dark web for $1,000 and collected valuable information between April and August of this year.

A report revealed by Bloomberg over the weekend revealed that the attackers' goal was not to compromise the system or demand a ransom, but to collect vital information about government and humanitarian work. Stéphane Dujarric, a spokesman for the UN secretary-general, confirmed the report and said the attack took place in April.

The attack was discovered before we were notified by the companies mentioned in the Bloomberg article and corrective measures were taken to mitigate the impact of the breach," Dujarric said in a statement posted on the UN website. The United Nations is often the target of cyber attacks, including ongoing attack campaigns. We can also confirm that further attacks have been identified and are being responded to that are related to the previous vulnerability."

According to Bloomberg, the intrusion does not appear to be sophisticated, with the hackers gaining access using the usernames and passwords of stolen UN employees purchased from the dark web. These credentials belonged to an account on the UN management software Umoja, from where the attackers were able to gain deeper access to the network. The hackers reportedly first gained access to the system on 5 April and were still active on the network as of 7 August.

Mark Arena, chief executive of security intelligence firm Intel471, said, "Since the beginning of 2021, we have seen multiple financially motivated cybercriminals selling access to the Umoja system run by the United Nations." He noted that the passwords used in the attack were sold on the dark web by Russians, who sold usernames and passwords for dozens of different organisations at the same time, for as little as $1,000 each.

As previously noted, the UN and its agencies have been the target of cyber attacks before, and in 2019, Forbes magazine reported that the UN's core infrastructure had been compromised in a cyber attack that exploited vulnerabilities in the Microsoft SharePoint platform, information that was officially confirmed only a few months later. Earlier this year, it was reported that a vulnerability in the system, which allowed access to more than 100,000 employee records of the United Nations Environment Programme (UNEP), was discovered and patched before any damage could be done.

Mike Newman, CEO of My1Login, said: "This cyber attack on the UN shows just how valuable stolen credentials can be to criminals, giving them access to important and often confidential information. Criminals can gather valuable information from the UN over a period of more than five months."

Newman said, "This should be a stark warning to all organisations - passwords remain a key entry point for criminals to carry out cyber attacks. To reduce the risk posed by passwords, organisations need to move to passwordless authentication - a solution that reduces the need for large numbers of passwords in the first place, while also reducing the responsibility of employees and allowing organisations to re-secure their work."

Steve Forbes, government cyber security expert at Nominet, said the leak of UN data was worrying not only because of its potential to be used for future cyber attacks, but also because it highlights the ongoing blind spots organisations may have in using third-party software in the following situations.

The fact that attackers were able to use stolen UN credentials to break into software solutions underlines the importance of getting cyber security right at the highest level," Forbes said. Organisations need to have a complete and comprehensive overview of the third-party software they use and that they are configured to the same level of security as their own internal systems. Identity access management should cover their entire asset, not just their own network, but also all their third-party SaaS software, so they can be confident that any data stored in these applications is safe and secure. They should also regularly assess the type of data stored in these applications and its risk of being compromised."