4/24/2020
05:25 PM

WHO Confirms Email Credentials Leak

Washington Post had identified the group as one among several whose passwords and emails were dumped online and abused.

The World Health Organization this week disclosed that some 450 active WHO email addresses and passwords were leaked online recently amid a big overall increase in cyberattacks directed at its staff.

WHO is one among several groups working to fight the COVID-19 pandemic that have reportedly had their email addresses and passwords dumped online in recent days by an unknown entity. The others allegedly include the Gates Foundation, the US Centers for Disease Control and Prevention (CDC) and the National Institutes of Health, according to the Washington Post, which cited a report from the SITE Intelligence Group.

Some 25,000 email credentials belonging to these groups have been leaked online in recent days and are being used by far-right extremists and hackers to spread conspiracy theories related to the pandemic, the Post said, citing SITE Intelligence.

WHO is the first among the organizations in the Post report to publicly admit that email addresses and passwords belonging to its staff have been publicly leaked. In a statement, however, the global body said the leaked data does not pose any risk to current WHO systems because the data is not recent. But it does affect an older extranet that is used by current and retired WHO staff and by partners, the global organization said Thursday. "WHO is now migrating affected systems to a more secure authentication system," the statement noted.

WHO did not disclose from where or how attackers might have obtained the email addresses and passwords. But they are most likely from earlier data breaches, according to Colin Bastable, CEO at Lucy Security. "The common 'covid' nature of the organizations targeted strongly suggests that they are old credentials that have been bundled to take advantage of the current virus crisis," Bastable said in emailed comments.

The email credential leak is part of a broader increase in attacks targeting or involving WHO since the beginning of the coronavirus pandemic. According to the world health body, the number of cyberattacks targeting it is now five times more than the number of attacks one year ago. Scammers impersonating WHO staffers are increasingly targeting the general public in campaigns designed to divert donations meant for the COVID-19 Solidarity Response Fund to fictitious accounts, WHO said.

Numerous security vendors have reported a massive increase in phishing and other scams by attackers trying to exploit the global concerns around the pandemic to steal credentials, plant malware, and cause other mayhem. In many cases, adversaries have established malware-laden fake domains designed to take advantage of people looking for information related to the pandemic.

The increase in malicious activity has been so dramatic, in fact, that three Democratic lawmakers earlier this month demanded to know what the major domain name registrars were doing to prevent scammers from registering fake domains with COVID-19 related themes.

In a letter to the CEOs of eight domain registrars, the lawmakers wanted to know what these organizations were doing to establish the legitimacy of people and entities trying to register domains with names related to the pandemic. They also wanted to know what measures domain registrars had for identifying and removing domains that were being used for malicious purposes.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
 

Comments
tdsan,
User Rank: Ninja
4/30/2020 | 12:13:58 PM
Wow, more breaches

https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html

Interesting article; it seems that there has been a history of email attacks that have taken place. One question I would ask is why are they still occurring and why are our defenses not working. From the link listed above, it indicates a number of breaches from high-powered companies and government organizations. I do think our security process is broken; we need to start hiring real hackers to help identify the real issues because what we are doing is not working.

101 Impressive Cybersecurity Statistics: 2020 Data & Market ...

My potential solutions to the problem:

-> Utilize IPv6 AES256 ESP/AH VPN Site-to-Site and VPN to site as part of the solution (identified 99% of the attacks are from IPv4)

-> MFA/2FA - TOTP works but they have stated that we need to improve that process, we need to add a secured token that is associated with a device that we utilize on a regular basis

-> There needs to be reminders to help address some of these issues or the OS just does it itself with an aspect of self healing built into the system (Kubernetes does a great job of this).

-> Utilize SELinux/AppArmor (this is a solution that acts as a sentinel to the OS)

-> Encrypt all traffic in flight and at rest, when it comes to DB traffic, the DB or OS should be intelligent enough to only send the data to the portal or application as opposed to outside the office (Zone 0), there should be some RBAC or Permissions in place that stop the user and notifies the Administrator (2 people should authorize/keys its use like they do with Nuclear facilities)  of what's happening (phone text and email)

-> Integrate Comodo as part of the Windows security solution (this blocks attacks)

-> Education is key but there needs to be test scenarios where people are tested at sporadic times

-> Block Countries from the firewall (PFSense, PaloAlto, Juniper)

-> Make the ISP accountable for bots and extraneous applications that are constantly pinging and checking outside connections, companies like Google, AWS and Microsoft need to be held accountable for sharing information that has been compromised by outside actors (give the public the choice instead of doing it automatically). ISPs can utilize Akamai to create a mesh over their existing network to block potential threats.

-> Add AI and centralize data-collection that is shared amongst firewall, Virus, IDS/IPS vendors, SIEM should be integrated into client/server environments (during the inception of the application, where they tie all of the systems together to create a form of DSNA - Data Security Network Architecture).

Todd

 

 
