Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/24/2020
05:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

WHO Confirms Email Credentials Leak

Washington Post had identified the group as one among several whose passwords and emails were dumped online and abused.

The World Health Organization this week disclosed that some 450 active WHO email addresses and passwords were leaked online recently amid a big overall increase in cyberattacks directed at its staff.

WHO is one among several groups working to fight the COVID-19 pandemic that have reportedly had their email addresses and passwords dumped online in recent days by an unknown entity. The others allegedly include the Gates Foundation, the US Centers for Disease Control and Prevention (CDC) and the National Institutes of Health, according to the Washington Post, which cited a report from the SITE Intelligence Group.

Some 25,000 email credentials belonging to these groups have been leaked online in recent days and are being used by far-right extremists and hackers to spread conspiracy theories related to the pandemic, the Post said, citing SITE Intelligence.

WHO is the first among the organizations in the Post report to publicly admit that email addresses and passwords belonging to its staff have been publicly leaked. In a statement, however, the global body said the leaked data does not pose any risk to current WHO systems because the data is not recent. But it does affect an older extranet that is used by current and retired WHO staff and by partners, the global organization said Thursday. "WHO is now migrating affected systems to a more secure authentication system," the statement noted.

WHO did not disclose from where or how attackers might have obtained the email addresses and passwords. But they are most likely from earlier data breaches, according to Colin Bastable, CEO at Lucy Security. "The common 'covid' nature of the organizations targeted strongly suggests that they are old credentials that have been bundled to take advantage of the current virus crisis," Bastable said in emailed comments.

The email credential leak is part of a broader increase in attacks targeting or involving WHO since the beginning of the coronavirus pandemic. According to the world health body, the number of cyberattacks targeting it is now five times more than the number of attacks one year ago. Scammers impersonating WHO staffers are increasingly targeting the general public in campaigns designed to divert donations meant for the COVID-19 Solidarity Response Fund to fictitious accounts, WHO said.

Numerous security vendors have reported a massive increase in phishing and other scams by attackers trying to exploit the global concerns around the pandemic to steal credentials, plant malware, and cause other mayhem. In many cases, adversaries have established malware-laden fake domains designed to take advantage of people looking for information related to the pandemic.

The increase in malicious activity has been so dramatic, in fact, that three Democratic lawmakers earlier this month demanded to know what the major domain name registrars were doing to prevent scammers from registering fake domains with COVID-19 related themes.

In a letter to the CEOs of eight domain registrars, the lawmakers wanted to know what these organizations were doing to establish the legitimacy of people and entities trying to register domains with names related to the pandemic. They also wanted to know what measures domain registrars had for identifying and removing domains that were being used for malicious purposes.

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
4/30/2020 | 12:13:58 PM
Wow, more breaches

https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html

Interesting article, it seems that there has been a history of email attacks that have taken place. One question I would ask is why are they still occurring and why are our defenses not working. From line listed ablvoe, it indicates a number of breaches from high-powered companies and government organizations. I do think our security process is broken, we need to start hiring real hackers to help identify the real-issues because what we are doing is not working.

101 Impressive Cybersecurity Statistics: 2020 Data & Market ...

My potential solutions ot the problem:

-> Utilize IPv6 AES256 ESP/AH VPN Site-to-Site and VPN to site as part of the solution (identified 99% of the attacks are from IPv4)

-> MFA/2FA - TOTP works but they have stated that we need to improve that process, we need to add a secured token that is associated with a device that we utilize on a regular basis

-> There needs to be reminders to help address some of these issues or the OS just does it itself with an aspect of self healing built into the system (Kubernetes does a great job of this).

-> Utilize SELinux/Apparmor (this is a solution that acts a sentinel to the OS)

-> Encrypt all traffic in flight and at rest, when it comes to DB traffic, the DB or OS should be intelligent enough to only send the data to the portal or application as opposed to outside the office (Zone 0), there should be some RBAC or Permissions in place that stop the user and notifies the Administrator (2 people should authorize/keys its use like they do with Nuclear facilities)  of what's happening (phone text and email)

-> Integrate Comodo as part of the Windows security solution (this blocks attacks)

-> Education is key but there needs to be test scenarios where people are tested at sporadic times

-> Block Countries from the firewall (PFSense, PaloAlto, Juniper)

-> Make the ISP accountable for bots and extraneous applications that are constantly pinging and checking outside connections, companies like Google, AWS and Microsoft need to be held accountable for sharing information that has been compromised by outside actors (give the public the choice instead of doing it automatically). ISP's can utilize Akamai to create a mesh over their existing network to block potential threats.

-> Add AI and centralize data-collection that is shared amongst firewall, Virus, IDS/IPS vendors, SIEM should be integrated into client/server environments (during the inception of the application, where they tie all of the systems together to create a form of DSNA - Data Security Network Architecture).

Todd

 

 

COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4035
PUBLISHED: 2020-06-03
In WatermelonDB (NPM package "@nozbe/watermelondb") before versions 0.15.1 and 0.16.2, a maliciously crafted record ID can exploit a SQL Injection vulnerability in iOS adapter implementation and cause the app to delete all or selected records from the database, generally causing the app to...
CVE-2020-13783
PUBLISHED: 2020-06-03
D-Link DIR-865L Ax 1.20B01 Beta devices have Cleartext Storage of Sensitive Information.
CVE-2020-13784
PUBLISHED: 2020-06-03
D-Link DIR-865L Ax 1.20B01 Beta devices have a predictable seed in a Pseudo-Random Number Generator.
CVE-2020-13785
PUBLISHED: 2020-06-03
D-Link DIR-865L Ax 1.20B01 Beta devices have Inadequate Encryption Strength.
CVE-2020-13786
PUBLISHED: 2020-06-03
D-Link DIR-865L Ax 1.20B01 Beta devices allow CSRF.