A hacker managed to upload PDF files in sites known organisms, including World Health Organization (WHO) and UNESCO.
The attack was first reported by Cyberwarzone.com. He takes advantage of some vulnerabilities, which could have been used for more serious attacks, but in this case the incident was not very complicated and fortunately the impact was small.
The PDF files were uploaded by one hacker using the name online m1gh7yh4ck3r. In recent days, the hacker has uploaded files in official sites of UNESCO, the WHO, the Georgia Tech Institute and a Cuban government site.
Georgia Tech and the WHO immediately removed the PDF files uploaded by hacker, which does not apply to the sites of UNESCO and the Government of Cuba.
Representatives of UNESCO told SecurityWeek that they will launch an investigation into the incident.
The PDF files uploaded by hacker are related to online game breaches and account breaches Facebook and Instagram. The files explain how the violations can be done and contain links that are supposed to lead to hacking services and tools. But in reality, lead them users on scammy sites.
Some VirusTotal antivirus programs have detected that some of these PDF files contained trojans.
We do not yet know how the hacker was able to upload the files to the sites of the WHO, UNESCO, etc., but it was probably not a complicated technique. The domains to which the files were uploaded allow users to upload content. The hacker can also took advantage vulnerabilities related to uploading files or bypassing authentication. Especially in the case of UNESCO, access to the login page is easy.
The good thing is that this attack had no serious consequences. This does not mean, however, that more dangerous incidents cannot occur. Being able to upload content to official sites of organizations such as the WHO and UNESCO can be very dangerous. Government hacking groups can take advantage of this to upload content to their advantage. Government hackers often target or "use" such organizations.
For example, since the beginning of the pandemic, state hackers with financial incentives, have sent thousands of malicious emails pretending to be the WHO. A vulnerability like the one exploited by m1gh7yh4ck3r could be particularly useful to them.
Georgia Tech told SecurityWeek that it has identified the source of the problem. The vulnerability has to do with a form on an old site that uses it Drupal CMS and the corresponding Webform module, which by default allows users to upload files to folders that are publicly accessible.
"Downloads that occurred on the chhs server [on the affected GA Tech server] are an example of an attack on incorrectly configured sites. This type of website spam is a bit unusual as well it is not based on weak credentials, nor on outdated software. It is based, on the contrary, on specific configurations of CMS and related modules (OWASP top 10 category "Security Misconfiguration"). For this reason, this type of attack is not easily detected by most existing scanners. We tried to tackle the problem through training and monitoring", Explained a representative of Georgia Tech.
UNESCO also uses Drupal and Webform. So even in this case, the hacker could have uploaded the files this way.
The specific attack By uploading files to WHO and UNESCO sites, it seems to be part of a larger campaign launched this summer, targeting government and university sites.