Researchers from the Sakura Samurai team revealed on January 11 a vulnerability which allowed them to access more than 100,000 United Nations Environment Programme (UNEP) staff records in less than 24 hours. The exposure stemmed from publicly accessible Git directories and Git credential files, which allowed the researchers to clone Git repositories and collect large amounts of personally identifiable information (PII) about UN staff.
After enrolling in the United Nations Vulnerability Disclosure Program and Information Security Hall of Fame, researchers Jackson Henry, Nick Sahler, John Jackson and Aubrey Cottle of Sakura Samurai began looking for security bugs affecting UN systems. They located exposed Git directories (.git) and Git credential files (.git-credentials) on domains belonging to UNEP and the International Labour Organization (ILO). Using git-dumper, the researchers were able to dump the contents of these exposed .git directories and clone entire repositories from *.ilo.org and *.unep.org hosts.
The exposed .git directories contained sensitive files, such as WordPress configuration files (wp-config.php) holding database administrator credentials. Likewise, various PHP files exposed in the same way contained plaintext database credentials for other UNEP and ILO web systems. Publicly accessible .git-credentials files, which store credentials in plaintext in the form https://user:password@host, additionally gave the researchers access to further UNEP source code.
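The two misconfigurations described above are easy to check for on one's own hosts. The following is an added example, not code from the original article or from Sakura Samurai or git-dumper: it probes a site for a real .git/HEAD and .git/config (filtering out "soft 404" pages that return 200 with an HTML body), and parses an exposed .git-credentials file in git's plaintext store format while deliberately discarding the passwords so that the report never re-exposes them. The host names and server responses are constructed for illustration, and the fetch function is injectable so the check runs offline.

```python
"""Check a web host for an exposed .git directory or .git-credentials file.

Added example; the sample site below is constructed, not a real target.
"""
import re
import urllib.request
from urllib.parse import urlparse

# A genuine .git/HEAD is either a symbolic ref or a bare SHA-1/SHA-256.
GIT_HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64})\s*$")


def looks_like_git_head(body: str) -> bool:
    """True if the response body is a real .git/HEAD rather than an error page."""
    return bool(GIT_HEAD_RE.match(body.strip()))


def looks_like_git_config(body: str) -> bool:
    """True if the body has the markers every git repository config carries."""
    return "[core]" in body and "repositoryformatversion" in body


def parse_git_credentials(body: str) -> list:
    """Parse git's plaintext credential store (one https://user:pass@host per line).

    Returns (host, username) pairs; the password is dropped on purpose so a
    scan report does not itself become a credential leak.
    """
    found = []
    for line in body.splitlines():
        line = line.strip()
        if not line or "://" not in line:
            continue
        parsed = urlparse(line)
        if parsed.username and parsed.password:
            found.append((parsed.hostname, parsed.username))
    return found


def default_fetch(url: str, timeout: float = 5.0) -> tuple:
    """GET a URL and return (status, body); any network error becomes (0, '')."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except Exception:
        return 0, ""


def check_host(base_url: str, fetch=default_fetch) -> dict:
    """Probe one site for the two exposures; `fetch` is injectable for offline use."""
    base = base_url.rstrip("/")
    findings = {"git_exposed": False, "credentials": []}

    status, body = fetch(base + "/.git/HEAD")
    if status == 200 and looks_like_git_head(body):
        findings["git_exposed"] = True

    status, body = fetch(base + "/.git/config")
    if status == 200 and looks_like_git_config(body):
        findings["git_exposed"] = True

    status, body = fetch(base + "/.git-credentials")
    if status == 200:
        findings["credentials"] = parse_git_credentials(body)
    return findings


# Constructed responses standing in for a misconfigured web server (hypothetical host).
SAMPLE_SITE = {
    "/.git/HEAD": (200, "ref: refs/heads/master\n"),
    "/.git/config": (200, "[core]\n\trepositoryformatversion = 0\n\tbare = false\n"),
    "/.git-credentials": (200, "https://deploy:s3cret@git.example.org\n"),
}


def sample_fetch(url: str, timeout: float = 5.0) -> tuple:
    """Offline stand-in for default_fetch that serves SAMPLE_SITE."""
    return SAMPLE_SITE.get(urlparse(url).path, (404, "<html>Not Found</html>"))


def soft404_fetch(url: str, timeout: float = 5.0) -> tuple:
    """A server that answers 200 with an HTML page for every path (must not trip the check)."""
    return 200, "<html><body>Page not found</body></html>"


if __name__ == "__main__":
    print(check_host("https://www.example.org", fetch=sample_fetch))
    print(check_host("https://www.example.org", fetch=soft404_fetch))
```

When run against a real host, replace `sample_fetch` with the default fetcher. If `git_exposed` comes back true, the fix on the server side is to deny the whole `.git` path (and `.git-credentials`) at the web server or to deploy from a build artifact that never contains the repository metadata; rotating every credential found in the history is also required, since `git-dumper` can recover deleted files from old commits.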
In total, the data the researchers were able to access comprised more than 100,000 records of UN staff. Using the recovered credentials, they retrieved these records from multiple UN systems.
The data set obtained by the group included UN staff travel histories, each row containing: employee ID, names, staff groups, trip justification, start and end dates, approval status, destination and length of stay. Similarly, other UN databases accessed by the researchers exposed human resources data (nationality, gender, salary) of thousands of employees, records of project funding sources, general employee records, and job evaluation reports.
Researchers at Sakura Samurai told BleepingComputer about the project: "When we started researching the UN, we did not think it would develop so quickly. Within a few hours, we had already acquired sensitive data and identified vulnerabilities. In total, in less than 24 full hours we received all this data. In total, we found 7 additional pairs of credentials that could have led to unauthorized access to multiple databases. We decided to stop and report this vulnerability as soon as we could access PII that was exposed through backups of databases in private projects."
Saiful Ridwan, Chief of Enterprise Solutions at UNEP, thanked the researchers for reporting the vulnerability, saying that the DevOps team had taken immediate steps to remediate it and that an assessment of its impact was under way. The researchers told BleepingComputer that the United Nations had acted quickly to mitigate the vulnerability, and that their only remaining concern was whether those affected would be notified. In particular, Aubrey Cottle, also known as Kirtaner, noted that if the data was this easy to obtain, cybercriminals had probably already obtained it.
This is not the first time UN systems have been compromised; the organization is a frequent target of cybercriminals. Hundreds of gigabytes of internal data were stolen in 2019, possibly including highly sensitive information about human rights activists, a fact that only became public in 2020. The organization appeared to have relied on its diplomatic immunity to keep the incident quiet.
This time, however, the UN is believed to have quickly fixed these vulnerabilities and secured the exposed data.