Thursday, September 23, 2021

Researchers disclosed a security vulnerability in UNEP that affects 100k staff records


Today, researchers revealed a security vulnerability that let them access more than 100,000 private employee records of the United Nations Environment Program (UNEP).

The data breach originated from exposed Git directories and credentials, which allowed the researchers to clone Git repositories and collect a large amount of personally identifiable information (PII) relating to over 100k employees.

Git directory exposes WordPress DB and Git credentials

Ethical hacking and security research company Sakura Samurai uncovered this vulnerability, which let them access the private information of more than 100,000 United Nations Environment Program (UNEP) staff.

The reports and screenshots shared give broad and detailed information on the nature of this security vulnerability and everything that was exposed.

Having gone through the United Nations' Vulnerability Disclosure Program and InfoSec Hall of Fame, researchers Jackson Henry, Nick Sahler, John Jackson, and Aubrey Cottle of Sakura Samurai set out to hunt for any security vulnerability affecting UN systems.

They then came across exposed Git directories (.git) and Git credential files (.git-credentials) on domains belonging to the UNEP and the United Nations' International Labour Organization (ILO).

The researchers were able to dump the contents of these Git files and clone entire repositories from the * and * domains using git-dumper.

The contents of the .git directory included sensitive files such as WordPress configuration files (wp-config.php), which expose the admin's information and database credentials.

Similarly, other PHP files exposed as part of this data breach contained plaintext database credentials for other online systems of the UNEP and UN ILO.

In addition, the publicly accessible .git-credentials files let the researchers get their hands on UNEP's source code base.
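A defender-side audit of a web document root for the two artefacts described above, a served .git directory and a .git-credentials file, plus the database settings in wp-config.php. This is an added example, not Sakura Samurai's tooling or any UN code; the file contents in demo() are constructed, and secrets are redacted rather than reported.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit

# Added example: walk a document root and report what each artefact would leak
# if the web server served it raw. Hypothetical helper, not the researchers' tool.
WP_DEFINE = re.compile(r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")

def parse_git_credentials(text):
    """Return (username, host) pairs from a .git-credentials file; the secret is dropped."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            url = urlsplit(line)          # format is https://user:secret@host
            if url.username and url.hostname:
                pairs.append((url.username, url.hostname))
    return pairs

def wp_config_db_settings(text):
    """Return the DB_* constants defined in wp-config.php, with the password redacted."""
    return {name: ("<redacted>" if name == "DB_PASSWORD" else value)
            for name, value in WP_DEFINE.findall(text)}

def audit_webroot(root):
    """List findings under root; a .git directory is reported but not descended into."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if ".git" in dirnames:
            findings.append({"issue": "git_directory_in_webroot",
                             "path": os.path.join(dirpath, ".git")})
            dirnames.remove(".git")
        for name in filenames:
            if name not in (".git-credentials", "wp-config.php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                content = fh.read()
            if name == ".git-credentials":
                for user, host in parse_git_credentials(content):
                    findings.append({"issue": "plaintext_git_credential", "path": path,
                                     "account": f"{user}@{host}"})
            else:
                findings.append({"issue": "db_credentials_in_wp_config", "path": path,
                                 "settings": wp_config_db_settings(content)})
    return findings

def demo():
    """Build a constructed webroot containing both artefacts and return the findings."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, ".git"))
    with open(os.path.join(root, ".git-credentials"), "w") as fh:
        fh.write("https://deploy:EXAMPLE_TOKEN@git.example.org\n")          # constructed
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php\ndefine('DB_USER', 'wp');\ndefine('DB_PASSWORD', 'EXAMPLE');\n")
    return audit_webroot(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A matching web server rule that denies requests for /.git and dotfiles is the fix; this script only tells you whether such a rule is needed.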

Exfiltrated data of over 100,000 employees

Using these credentials, researchers were able to exfiltrate the private information of over 100,000 employees from multiple UN systems.

The data set obtained by the group exposed travel history of UN staff, with each row containing: Employee ID, Names, Employee Groups, Travel Justification, Start and End Dates, Approval Status, Destination, and the Length of Stay.

Exposed UN employee travel history
UN employee travel history (100k+ records) exfiltrated by researchers
Source: Sakura Samurai

Likewise, other UN databases accessed by the researchers as a part of their analysis exposed HR demographic data (nationality, gender, pay grade) on thousands of employees, project funding source records, generalized employee records, and employment evaluation reports.

HR demographic data redacted
Redacted HR demographic data of 7,000+ UN employees
Source: Sakura Samurai 

In an email interview the group said:

“When we started researching the UN, we didn’t think it would escalate so quickly. Within hours, we already had sensitive data and had identified vulnerabilities. Overall, in less than 24 full hours we obtained all of this data,” Sakura Samurai said.

“In total, we found 7 additional credential-pairs which could have resulted in unauthorized access of multiple databases.

We decided to stop and report this vulnerability once we were able to access PII that was exposed via Database backups that were in the private projects,” the researchers state in their blog post.

Threat actors likely already accessed the data

The researchers shared a series of emails that showed they had originally reported the vulnerability to the UN privately on January 4th, 2021.

The UN Office of Information and Communications Technology (OICT) initially acknowledged their report but, without realizing the vulnerability concerned UNEP, responded:

“The reported vulnerability does not pertain to the United Nations Secretariat, and is for ILO (International Labour Organization),” according to the emails seen by us, something the UN has been known to do in the past.

Eventually, according to these emails, Saiful Ridwan, Chief of Enterprise Solutions at UNEP, thanked the researchers for their vulnerability report, stating that their DevOps team had taken immediate steps to patch the vulnerability while an impact assessment of it was ongoing.

Further, in a follow-up email seen by us, UNEP stated that a data breach disclosure notice was in the works but that it had been “challenging as we’ve not done this before.”

Overall, the researchers said, the United Nations was quick to patch this security issue, in under a week.

“Honestly, I commend Saiful for the fast fixes. Although he stated that this was fairly new to him, they patched in record speed and secured the info.”

“At this point, our only concern is informing the affected users. Particularly, Aubrey Cottle, a.k.a. Kirtaner, had noted that if it had been this easy to get the info, threat actors likely already have the info.”

“The group was in agreement that the UNEP should analyze the trajectory of the exposed PII to work out how many threat actors, if any, have the info,” Sakura Samurai founder John Jackson said.

This is not the first time UN systems have suffered a data breach.

In 2019, the UN didn’t disclose a cyberattack that had severely compromised their networks and databases.

In 2020, a disclosure finally came out from the UN which pinned the blame for the hack on a SharePoint vulnerability.

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.
