Today, researchers have revealed a security vulnerability by exploiting which they could access more than 100,000 private worker records of United Nations Environmental Program (UNEP). 

The information breach originated from Git directories and credentials, which permitted the researchers to clone Git stores and gather a lot of actually recognizable data of personally identifiable information (PII) related to over 100k workers. 

Git Directory exposes WordPress DB and Git credentials

Ethical hacking and security research Company Sakura Samurai have now uncovered this vulnerability that lets them access the private information of more than 100,000 United Nations Environment Program (UNEP) representatives. 

The reports and screenshots Shared to give broad and detailed Information on the idea of this security vulnerability and all that is uncovered/exposed. 

Having gone over the United Nation’s Vulnerability Disclosure Program and InfoSec Hall of Fame, specialists Jackson Henry, Nick Sahler, John Jackson, and Aubrey Cottle of Sakura Samurai set out to chase for any security vulnerability affecting UN frameworks. 

They at that point ran over uncovered Git directories (.git) and Git credential files records (.git-certifications) on domains related to the UNEP and United Nation’s International Labor Organization (ILO). 

The analysts had the option to dump the substance of these Git records and clone whole storehouses from the *.ilo.org and *.unep.org areas utilizing git-dumper

The .git directory Content involves sensitive records, for example, WordPress configuration files and documents (wp-config.php) Exposes the admin’s information and database credentials.

Similarly, unique PHP documents exposed as a part of this information penetrate contained plaintext information database credentials related to other online frameworks of the UNEP and UN ILO. 

In addition, the publicly accessible .git-credentials files enabled the researchers to get their hands on UNEP’s source code base.

Exfiltrated data of over 100,000 employees

Using these credentials, researchers were able to exfiltrate the private information of over 100,000 employees from multiple UN systems.

The data set obtained by the group exposed travel history of UN staff, with each row containing: Employee ID, Names, Employee Groups, Travel Justification, Start and End Dates, Approval Status, Destination, and the Length of Stay.

Exposed UN employee travel history
UN employee travel history (100k+ records) exfiltrated by researchers
Source: Sakura Samurai

Likewise, other UN databases accessed by the researchers as a part of their analysis exposed HR demographic data (nationality, gender, pay grade) on thousands of employees, project funding source records, generalized employee records, and employment evaluation reports.

HR demographic data redacted
Redacted HR demographic data of 7,000+ UN employees
Source: Sakura Samurai 

In an email interviewthe group said:

“When we started researching the UN, we didn’t think it would escalate so quickly. Within hours, we already had sensitive data and had identified vulnerabilities. Overall, in less than 24 full hours we obtained all of this data,” Sakura Samurai told.

“In total, we found 7 additional credential-pairs which could have resulted in unauthorized access of multiple databases.

We decided to stop and report this vulnerability once we were able to access PII that was exposed via Database backups that were in the private projects,” state the researchers in their blog post.

Threat actors likely already accessed the data

The researchers shared a series of emails that showed they had originally reported the vulnerability to the UN privately on January 4th, 2021.

UN Office of Information and Communications Technology (OICT) initially acknowledged their report, but, without realizing the vulnerability concerned UNEP, responded:

“The reported vulnerability does not pertain to the United Nations Secretariat, and is for ILO (International Labour Organization),” according to the emails seen by Us, and something the UN is known to do in the past.

Eventually, consistent with these emails, Saiful Ridwan, Chief of Enterprise Solutions of UNEP thanked the researchers for their vulnerability report while stating that their DevOps team had taken immediate steps to patch the vulnerability which an impression assessment of this vulnerability was ongoing.

Further, during a follow-up email seen by Us, UNEP stated that a knowledge breach disclosure notice was within the works but that it had been “challenging as we’ve not done this before.”

Overall, the researchers told, United Nations was quick to patch this security issue within under every week.

“Honestly, I commend Saiful for the fast fixes. albeit he stated that this was fairly new him, they patched in record speed and secured the info .”

“At now, our only concern is informing the affected users. Particularly, Aubrey Cottle A.K.A. Kirtaner had noted that if it had been this easy to get the info, threat actors likely have already got the info .”

“The group was in agreement that the UNEP should analyze the trajectory of the exposed PII to work out what percentage threat actors, if any, have the info,” Sakura Samurai founder John Jackson told.

This is not the primary time UN systems have suffered a knowledge breach.

In 2019, the UN didn’t disclose a cyberattack that had severely compromised their networks and databases.

In 2020, a disclosure finally came out from the UN which pinned the blame for the hack a SharePoint vulnerability.

Priyanshu Vijayvargiya

Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.

Leave a Reply

Your email address will not be published. Required fields are marked *