The United Nations Suffers a Data Breach, Exposing 100,000 Employee Details

TL;DR

Security researchers found a vulnerability in United Nations systems that let them access the personal records of over 100,000 employees of the United Nations Environmental Programme (UNEP). The breach stemmed from an exposed Git directory and credentials: the repository could be cloned externally and large amounts of information extracted with little effort.

The UN responded to the reports and took drastic steps to secure the system. Nevertheless, it is possible that cybercriminals were also able to gain access to UN employees

Key Facts
  1. The researchers found an exposed subdomain of the International Labour Organization (ILO), which allowed them to access Git credentials.
  2. The personal information exfiltrated from United Nations systems consisted of the travel histories of 100,000 employees.
  3. The vulnerability was reported to the ICT department on January 4th, 2021, and the department thanked the researchers for the job well done.
  4. The .git directory contained sensitive files that exposed the administrator’s database credentials.
  5. The United Nations took the security threat seriously and patched the issue within a week.

Details

Security researchers discovered a vulnerability in United Nations systems that let them access the details of 100,000 employees. The research group is called Sakura Samurai, and the members behind the discovery include Jackson Henry, Nick Sahler, John Jackson, and Aubrey Cottle.

The work was done under the Vulnerability Program organized by the UN, which invites researchers to study its systems and report any loopholes and vulnerabilities. While doing so, the group came across exposed git directories and credential files on domains associated with the International Labour Organization and UNEP. The group dumped the files it discovered and cloned the entire git repository using git-dumper. The researchers found a Git credential file on one of the UN domains, which gave them access to the whole Git repository and then to the database credentials stored in the WordPress configuration file “wp-config.php”.

wp-config.php file found in the exposed git directory. (Image source: https://johnjhacking.com/blog/unep-breach/)

Some of the PHP files discovered in the breach contained plaintext database credentials that are associated with outer online systems of both the UNEP and UN ILO. Also, the publicly accessible .git-credentials files gave the researchers access to UNEP's source codebase.
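
A pre-deployment check for the exposure described above, as an added example that is not from the original article or from the researchers: it walks a web document root you control and flags a `.git` directory, a `.git-credentials` file, and PHP files containing a literal `DB_PASSWORD`. The function names, the two regexes and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# WordPress-style constant set to a non-empty literal password.
DB_PASSWORD_RE = re.compile(r"define\(\s*['\"]DB_PASSWORD['\"]\s*,\s*['\"][^'\"]+['\"]")
# https://user:secret@host lines, as written by git's "store" credential helper.
GIT_CRED_RE = re.compile(r"^https?://[^/\s:@]+:[^/\s@]+@\S+", re.M)


def audit_webroot(root):
    """Return sorted (relative_path, reason) findings under a document root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if ".git" in dirnames:
            dirnames.remove(".git")  # flag once; do not walk the object store
            findings.append((os.path.relpath(os.path.join(dirpath, ".git"), root),
                             "git metadata directory inside web root"))
        for name in filenames:
            if name != ".git-credentials" and not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            text = Path(path).read_text(encoding="utf-8", errors="replace")
            rel = os.path.relpath(path, root)
            if name == ".git-credentials" and GIT_CRED_RE.search(text):
                findings.append((rel, "stored git credentials"))
            elif DB_PASSWORD_RE.search(text):
                findings.append((rel, "plaintext database password"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample web root; every value in it is a placeholder."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        ".git/config": "[core]\n\tbare = false\n",
        ".git-credentials": "https://deploy-user:EXAMPLE-TOKEN@git.example.org\n",
        "site/wp-config.php": "<?php define('DB_PASSWORD', 'EXAMPLE-ONLY');\n",
        "site/index.php": "<?php echo 'hello';\n",
    }
    for rel, body in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    print(audit_webroot(build_sample_tree()))
```

Run against a release directory in CI, a non-empty result is a reason to fail the build before the files reach a public server.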

Ultimately, the research group was able to access the travel history of UN staff: employee IDs, names, groups, travel details, dates, destination, length of stay, and other related details. As the group went further in its research, it also came across demographic data, nationality, gender, payroll data on many employees, and even project funding records, employment evaluation details, and other related information. Sakura Samurai, the research group, reported the issue to the UN as follows:

“Ultimately, once we discovered the GitHub credentials, we were able to download a lot of private password-protected GitHub projects and within the projects, we found multiple sets of database and application credentials for the UNEP production environment. In total, we found 7 additional credential-pairs which could have resulted in unauthorized access of multiple databases. We decided to stop and report this vulnerability once we were able to access PII that was exposed via Database backups that were in the private projects”.

Fortunately, the UN responded to the reports and took drastic steps to secure the system. Nevertheless, it is possible that cybercriminals were also able to gain access to UN employees, but at least the system's security is being double-checked to prevent wrongful access in real time. The UN does, however, have concerns about how it will break the news to the users whose information has been exposed.

Ultimately, once we discovered the GitHub credentials, we were able to download a lot of private password-protected GitHub projects and within the projects we found multiple sets of database and application credentials for the UNEP production environment. In total, we found 7 additional credential-pairs which could have resulted in unauthorized access of multiple databases. We decided to stop and report this vulnerability once we were able to access PII that was exposed via Database backups that were in the private projects.
John Jackson, Founder, Sakura Samurai (https://johnjhacking.com/blog/unep-breach/)
