Security researchers successfully hacked the United Nations, accessing user credentials and personally identifiable information (PII)–including more than 100,000 private employee and project records—before informing the U.N. about the problem through the organization’s vulnerability disclosure program.
Ethical hackers from the research group Sakura Samurai used a vulnerability in a GitHub directory that exposed WordPress DB and GitHub credentials, allowing access to numerous private records from the U.N.’s Environment Program (UNEP).
Researchers Jackson Henry, Nick Sahler, John Jackson and Aubrey Cottle discovered the vulnerability after the team decided to take a crack at finding an entry for the U.N.’s Vulnerability Disclosure Program and Hall of Fame and eventually identified an endpoint that exposed the credentials, researchers wrote in a blog post.
“The credentials gave us the ability to download the Git repositories, identifying a ton of user credentials and PII,” they wrote. “In total, we identified over 100K+ private employee records. We also discovered multiple exposed .git directories on U.N.-owned web servers [ilo.org], the .git contents could then be exfiltrated with various tools such as ‘git-dumper’.”
Researchers were able to access a significant amount of sensitive U.N. information in their breach, including 102,000 travel records; more than 7,000 records of human resources nationality demographics; more than 1,000 generalized employee records; more than 4,000 project and funding-source records; and evaluation reports of 283 projects.
Data revealed in the records included the names, ID numbers, nationalities, genders, pay grades and a raft of other personal information pertaining to U.N. employees, as well as identification numbers, locations and financing amounts for various UNEP projects, as well as funding sources and other specific details.
In addition to accessing records through the Git-related flaw, researchers “on the lesser side of severity” took over an SQL Database and a Survey Management program belonging to the International Labor Organization (ILO). However, the vulnerabilities “were of little prominence” and the database and platform were “fairly abandoned in nature,” they wrote.
“Nonetheless, a database takeover and admin account takeover on a platform are still critical vulnerabilities,” researchers observed.
Accessing the SQL database also was significant in it was a gateway into the discovery of the GitHub credentials and eventual trove of records, researchers explained in their post. They began their exploration initially by performing subdomain enumeration of all of the domains in scope for the U.N.’s disclosure program, they said.
“During our research, we began to fuzz multiple endpoints with tooling and initially discovered that an ilo.org subdomain had an exposed .git contents,” they wrote. “Utilizing git-dumper [https[://]github[.]com/arthaud/git-dumper] we were able to dump the project folders hosted on the web application, resulting in the takeover of a MySQL database and of survey management platform due to exposed credentials within the code.”
After researchers took over the ILO MySQL database and subsequently performed account takeover on the survey management platform, they began to enumerate other domains/subdomains, they said.
“Eventually, we found a subdomain on the United Nations Environment Programme [sic] that allowed us to discover GitHub credentials after a bit of fuzzing,” researchers wrote.
Ultimately, once they discovered the GitHub credentials, researchers could download a lot of private password-protected GitHub projects and found within them multiple sets of database and application credentials for the UNEP production environment, they said.
“In total, we found seven additional credential-pairs which could have resulted in unauthorized access of multiple databases,” researchers wrote. At that point they decided to stop their work and report the vulnerability.
The U.N. is no stranger to intrusion by hackers, and not merely ethical ones. Last July, hackers breached the U.N. by exploiting a Microsoft SharePoint vulnerability in an apparent espionage operation, reportedly giving the attackers access to an estimated 400 GB of sensitive data. The hack was not disclosed until about six months later.
Then, almost a year ago to the date of the Sakura Samurai disclosure, the operators behind the Emotet malware targeted U.N. personnel in an attack aimed at delivering the TrickBot trojan.
Supply-Chain Security: A 10-Point Audit Webinar: Is your company’s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts – part of a limited-engagement and LIVE Threatpost webinar. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: Register Now and reserve a spot for this exclusive Threatpost Supply-Chain Security webinar – Jan. 20, 2 p.m. ET.