Vulnerable Database Exposed UN Employees' DataResearchers Identified Flaw in GitHub Repository for UN Environment Program
A vulnerability in a GitHub repository belonging to the United Nations Environment Program exposed over 100,000 employee records, including personally identifiable information, contact details and other sensitive data, according to a group of independent security researchers.
UNEP is responsible for coordinating the U.N.'s environmental activities. Sakura Samurai, a new group of ethical hackers, notes in its report the vulnerabilities stemmed from an endpoint that exposed the GitHub repository's credentials.
"The credentials gave us the ability to download the GitHub repositories, identifying a ton of user credentials and [personally identifiable information]. In total, we identified over [100,000] private employee records," says John Jackson, one of the security researchers in the group.
The analysis also revealed that there were multiple .Git directories on the U.N.-owned web servers called ilo.org.
"The .Git contents could then be exfiltrated with various tools such as 'git-dumper,'" Jackson writes in the report.
After the researchers notified the U.N. about their discovery, the international organization resolved the vulnerability and the GitHub repositories are no longer accessible, Sakura Samurai reports.
A U.N. spokesperson tells Information Security Media Group: "Upon notification of the breach on Jan. 4, the vulnerability was addressed within 12 hours. The breached data includes over 100,000 lines of information, including HR and travel details dating from 2015 to 2018. UNEP is not aware of additional unauthorized access to the information nor any misuse of the data. The dataset does not contain information that could be used to attack any other U.N. data or IT systems."
The researchers also note that, although there is no evidence a threat actor accessed the data, it would have been relatively easy to do so.
The researchers began their operation by taking over a MySQL database and a survey management platform belonging to the U.N.'s International Labor Organization. The group then analyzed the domains in the MySQL database to find UNEP's subdomain, which led them to GitHub credentials.
"Ultimately, once we discovered the GitHub credentials, we were able to download a lot of private password-protected GitHub projects, and within the projects, we found multiple sets of database and application credentials for the UNEP production environment," Jackson notes.
The exposed data included more than 102,000 records of U.N. employees, including workers' identification numbers, names and other sensitive data. Also accessible were more than 7,000 employee nationality records, over 1,000 general employee records, project and funding data and evaluation records of UNEP projects, the report says.
The researchers also note they were able to find credentials for more U.N. GitHub repositories that could have resulted in more unauthorized access to multiple U.N. databases.
"We decided to stop and report this vulnerability once we were able to access [personally identifiable information] that was exposed via database backups that were in the private projects," Jackson writes.
The employee data exposed in the GitHub repository could pose significant cyberthreats for the United Nations.
"The primary concern over the employee data leaked is the usefulness in performing highly targeted, follow-up social engineering attacks, both on the employees themselves as well as any business partners they interact with," says Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel.
"The administrative credentials disclosed would have likely been enough to compromise both the vulnerable application as well as other applications that share the same infrastructure or reused the same passwords. An attacker with such access could insert malware into the production applications in an attempt to infect users."
Javvad Malik, security awareness advocate at security firm KnowBe4, says attackers could have used the exposed data.
"Gaining access to potentially sensitive information of employees can be used to leverage attacks against the organization, their colleagues or the individuals themselves via phishing, password resets or identity theft," Malik says.
With the onset of COVID-19, attackers have been spoofing the U.N. and other agencies as part of their campaigns leveraging pandemic themes.
In February, security firms Kaspersky and Sophos reported that hackers were using domains designed to look like the U.S. Centers for Disease Control and Prevention and the U.N.’s World Health Organization for phishing campaigns (see: More Phishing Campaigns Tied to Coronavirus Fears).
In May, "hack-for-hire" groups operating in India spoofed World Health Organization emails to steal credentials from employees at financial services, consulting and healthcare firms around the world, according to Google's Threat Analysis Group (see: WHO Reports 'Dramatic' Increase in Cyberattacks).
Editor's Note: This article was updated to include a statement from the U.N.