Security researchers revealed today that it took them just hours to access over 100,000 personal records and credentials belonging to United Nations employees.
A team from Sakura Samurai had decided to look for bugs to report to the UN under its vulnerability disclosure program, first probing multiple endpoints that were in scope.
It initially found an exposed subdomain belonging to the International Labour Organization (ILO), a UN body, according to Sakura Samurai founder John Jackson. This gave the team access to Git credentials, which they used to take over a legacy MySQL database and a survey management platform. The credentials were pulled from the exposed Git repository with the git-dumper tool.
Although these assets contained “hardly anything of use,” the researchers then discovered an exposed subdomain related to the United Nations Environment Programme (UNEP), which was a much bigger privacy risk. The domain was also leaking Git credentials.
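The entry point in both cases was a web server that served its own `.git` directory, which is what git-dumper reconstructs. The following self-audit script is an added example, not code from the article or from Sakura Samurai: it requests only the two small marker files (`.git/HEAD` and `.git/config`) on hosts you administer, classifies the response so that an HTML 404 page is not mistaken for a hit, and reports exposure without downloading or reconstructing anything. The URL paths, the user-agent string and the sample bodies in the demo are assumptions made for the example.

```python
"""Self-audit: does this web host serve its .git directory?"""
import re
import sys
import urllib.error
import urllib.request
from typing import Optional

# A real .git/HEAD is either a symbolic ref ("ref: refs/heads/main")
# or, when detached, a bare 40-hex commit id.
_HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})\s*$")
# A real .git/config opens with a [core] section.
_CONFIG_RE = re.compile(r"^\s*\[core\]", re.MULTILINE)


def looks_like_git_head(body: str) -> bool:
    """True only for a genuine HEAD file, not for a custom 404 page."""
    return bool(_HEAD_RE.match(body.strip()))


def looks_like_git_config(body: str) -> bool:
    return "<html" not in body.lower() and bool(_CONFIG_RE.search(body))


def _fetch(url: str, timeout: float = 5.0) -> Optional[str]:
    """Fetch at most 4 KiB of a URL; None on any network or HTTP error."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read(4096).decode("utf-8", "replace")
    except (urllib.error.URLError, ValueError, OSError):
        return None


def audit(base_url: str) -> dict:
    """Check one host; only the marker files are requested, never objects."""
    base = base_url.rstrip("/")
    head = _fetch(base + "/.git/HEAD")
    config = _fetch(base + "/.git/config")
    head_exposed = head is not None and looks_like_git_head(head)
    config_exposed = config is not None and looks_like_git_config(config)
    return {"url": base, "head_exposed": head_exposed,
            "config_exposed": config_exposed,
            "exposed": head_exposed or config_exposed}


if __name__ == "__main__":
    for target in sys.argv[1:]:  # e.g. https://www.example.org (placeholder)
        result = audit(target)
        print(("EXPOSED  " if result["exposed"] else "ok       ") + result["url"])
```

A hit means the whole history is reachable, so rotate every secret that was ever committed, not just the current ones, in addition to blocking the path at the web server.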
“Ultimately, once we discovered the GitHub credentials, we were able to download a lot of private password-protected GitHub projects and within the projects we found multiple sets of database and application credentials for the UNEP production environment,” Jackson explained.
“In total, we found seven additional credential pairs which could have resulted in unauthorized access of multiple databases. We decided to stop and report this vulnerability once we were able to access PII that was exposed via database backups that were in the private projects.”
In total, the team discovered over 100,000 employee records including names, ID numbers, gender, pay grade, records of travel details, work sub-areas and departments, evaluation reports and funding source records.
The UN is a frequent target for nation state attackers and its cybersecurity has often been found wanting in the past.
A year ago it emerged that hundreds of gigabytes of internal data, potentially including highly sensitive information on human rights activists, had been stolen in 2019 by attackers.
Controversially, the organization itself appeared to use its diplomatic immunity to keep the incident a secret.
Fortunately, this time around the UN is believed to have quickly patched the vulnerabilities in question and secured the exposed data.