A team of white-hat hackers recently unearthed the personal details of over 100,000 United Nations Environment Programme (UNEP) workers after finding multiple exposed .git directories on UN-owned web servers and, through them, credentials to private Git repositories.
Members of a cyber-security research team named Sakura Samurai recently learned that the United Nations ran a Vulnerability Disclosure Programme and, having decided to take up the challenge, unearthed the personal records of UNEP employees along with the credentials exposed through multiple .git directories on UN-owned web servers.
It all started when the researchers found an endpoint that exposed credentials for Git repositories containing UN employees' personal data together with further credentials. Those credentials enabled the researchers to download and view detailed travel records of UNEP employees, including employee IDs, names, employee groups, start and end dates of travel plans, lengths of stay, destinations, and approval status.
They were also able to download and view further employee details such as nationality, gender, pay grade, Organisation Work Unit Identification Numbers, Organisation Unit Text Tags, specific work departments, email addresses, and evaluation reports.
In a blog post, the researchers also stated that they had been able to take over a SQL database and a survey management platform belonging to the International Labour Organisation (ILO), but attached little importance to that finding, as both the database and the platform were no longer in use and held very little of real value.
However, after taking over the ILO's MySQL databases and the survey management platform, the researchers stumbled upon a subdomain of the United Nations Environment Programme that allowed them to discover GitHub credentials.
“Once we discovered the GitHub credentials, we were able to download a lot of private password-protected GitHub projects and within the projects we found multiple sets of database and application credentials for the UNEP production environment.
“In total, we found 7 additional credential-pairs which could have resulted in unauthorized access of multiple databases. We decided to stop and report this vulnerability once we were able to access PII that was exposed via Database backups that were in the private projects,” they added.
According to Bleeping Computer, which first reported the UNEP breach, Saiful Ridwan, chief of Enterprise Solutions at UNEP, acknowledged Sakura Samurai's vulnerability disclosure, and the vulnerability that led to the exposure of the Git credentials was patched within a week of the disclosure being made.
Commenting on the exposure of the credentials of Git repositories maintained by UNEP, Paul Bischoff, privacy advocate at Comparitech.com, said that exposing credentials in public GitHub repositories is a common developer oversight and that cybercriminals routinely scan GitHub for exposed credentials to steal.
“It’s very likely that cybercriminals accessed the UNEP data before researchers. Developers need to scan their code for credentials before committing it to GitHub. For additional security, they can avoid creating an access key for the root user, use temporary security credentials instead of long-term access keys, properly configure IAM users, rotate keys periodically, and remove unused keys.
“UN staff should be on the lookout for targeted phishing and scam messages from fraudsters posing as UNEP employees or administrators. Always verify the sender of an email or other message before responding. Never click on links or attachments in unsolicited emails and messages,” he added.
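The two practical checks this story implies, written here as an added example that is neither Sakura Samurai's tooling nor UNEP code: first, whether a web server serves its .git directory, and what the `url =` lines of an exposed `.git/config` give away, which is the kind of Git credential leak described above; second, the pre-commit credential scan Bischoff recommends. Everything below is Python, all sample inputs are constructed, and the secret patterns are an assumed, minimal set (the documented AWS `AKIA` and GitHub `ghp_` prefixes, URLs with embedded userinfo, and a deliberately broad password/token assignment heuristic), not an exhaustive detector.

```python
"""Two checks implied by the UNEP story: does a web server expose .git, and are
credentials about to be committed?  Added example, not the researchers' tooling
or UNEP code.  All sample inputs are constructed."""
import re
import subprocess
import sys
from urllib.error import URLError
from urllib.parse import urlsplit
from urllib.request import urlopen

# Assumed, minimal pattern set: documented AWS/GitHub token prefixes, URLs with
# embedded userinfo, and a broad key=value heuristic that will over-match
# (the right trade-off for a hook that blocks a commit).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "credential_assignment": re.compile(
        r"\b(password|passwd|secret|api[_-]?key|token)['\"]?\s*[:=]\s*['\"]?([^\s'\"]{6,})",
        re.I),
    "url_with_userinfo": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/@]+@\S+", re.I),
}

# Constructed .git/config of the kind an exposed .git directory hands out.
SAMPLE_GIT_CONFIG = """[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://deploy-bot:ghp_0123456789abcdefghijklmnopqrstuvwxyz@github.com/example-org/travel-portal.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
"""

# Constructed settings file with the kind of leak a pre-commit scan should block.
SAMPLE_SETTINGS = """# settings.py (constructed)
DATABASES = {"default": {"HOST": "db.internal", "USER": "app", "PASSWORD": "Sup3rS3cret!"}}
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DEBUG = False
"""


def redact(secret):
    """Keep enough of a match to locate it, never enough to reuse it."""
    return secret[:4] + "*" * (len(secret) - 4) if len(secret) > 4 else "****"


def find_secrets(text):
    """Return (line_number, kind, redacted_match) for every pattern hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((lineno, kind, redact(m.group(0))))
    return findings


def looks_like_git_head(body):
    """A real .git/HEAD is 'ref: refs/heads/<branch>' or a bare 40-hex commit id.
    Checking the body matters because many servers answer unknown paths with
    an HTML page and HTTP 200, which would otherwise read as 'exposed'."""
    body = body.strip()
    return body.startswith("ref: refs/") or re.fullmatch(r"[0-9a-f]{40}", body) is not None


def remote_credentials(git_config):
    """Parse the url= lines of a .git/config and return
    (url_without_secret, username, password) for each remote embedding credentials."""
    found = []
    for line in git_config.splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip() != "url":
            continue
        parts = urlsplit(value.strip())
        if parts.username:
            host = parts.hostname + (f":{parts.port}" if parts.port else "")
            found.append((parts._replace(netloc=host).geturl(), parts.username, parts.password))
    return found


def check_exposure(base_url, timeout=5):
    """Fetch <base_url>/.git/HEAD and validate the body.  Network call: run it
    only against hosts you are authorised to test."""
    try:
        with urlopen(base_url.rstrip("/") + "/.git/HEAD", timeout=timeout) as resp:
            return looks_like_git_head(resp.read(512).decode("utf-8", "replace"))
    except (URLError, ValueError):
        return False


def staged_files():
    """Paths staged for commit (added, copied, modified); this is the pre-commit input."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         capture_output=True, text=True, check=True).stdout
    return [p for p in out.splitlines() if p]


def scan_files(paths):
    """Run find_secrets over each readable file; returns (path, line, kind, snippet)."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
        except OSError:
            continue
        findings.extend((path, n, kind, snippet) for n, kind, snippet in find_secrets(text))
    return findings


if __name__ == "__main__":
    # "python check.py https://host" tests for an exposed .git;
    # with no argument it acts as a pre-commit hook and fails on any finding.
    if len(sys.argv) > 1:
        print("exposed .git:", check_exposure(sys.argv[1]))
        sys.exit(0)
    hits = scan_files(staged_files())
    for path, n, kind, snippet in hits:
        print(f"{path}:{n}: {kind}: {snippet}")
    sys.exit(1 if hits else 0)
```

To use it as the pre-commit check Bischoff describes, copy the script to `.git/hooks/pre-commit` (or call it from there) so a non-zero exit blocks the commit; the assumed pattern set is intentionally loose, and a hit that is a false positive should be handled by moving the value out of the repository rather than by weakening the pattern. On the exposure side, the same host that serves `.git/HEAD` will usually serve `.git/config`, which is why `remote_credentials` exists: a remote URL of the form `https://user:token@host/...` is exactly the credential an attacker needs to pull the private repositories.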