Ethical hackers have uncovered and responsibly disclosed a security vulnerability which allowed them to access the private records of over 100,000 United Nations Environmental Programme (UNEP) Employees.
This is not the first time UN systems have suffered a data breach. In 2019, the UN did not disclose a cyberattack that had severely compromised their networks and databases.
In 2020, a disclosure finally came out from the UN which pinned the blame for the hack on a SharePoint vulnerability.
Increased Geo-Poli-Cyber Risk Exposure on UN and its Employees’ Nations.
“Many UN employees are often high profile government officials in their own home country before joining the UN. Their exposed private data and travel habits have now increased the Geo-Poli-Cyber risk exposure not only on the UN but but also on their respective governments and countries they are citizens of” said an MLi Group Cyber Survivability Expert.
The expert added: ” Many governmental and organizational systems may have had these vulnerabilities in their systems for a while without knowing it. A comprehensive Cyber Survivability and Security audit must be conducted ASAP”. Stakeholders interested in such audits can submit their requests at the end of this post.
In this instance, the ethical hackers have disclosed their findings describing the vulnerability that let them access the private data of over 100,000 United Nations Environment Programme (UNEP) employees.
The data set obtained by the group exposed travel history of UN staff, with each row containing: Employee ID, Names, Employee Groups, Travel Justification, Start and End Dates, Approval Status, Destination, and the Length of Stay.
The documents and screenshots provide extensive details on the nature of this security flaw and all that it exposed.
The researchers were able to dump the contents of these Git files and clone entire repositories from the *.ilo.org and *.unep.org domains using git-dumper.
The .git directory contents comprised sensitive files, such as WordPress configuration files (wp-config.php) exposing the administrator’s database credentials.
Likewise, different PHP files exposed as a part of this data breach contained plaintext database credentials associated with other online systems of the UNEP and UN ILO.
In addition, the publicly accessible .git-credentials files enabled the researchers to get their hands on UNEP’s source code base as well.
Exfiltrated Data of Over 100,000 Employees.
Using these credentials, researchers were able to exfiltrate the private information of over 100,000 employees from multiple UN systems.
It is not surprising how the ethical hackers were able to access such sensitive data within just a few hours.
They found 7 additional credential-pairs which could have resulted in unauthorized access of multiple databases. .
Although the UNEP thanked the ethical hackers for their vulnerability report and stated that their DevOps team had taken immediate steps to patch the vulnerability and that an impact assessment of this vulnerability was in progress, the UNEP also stated that a data breach disclosure notice was in the works but that it was “challenging as we have not done this before.”
Survivability News strongly recommends conducting an MLi Cyber Survivability and Security Audit.