[BreachExchange] United Nations data breach exposed over 100k UNEP staff records

[Destry Winant]

https://www.bleepingcomputer.com/news/security/united-nations-data-breach-exposed-over-100k-unep-staff-records/

Today, researchers have responsibly disclosed a security vulnerability
by exploiting which they could access over 100,000 private employee
records of United Nations Environmental Programme (UNEP).

The data breach stemmed from exposed Git directories and credentials,
which allowed the researchers to clone Git repositories and gather a
large amount of personally identifiable information (PII) associated
with over 100k employees.

Git directory exposed WordPress DB and Git credentials

Ethical hacking and security research group Sakura Samurai have now
disclosed their findings on a vulnerability that let them access the
private data of over 100,000 United Nations Environment Programme
(UNEP) employees.

The documents and screenshots shared with BleepingComputer provide
extensive details on the nature of this security flaw and all that it
exposed.

Having come across the United Nation's Vulnerability Disclosure
Program and InfoSec Hall of Fame, researchers Jackson Henry, Nick
Sahler, John Jackson, and Aubrey Cottle of Sakura Samurai set out to
hunt for any security flaws impacting UN systems.

They then came across exposed Git directories (.git) and Git
credential files (.git-credentials) on domains associated with the
UNEP and United Nation's International Labour Organization (ILO).

The researchers were able to dump the contents of these Git files and
clone entire repositories from the *.ilo.org and *.unep.org domains
using git-dumper.

The .git directory contents comprised sensitive files, such as
WordPress configuration files (wp-config.php) exposing the
administrator's database credentials.

WordPress configuration file found within exposed .git directory on UN domains
Source: Sakura Samurai

Likewise, different PHP files exposed as a part of this data breach
contained plaintext database credentials associated with other online
systems of the UNEP and UN ILO.

In addition, the publicly accessible .git-credentials files enabled
the researchers to get their hands on UNEP's source code base.

Exfiltrated data of over 100,000 employees

Using these credentials, researchers were able to exfiltrate the
private information of over 100,000 employees from multiple UN
systems.

The data set obtained by the group exposed travel history of UN staff,
with each row containing: Employee ID, Names, Employee Groups, Travel
Justification, Start and End Dates, Approval Status, Destination, and
the Length of Stay.

UN employee travel history (100k+ records) exfiltrated by researchers
Source: Sakura Samurai

Likewise, other UN databases accessed by the researchers as a part of
their analysis exposed HR demographic data (nationality, gender, pay
grade) on thousands of employees, project funding source records,
generalized employee records, and employment evaluation reports.

Redacted HR demographic data of 7,000+ UN employees
Source: Sakura Samurai

In an email interview with BleepingComputer, the group said:

"When we started researching the UN, we didn't think it would escalate
so quickly. Within hours, we already had sensitive data and had
identified vulnerabilities. Overall, in less than 24 full hours we
obtained all of this data," Sakura Samurai told BleepingComputer.

"In total, we found 7 additional credential-pairs which could have
resulted in unauthorized access of multiple databases. We decided to
stop and report this vulnerability once we were able to access PII
that was exposed via Database backups that were in the private
projects," state the researchers in their blog post.

Threat actors likely already accessed the data

The researchers shared a series of emails with BleepingComputer that
showed they had originally reported the vulnerability to UN privately
on January 4th, 2021.

UN Office of Information and Communications Technology (OICT)
initially acknowledged their report, but, without realizing the
vulnerability concerned UNEP, responded:

"The reported vulnerability does not pertain to the United Nations
Secretariat, and is for ILO (International Labour Organization),"
according to the emails seen by BleepingComputer, and something the UN
is known to do in the past.

Eventually, according to these emails, Saiful Ridwan, Chief of
Enterprise Solutions at UNEP thanked the researchers for their
vulnerability report while stating that their DevOps team had taken
immediate steps to patch the vulnerability and that an impact
assessment of this vulnerability was in progress.

Further, in a follow-up email seen by BleepingComputer, UNEP stated
that a data breach disclosure notice was in the works but that it was
"challenging as we have not done this before."

Overall, the researchers told BleepingComputer, United Nations was
quick to patch this security issue within under a week.

"Honestly, I commend Saiful for the quick fixes. Even though he stated
that this was fairly new to him, they patched in record speed and
secured the data."

"At this point, our only concern is informing the affected users.
Particularly, Aubrey Cottle A.K.A. Kirtaner had noted that if it was
this easy to obtain the data, threat actors likely already have the
data."

"The group was in agreement that the UNEP should analyze the
trajectory of the exposed PII to determine how many threat actors, if
any, have the data," Sakura Samurai founder John Jackson told
BleepingComputer.

This is not the first time UN systems have suffered a data breach.

In 2019, the UN did not disclose a cyberattack that had severely
compromised their networks and databases.

In 2020, a disclosure finally came out from the UN which pinned the
blame for the hack on a SharePoint vulnerability.