Ethical hackers accessed over 100,000 UN employee records in a Git data breach

Investigators from the ethical hacking and security research group Sakura Samurai accessed more than 100,000 records of private employees belonging to the United Nations Environment Program (UNEP). The data breach was caused by exposed Git credentials and directories, granting researchers access to code files containing SQL database administrator login credentials associated with the international body.

Related Articles

The researchers cloned the exposed Git files and dumped the organizations database, suggesting that other threat actors might have accessed the data as well.

UNEP employee logs data breach attributed to incorrect Git configuration

Researchers accessed large amounts of UNEP employee records containing personally identifiable information (PII) after downloading a Git repository containing Github credentials.

Sakura Samurai’s Aubrey Cottle, Jackson Henry, John Jackson and Nick Sahler drew inspiration from the United Nations Vulnerability Disclosure Program and the InfoSec Hall of Fame to look for potential bugs affecting intergovernmental organization systems. The program enables the public to help the UN protect its information systems.

They discovered insecure Git directories (.git) and Git credential files (.git-credentials) associated with the UNEP and International Labor Organization (ILO) domains.

The researchers managed to dump the contents of the exposed files using git-dumper and cloned the repositories associated with the * and * domains. The cloned sources contained WordPress files, including the setup script (wp-config.php) that contains the database connection credentials. Seven additional credential pairs were exposed in the data breach and could be used to access other online systems.

Samurai researchers used the database’s credentials to filter 100,000 employee records. Although, UNEP claims that the employee records were dated between 2015 and 2018.

Exposed employee records contained UN staff travel history, employee ID, names, employee groups, travel justification, start and end dates, approval status, destination and time. length of stay. Additionally, 7,000 HR demographics, including gender, nationality, and pay grade, were also exposed in the data breach alongside project funding information, widespread employee records, and evaluation reports.

The researchers also managed to take an account control in the survey management platform.

UN responds to data breach

The breach to the UN on January 4, 2021 and the UN Office of Information and Communications Technology (OICT) responded, attributing the vulnerability to the International Labor Organization without realizing that UNEP was also affected. .

Later, UNEP Head of Business Solutions Saiful Ridwan praised the investigators for reporting the data breach, adding that the organization’s DevOps team had patched the vulnerability and that an impact assessment was underway. In addition, UNEP reported that no additional unauthorized access was detected and that the information could not be used to attack UN IT systems.

Regarding the UNEP data breach, Javvad Malik, security awareness advocate at KnowBe4, says that global organizations may have trouble managing data spread across multiple systems.

“It’s easy for organizations, especially global ones, to have data spread across multiple systems and platforms,” ​​says Malik. “Keeping track of all these disparate systems can be challenging enough, and ensuring the proper security settings are in place and credentials are properly managed is key.”

He advises organizations to create a sense of security so that “everyone is aware of the role they have to play in protecting the organization, as it is not something that a security department can do on its own.”

Saryu Nayyar, CEO of Gurucul notes that the Sakura Samurai exhibit from the UNEP Git repository was “another classic example of the consequences of unintentional misconfiguration.”

He commends the UN IT team for quickly closing the loophole, but insists that threat actors may have “already discovered the vulnerable data and acquired it themselves.”

#Security researchers accessed more than 100,000 UN employee records in a Git #databreach that originated from repositories associated with the UNEP and ILO domains. #respectdata

Click to tweet

“This shows that even multinationals with mature cybersecurity practices are not immune to this type of misconfiguration, and points to the need for regular configuration reviews along with a comprehensive security stack that includes security analysis to identify and remediate these vulnerabilities before threat actors can discover them. ”Nayyar concludes.


Leave a Reply

Your email address will not be published. Required fields are marked *