Researchers from the ethical hacking and security research group Sakura Samurai accessed over 100,000 private employee records belonging to the United Nations Environment Programme (UNEP). The data breach stemmed from exposed Git directories and Git credential files, which gave the researchers access to source files containing administrator login credentials for SQL databases associated with the international body.
The researchers cloned the exposed Git repositories and dumped the organization's database, showing that other threat actors could have accessed the data the same way.
UNEP employee records data breach attributed to a Git misconfiguration
The researchers accessed copious amounts of UNEP employee records containing personally identifiable information (PII) after dumping an exposed Git repository that also contained GitHub credentials.
Sakura Samurai's Aubrey Cottle, Jackson Henry, John Jackson, and Nick Sahler were inspired by the United Nations' Vulnerability Disclosure Program and InfoSec Hall of Fame to hunt for potential bugs affecting the intergovernmental organization's systems. The program allows the public to assist the UN in securing its information systems.
They discovered unsecured Git directories (.git) and Git credential files (.git-credentials) associated with UNEP and the International Labour Organization (ILO) domains.
The researchers dumped the contents of the exposed directories using git-dumper and cloned the repositories associated with the *.ilo.org and *.unep.org domains. The cloned sources contained WordPress files, including the configuration script (wp-config.php), which holds the database connection credentials. Seven additional credential pairs were exposed in the data breach and could have been used to access other online systems.
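The misconfiguration at the centre of this story is easy to check for from the outside: a site that was deployed straight from a checkout serves its own `.git/HEAD`, `.git/config` and, if a developer ever ran `git config credential.helper store` in that tree, a plaintext `.git-credentials` file. The script below is an added illustration of that check and of what a leaked `wp-config.php` gives away; it is not Sakura Samurai's tooling or git-dumper, and the host name, file contents and the `sample_fetch` callable are constructed for the example. It inspects the body of each probe rather than trusting an HTTP 200, because catch-all pages otherwise produce false positives.

```python
"""Check web hosts for an exposed .git directory and .git-credentials file,
and pull database settings out of a leaked wp-config.php.

Added example for this article; not Sakura Samurai's tooling or git-dumper.
Hostnames, file contents and sample_fetch() are constructed for illustration.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

# Paths that reveal a web root deployed with its Git metadata intact.
GIT_PROBES = ("/.git/HEAD", "/.git/config", "/.git-credentials")

HEX40 = re.compile(r"^[0-9a-f]{40}\s*$")
# git's credential-store format: one "scheme://user:secret@host" per line.
CRED_LINE = re.compile(
    r"^(?P<scheme>https?)://(?P<user>[^:@/]+):(?P<secret>[^@]+)@(?P<host>[^/\s]+)"
)
# define( 'DB_USER', 'value' ); as written in a stock wp-config.php.
WP_DEFINE = re.compile(
    r"define\(\s*['\"](DB_(?:NAME|USER|PASSWORD|HOST))['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*\)"
)


def is_git_head(body: str) -> bool:
    """A real .git/HEAD is 'ref: refs/heads/<branch>' or a bare 40-hex commit id.
    Checking content, not status code, avoids false positives from catch-all pages."""
    body = body.strip()
    return body.startswith("ref: refs/") or bool(HEX40.match(body))


def is_git_config(body: str) -> bool:
    """.git/config of a cloned or initialised repo opens with a [core] section."""
    return "[core]" in body and "repositoryformatversion" in body


def parse_git_credentials(text: str) -> List[Dict[str, str]]:
    """Parse a leaked .git-credentials file. The secret is masked so the finding
    can go into a report without re-leaking the token."""
    found = []
    for line in text.splitlines():
        m = CRED_LINE.match(line.strip())
        if m:
            secret = m.group("secret")
            found.append({
                "host": m.group("host"),
                "user": m.group("user"),
                "secret_masked": secret[:2] + "*" * max(len(secret) - 2, 0),
            })
    return found


def extract_wp_db_settings(php_source: str) -> Dict[str, str]:
    """Return DB_NAME/DB_USER/DB_PASSWORD/DB_HOST from a wp-config.php so a
    reviewer can see which database a leak reaches. Treat the result as sensitive."""
    return {name: value for name, value in WP_DEFINE.findall(php_source)}


def scan_host(base_url: str, fetch: Callable[[str], Optional[str]]) -> Dict:
    """Probe one site. fetch(url) returns the body on HTTP 200 or None otherwise;
    it is injected so the same logic runs against real hosts (http_fetch) or
    against the constructed responses below (sample_fetch)."""
    result: Dict = {"git_exposed": False, "credentials": []}
    head = fetch(base_url + "/.git/HEAD")
    cfg = fetch(base_url + "/.git/config")
    if (head and is_git_head(head)) or (cfg and is_git_config(cfg)):
        result["git_exposed"] = True
    creds = fetch(base_url + "/.git-credentials")
    if creds:
        result["credentials"] = parse_git_credentials(creds)
    return result


def http_fetch(url: str, timeout: float = 5.0) -> Optional[str]:
    """Real fetcher for use against hosts you are authorised to test."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            if resp.status != 200:
                return None
            return resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, ValueError, OSError):
        return None


# Constructed responses standing in for a misconfigured WordPress host.
SAMPLE_SITE = {
    "https://example.invalid/.git/HEAD": "ref: refs/heads/master\n",
    "https://example.invalid/.git/config":
        "[core]\n\trepositoryformatversion = 0\n\tbare = false\n",
    "https://example.invalid/.git-credentials":
        "https://deploybot:ghp_examplesecret@github.com\n",
}
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_site' );
define( 'DB_USER', 'wp_admin' );
define( 'DB_PASSWORD', 'example-only' );
define( 'DB_HOST', 'db.internal' );
"""


def sample_fetch(url: str) -> Optional[str]:
    """Offline stand-in for http_fetch using the constructed responses."""
    return SAMPLE_SITE.get(url)


if __name__ == "__main__":
    print(scan_host("https://example.invalid", sample_fetch))
    print(extract_wp_db_settings(SAMPLE_WP_CONFIG))
```

Swap `sample_fetch` for `http_fetch` to run it against a host you are authorised to test. On the defensive side the fix is the same one UNEP applied in spirit: never deploy a working checkout as the web root, and deny the metadata paths at the server regardless (for nginx, `location ~ /\.git { deny all; }`; for Apache, a `<DirectoryMatch "^/.*/\.git/">` block with `Require all denied`), so that a stray checkout does not become a credential leak.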
The Sakura Samurai researchers used the database credentials to exfiltrate 100,000 employee records. UNEP said, however, that the records dated from between 2015 and 2018.
The exposed employee records contained UN staff's travel history, employee ID, names, employee groups, travel justification, start and end dates, approval status, destination, and length of stay. Additionally, 7,000 HR demographic records, including gender, nationality, and pay grade, were exposed in the data breach alongside project funding information, generalized employee records, and evaluation reports.
The researchers also succeeded in performing an account takeover on the Survey Management Platform.
UN responds to the data breach
The breach was reported to the UN on Jan 4, 2021, and the UN Office of Information and Communications Technology (OICT) responded, attributing the vulnerability to the International Labour Organization without realizing that UNEP was also affected.
Later, UNEP Chief of Enterprise Solutions Saiful Ridwan commended the researchers for reporting the data breach, adding that the organization's DevOps team had patched the vulnerability and that an impact assessment was in progress. UNEP also reported that no additional unauthorized access had been detected and that the information could not be used to attack UN IT systems.
Regarding the UNEP data breach, Javvad Malik, Security Awareness Advocate at KnowBe4, says global organizations may have problems managing data spread across various systems.
“It’s easy for organizations, especially global ones, to have data spread out across various systems and platforms,” Malik says. “Keeping track of all these disparate systems can be challenging enough, and ensuring the right security settings are applied and that credentials are appropriately managed is key.”
He advises organizations to create a sense of security so that “everyone is aware of the role they have to play in securing the organization as it’s not something a security department can do on their own.”
Saryu Nayyar, CEO at Gurucul, notes that Sakura Samurai's exposure of UNEP's Git repository was "another classic example of the consequences of an unintentional misconfiguration."
She commends the UN’s IT team for rapidly closing the loophole but insists that threat actors might have “already discovered the vulnerable data and acquired it themselves.”
“This shows that even multinationals with mature cybersecurity practices are not immune to this kind of misconfiguration, and points out the need for regular configuration reviews along with a full security stack that includes security analytics to identify and remediate these vulnerabilities before threat actors can discover them,” Nayyar concludes.