A data breach has been discovered in the United Nations which exposed over 100k of UNEP’s staff records. Researchers with Sakura Samurai, an ethical hacking and research group, discovered the records were accessible through the UN’s Vulnerability Disclosure Program. The data accessible included administrator database credentials, employee ID’s, name’s, travel justifications, start and end dates, as well as their HR demographic data.
7 Responses
<p>Usually when you talk about hacking, you talk about vulnerabilities, which are flaws in software, and we talk about configurations or the human element. In this case, the flaws we see are all related to users configuring those servers leaving files exposed and software misconfigured. Those are flaws in usage, not flaws in software. It is in parts further concerning as those systems were internet exposed, and in turn, held credentials for other systems. With access to some of the indicated information and the simplicity of the breach, attackers may well have access to this information. It is one of the basic controls any experienced analyst performs against a system they are auditing, yet it is still surprisingly often a rewarding path to take provided the attack surface is sufficiently large, such as a full organization.</p>
<p>It\’s easy for organisations, especially global ones, to have data spread out across various systems and platforms. Keeping track of all these disparate systems can be challenging enough, and ensuring the right security settings are applied and that credentials are appropriately managed is key. </p> <p> </p> <p>While many technologies and processes exist to help secure organisations to prevent these kinds of issues, it is essential that organisations cultivate a culture of security so that everyone is aware of the role they have to play in securing the organisation as it\’s not something a security department can do on their own.</p>
<p>Software is the critical infrastructure that supports organisations of all types. Cybersecurity is important for every organisation, whether they know it or not. </p> <p lang=\"en-US\"> </p> <p lang=\"en-US\">The recent vulnerability found in the United Nations technology infrastructure shows just how easy it is to accidentally expose a large volume of sensitive data. Like any other organisation, the UN needs a top-down approach to cybersecurity, with defined policies for protecting assets and established processes for publishing software. </p> <p lang=\"en-US\"> </p> <p lang=\"en-US\">In this case, the United Nations’ Vulnerability Disclosure Program worked exactly as it should; security researchers located a dangerous vulnerability and the United Nations was able to fix it to prevent any further exploitation. This is a good outcome, but a better path forward would be a proactive approach, in which processes would be put in place to prevent such a vulnerability from ever being exposed in the first place. </p> <p lang=\"en-US\"> </p> <p lang=\"en-US\">A proactive, positive approach to cybersecurity is the best way for organisations to reduce risk and protect their assets.</p>
<p>As it appears likely that bad actors have likely accessed the UN data, UN staff will need to be aware that the bad guys will likely use the information gained in the breach to attempt to use a bit of social engineering to obtain more information or to launch attacks on UN servers. Bad actors may send emails or text messages leveraging the information they have, in order to appear to be legitimate communications from other employees or supervisors.”</p>
<p>Exposing credentials in public Github repositories is a common developer oversight, and cybercriminals routinely scan Github for exposed credentials to steal. Last year, our research team set up a <a href=\"https://www.comparitech.com/blog/information-security/github-honeypot/\" data-saferedirecturl=\"https://www.google.com/url?q=https://www.comparitech.com/blog/information-security/github-honeypot/&source=gmail&ust=1610532318327000&usg=AFQjCNEG-IIBWuuoOCUiNfAF5U-0M2abUg\"> honeypot Github repos</a> containing access credentials to some dummy AWS servers. It took hackers just one minute to find the credentials and break into our honeypot servers. So it\’s very likely that cybercriminals accessed the UNEP data before researchers. Developers need to scan their code for credentials before committing it to Github. For additional security, they can avoid creating an access key for the root user, use temporary security credentials instead of long-term access keys, properly configure IAM users, rotate keys periodically, and remove unused keys.</p> <p> </p> <p>UN staff should be on the lookout for targteted phishing and scam messages from fraudsters posing as UNEP employees or administrators. Always verify the sender of an email or other message before responding. Never click on links or attachments in unsolicited emails and messages.</p>
<p>Our applause to Sakura Samurai’s team – what they did was worthy of it! This was successful because the UN’s vulnerability disclosure policy was transparent – that’s why they decided to look for the vulnerabilities. There was a sense of trust that they would be recognized, not persecuted.</p> <p> </p> <p>Also, it wasn’t well known that the UN has a vulnerability disclosure policy, and that’s ironic as these types of organizations are the ones that need it the most. The process the researchers faced could have been a bit more transparent. When a researcher reports something, the organization’s contact person needs to know who to direct the information to in order to immediately get the ball rolling – otherwise it slows down the process. An automated ticketing process isn’t appropriate for vulnerability disclosure input.</p> <p> </p> <p>But as soon as these researchers did get direct contact, they were met with people who probably didn’t understand the problem but did fully realized the importance of fixing it immediately. These researchers have enormous respect for those at the UN who handled this matter. </p> <p> </p> <p>Also, Sakura Samurai made sure NOT to disclose anything until the problem was patched, in order to sustain and support the UN’s compliance with GDPR regulations. </p> <p> </p> <p>This is a good example of how vulnerability disclosure policies work, and the value of working closely with independent researchers, i.e., hackers.</p>
<p>Ethical Hacking group Sakura Samurai\’s exposure of the United Nations Environment Program\’s git repositories is another classic example of the consequences of an unintentional misconfiguration. Fortunately, the UN\’s IT team reacted quickly to close the hole, but it is likely that threat actors had already discovered the vulnerable data and acquired it themselves.</p> <p> </p> <p>This shows that even multinationals with mature cybersecurity practices are not immune to this kind of misconfiguration, and points out the need for regular configuration reviews along with a full security stack that includes security analytics to identify and remediate these vulnerabilities before threat actors can discover them.</p>