A data breach has been discovered at the United Nations which exposed over 100,000 UNEP staff records. Researchers with Sakura Samurai, an ethical hacking and research group, found the exposed records while working under the UN’s Vulnerability Disclosure Program. The data accessible included administrator database credentials, employee IDs, names, travel justifications, start and end dates, as well as HR demographic data.
<p>Usually when you talk about hacking, you talk about vulnerabilities, which are flaws in software, and you talk about configurations or the human element. In this case, the flaws we see are all related to users configuring those servers, leaving files exposed and software misconfigured. Those are flaws in usage, not flaws in software. It is in part further concerning as those systems were internet exposed and, in turn, held credentials for other systems. With access to some of the indicated information and the simplicity of the breach, attackers may well have access to this information. It is one of the basic controls any experienced analyst performs against a system they are auditing, yet it is still surprisingly often a rewarding path to take, provided the attack surface is sufficiently large, such as a full organization.</p>
<p>It’s easy for organisations, especially global ones, to have data spread out across various systems and platforms. Keeping track of all these disparate systems can be challenging enough, and ensuring the right security settings are applied and that credentials are appropriately managed is key.</p> <p>While many technologies and processes exist to help secure organisations to prevent these kinds of issues, it is essential that organisations cultivate a culture of security so that everyone is aware of the role they have to play in securing the organisation, as it’s not something a security department can do on their own.</p>
<p>Software is the critical infrastructure that supports organisations of all types. Cybersecurity is important for every organisation, whether they know it or not.</p> <p>The recent vulnerability found in the United Nations technology infrastructure shows just how easy it is to accidentally expose a large volume of sensitive data. Like any other organisation, the UN needs a top-down approach to cybersecurity, with defined policies for protecting assets and established processes for publishing software.</p> <p>In this case, the United Nations’ Vulnerability Disclosure Program worked exactly as it should; security researchers located a dangerous vulnerability and the United Nations was able to fix it to prevent any further exploitation. This is a good outcome, but a better path forward would be a proactive approach, in which processes would be put in place to prevent such a vulnerability from ever being exposed in the first place.</p> <p>A proactive, positive approach to cybersecurity is the best way for organisations to reduce risk and protect their assets.</p>
<p>As it appears likely that bad actors have accessed the UN data, UN staff will need to be aware that the bad guys will likely use the information gained in the breach to attempt a bit of social engineering to obtain more information or to launch attacks on UN servers. Bad actors may send emails or text messages leveraging the information they have, in order to appear to be legitimate communications from other employees or supervisors.</p>
<p>Exposing credentials in public GitHub repositories is a common developer oversight, and cybercriminals routinely scan GitHub for exposed credentials to steal. Last year, our research team set up <a href="https://www.comparitech.com/blog/information-security/github-honeypot/">honeypot GitHub repos</a> containing access credentials to some dummy AWS servers. It took hackers just one minute to find the credentials and break into our honeypot servers. So it’s very likely that cybercriminals accessed the UNEP data before researchers. Developers need to scan their code for credentials before committing it to GitHub. For additional security, they can avoid creating an access key for the root user, use temporary security credentials instead of long-term access keys, properly configure IAM users, rotate keys periodically, and remove unused keys.</p> <p>UN staff should be on the lookout for targeted phishing and scam messages from fraudsters posing as UNEP employees or administrators. Always verify the sender of an email or other message before responding. Never click on links or attachments in unsolicited emails and messages.</p>
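<p>The pre-commit credential scan recommended in the comment above, as an added example that is not code from the article, the UN or Comparitech. It is a minimal scanner a developer could install as a Git <code>pre-commit</code> hook: it matches the documented AWS access key ID format, a few heuristic patterns for secret keys, private key blocks and hard-coded passwords, and falls back to a Shannon-entropy check for long opaque tokens. The sample configuration file is constructed and uses the AWS documentation example credentials; the rule names, threshold and regexes are this example's own choices, not a standard.</p>

```python
"""Added example: a minimal pre-commit secret scanner (not UN or Comparitech code)."""
import math
import re
import subprocess
import sys

# Credential patterns that commonly leak into repositories. The AWS access key
# ID format (AKIA/ASIA + 16 uppercase alphanumerics) is documented by AWS; the
# rest are heuristics that need tuning per code base.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws(?:_|\s)?secret(?:_access)?(?:_|\s)?key\W{0,5}([A-Za-z0-9/+=]{40})\b"
    ),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|db_pass)\s*[:=]\s*['\"]([^'\"\s]{6,})['\"]"
    ),
}

# Hex strings (commit hashes, digests) use at most 16 symbols, so their Shannon
# entropy never exceeds 4.0 bits/char; a 4.5 threshold keeps them out of results.
ENTROPY_THRESHOLD = 4.5
LONG_TOKEN = re.compile(r"[A-Za-z0-9/+=_-]{32,}")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text: str):
    """Return a list of (line_number, rule_name, matched_text) for suspicious lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = [(lineno, name, m.group(0))
                for name, pat in PATTERNS.items() for m in pat.finditer(line)]
        if not hits:
            # No known pattern: fall back to the entropy heuristic for long tokens.
            hits = [(lineno, "high_entropy_token", tok)
                    for tok in LONG_TOKEN.findall(line)
                    if shannon_entropy(tok) >= ENTROPY_THRESHOLD]
        findings.extend(hits)
    return findings


def staged_additions() -> str:
    """Lines added in the staged diff, i.e. what `git commit` is about to publish."""
    diff = subprocess.run(["git", "diff", "--cached", "-U0"],
                          capture_output=True, text=True, check=True).stdout
    return "\n".join(l[1:] for l in diff.splitlines()
                     if l.startswith("+") and not l.startswith("+++"))


# Constructed sample input: the two AWS documentation example credentials plus a
# hard-coded password, the kind of file that ends up in a public repository.
SAMPLE_CONFIG = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY
db_password = "Sup3rSecretDbPass"
build_sha = 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
"""

if __name__ == "__main__":
    # Copy to .git/hooks/pre-commit to block commits that add credentials; outside
    # a repository (or without git) the constructed sample is scanned instead.
    try:
        text = staged_additions()
    except (subprocess.CalledProcessError, FileNotFoundError):
        text = SAMPLE_CONFIG
    found = find_secrets(text)
    for lineno, rule, token in found:
        print(f"line {lineno}: {rule}: {token[:8]}...")  # never echo the full secret
    sys.exit(1 if found else 0)
```

<p>Run against the sample, the scanner flags the access key ID, the secret key and the password but not the commit hash, and a non-zero exit status is what makes Git abort the commit. A hook like this catches the oversight described above before the push; it does not replace the other measures listed (short-lived credentials, key rotation, removing unused keys), since a key that is never long-lived is worth little to whoever finds it.</p>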