Hacker Uploads Documents to WHO, UNESCO Websites

UNESCO website hacked

A hacker has found a way to upload PDF files to the websites of several organizations, including the World Health Organization (WHO) and UNESCO.

The attack, first reported by Cyberwarzone.com, does not appear particularly sophisticated and its impact is likely low, but the same vulnerabilities could have been exploited by more advanced threat actors for more serious attacks.

The files were uploaded by a hacker who uses the online moniker m1gh7yh4ck3r. A search for “m1gh7yh4ck3r” on Google shows that in recent days they uploaded files to official websites of UNESCO, WHO, the Georgia Institute of Technology, and a Cuban government website.

Georgia Tech and the WHO have apparently removed the files uploaded by the hacker, but at the time of writing the files were still present on the UNESCO and Cuban government websites.

Reached by SecurityWeek, UNESCO representatives said they will launch an investigation. The WHO and Georgia Tech did not immediately respond to our inquiry.

The PDF files uploaded by the hacker are related to online game hacks and hacking Facebook and Instagram accounts. The documents contain links that point to various hacking services and tools. These services and tools appear to be fake and they lead users to various types of scammy websites.

One of the antivirus engines on VirusTotal detects some of the PDF files as containing a trojan, and one file is detected as “suspicious.”

It’s unclear how the hacker managed to upload the files, but the method was likely unsophisticated: the documents appeared on subdomains whose purpose is to accept user uploads. The attacker may have exploited known or unknown file upload or authentication bypass weaknesses; in the case of the UNESCO website, the login page is easy to reach.

While in this case the attack likely had a low impact, the ability to upload arbitrary files to the websites of organizations such as the WHO and UNESCO can be highly useful to sophisticated state-sponsored actors.

There have been many malicious campaigns since the start of the pandemic where financially-motivated cybercriminals and state-sponsored groups sent malicious emails impersonating the WHO. Exploiting a vulnerability such as the one leveraged by m1gh7yh4ck3r could have been highly useful to them.

UPDATE: Georgia Tech told SecurityWeek that it has addressed the root cause of the issue: a form on an old website running the Drupal CMS with the Webform module, which by default stores user-uploaded files in a publicly accessible folder.

“The uploads that happened to the chhs server [the impacted GA Tech server] are an example of an attack on misconfigured websites that has seen an uptick in popularity in the past few months. This kind of website spam attack is somewhat unusual, as it doesn’t depend on weak credentials, nor upon outdated software. It depends, instead, on the specific configurations of CMSs and their form-related plug-ins/modules (OWASP top 10 category “Security Misconfiguration”). For this reason, this kind of issue is not easily scanned for with most existing commercial vulnerability scanners. We have attempted to address the problem through education and monitoring,” explained a Georgia Tech spokesperson.

The attack appears to be part of a larger campaign that started this summer, targeting government and university websites. Bleeping Computer saw several major organizations being targeted in August, in many cases through the Webform module in Drupal.

It’s worth pointing out that UNESCO also seems to use Drupal and Webform, which is likely how the attacker managed to upload the files.
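The Webform misconfiguration described above lets anyone drop a file into a directory the web server serves directly, and, as Georgia Tech notes, generic vulnerability scanners rarely flag it. The following triage check is an added example (not code from SecurityWeek, Georgia Tech, UNESCO or the Drupal project) of what a site operator could run over that directory: it walks the upload folder, rejects files outside the form's allowlist, verifies that files named .pdf really are PDFs, and pulls link-annotation targets out of each PDF to flag documents that point off-site, which is the pattern of the m1gh7yh4ck3r uploads. The directory layout (sites/default/files/webform/), the allowlist, the site domain and the sample files are assumptions constructed for the demo.

```python
"""Triage of files dropped into a Drupal site's public upload directory.

Added example, not code from SecurityWeek, Georgia Tech, UNESCO or the Drupal
project. Assumptions (hypothetical, not stated on the page): form uploads land
under sites/default/files/webform/ inside the webroot, and the site's own
hostnames are known. The sample files below are constructed for the demo.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Iterator
from urllib.parse import urlparse

UPLOAD_SUBDIR = os.path.join("sites", "default", "files", "webform")  # assumed layout
PDF_MAGIC = b"%PDF-"
# Link annotations in uncompressed PDFs carry their target in a /URI (...) entry.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
ALLOWED_SUFFIXES = {".pdf", ".jpg", ".jpeg", ".png"}  # what the form was meant to accept (assumed)


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)
    external_urls: list = field(default_factory=list)


def iter_upload_files(webroot: str) -> Iterator[str]:
    """Yield every file below the (assumed) public Webform upload directory."""
    base = os.path.join(webroot, UPLOAD_SUBDIR)
    for dirpath, _, names in os.walk(base):
        for name in names:
            yield os.path.join(dirpath, name)


def extract_pdf_uris(data: bytes) -> list:
    """Return link-annotation targets found in raw (uncompressed) PDF bytes."""
    return [m.decode("latin-1") for m in URI_RE.findall(data)]


def is_external(url: str, site_domains: set) -> bool:
    """True when the URL's host is neither one of the site's domains nor a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return bool(host) and not any(host == d or host.endswith("." + d) for d in site_domains)


def audit_uploads(webroot: str, site_domains: set) -> list:
    """Flag uploaded files that don't belong: type outside the allowlist,
    mislabelled PDFs, or PDFs whose links point off-site (the spam pattern)."""
    findings = []
    for path in iter_upload_files(webroot):
        f = Finding(path=os.path.relpath(path, webroot))
        suffix = os.path.splitext(path)[1].lower()
        with open(path, "rb") as fh:
            data = fh.read()
        if suffix not in ALLOWED_SUFFIXES:
            f.reasons.append(f"extension {suffix or '(none)'} not in allowlist")
        if suffix == ".pdf":
            if not data.startswith(PDF_MAGIC):
                f.reasons.append("claims .pdf but lacks %PDF- header")
            f.external_urls = [u for u in extract_pdf_uris(data) if is_external(u, site_domains)]
            if f.external_urls:
                f.reasons.append(f"{len(f.external_urls)} off-site link(s)")
        if f.reasons:
            findings.append(f)
    return sorted(findings, key=lambda x: x.path)


def make_pdf(link: str) -> bytes:
    """Constructed single-page PDF with one URI link annotation (no xref table; enough for the scanner)."""
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] "
        b"/A << /S /URI /URI (" + link.encode() + b") >> >> endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


def build_sample_webroot() -> str:
    """Create a temporary webroot holding constructed sample uploads for the demo."""
    root = tempfile.mkdtemp(prefix="drupal-demo-")
    base = os.path.join(root, UPLOAD_SUBDIR, "contact_form")
    samples = {
        "1/agenda.pdf": make_pdf("https://www.example.org/events"),       # legitimate, links to the site itself
        "2/free-game-hack.pdf": make_pdf("http://cheats.example.net/get"),  # spam pattern: off-site link
        "3/notes.php": b"<?php echo 1; ?>",                               # type the form was never meant to accept
    }
    for rel, data in samples.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def demo() -> list:
    """Run the audit against the constructed sample webroot; example.org is the assumed site domain."""
    return audit_uploads(build_sample_webroot(), {"example.org"})


if __name__ == "__main__":
    for finding in demo():
        print(finding.path, "->", "; ".join(finding.reasons), finding.external_urls)
```

This is a detective control for a folder that should never have been world-readable in the first place. The remediation the article implies is to keep form uploads out of the publicly served tree (Drupal's private file system, which serves files through the application with access checks) and to treat anonymous submissions as untrusted until reviewed; the scan above is what you run in the meantime, and after, to catch what the form still accepts.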

UPDATE 2: UNESCO confirmed to SecurityWeek that the hacker abused the same Webform upload method to place the files on its website.

“As you can imagine, due to its visibility, UNESCO is a target of many such attacks, from denial of service to fraudulent upload. We have protocols for security response but due to the size of such attacks, a delay is sometimes necessary to revert to normal, and we focus on those attacks that target the security of the system,” a UNESCO spokesperson said.

Related: Google Says Iran-Linked Hackers Targeted WHO

Related: WordPress ‘File Manager’ Plugin Patches Critical Zero-Day Exploited in Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
