Red Cross in Berlin leaks passwords and private messages

A German Red Cross unit potentially targeted by cybercriminals has leaked passwords and private messages, some of which disclosed sensitive data about the location of office keys and the responsibilities of employees.

On February 23rd, 2024, the Cybernews research team discovered a leak on a website used by the Red Cross Berlin-North-East branch for internal operations. A misconfiguration of its systems enabled anyone on the internet to access the internal data, putting the Red Cross organization at risk.

The leaked data included:

  • Employee emails
  • Plain-text passwords
  • Internal messages

Leaked internal communications

In certain instances, confidential internal communications exposed sensitive information, revealing details about access permissions, the location of keys, and areas requiring attention within Red Cross Berlin-North-East facilities. In the hands of a threat actor, such information could be used to cause actual physical damage to the organization.

Leaked credentials are also a major cause for concern, as malicious actors could exploit them for credential stuffing. This could involve attempts to breach not only other systems within Red Cross Berlin-North-East but also the broader Red Cross Germany systems.

These systems may house sensitive information related to the individuals the organization aims to assist, as well as details about Red Cross employees, volunteers, and donors.

Site’s Environment variables

The researchers also found Indicators of Compromise associated with the Androxgh0st and Legion malware families, which launch automated attempts to steal credentials. Though there's no evidence that malicious actors have successfully breached Red Cross systems, the fact that the system configuration permitted access to anyone, especially considering the organization was being targeted, is deeply troubling.

There has recently been a rise in attacks against non-profit organizations, as well as hospitals and other civilian infrastructure, that were long considered off-limits for cybercriminals.

Given its longstanding global presence spanning over a century, the Red Cross is a tempting target for attackers driven by political, extremist, or hateful motives. Financially motivated attackers may target the organization as a means to obtain donors' financial data, as many charities, including the Red Cross, are moving away from one-time cash donations and encouraging regular, smaller donations.

Login request revealing personnel’s credentials

The Berlin-North-East branch is part of the larger Berlin Red Cross, consisting of eight district units. It has a substantial workforce, with over 100 full-time employees, more than 10,000 supporting members, and over 400 volunteers.

The branch provides a wide range of services, including educational support, operation of family and daycare centers, legal advice, first aid training, medical assistance at events, and aid for homeless individuals, among others.

Cybernews contacted the Red Cross, and access has since been secured. However, the data had been exposed since September 2022. An official comment is yet to be received.

Session information revealing personnel’s full names

What caused the leak

The leak was caused by an enabled and publicly accessible Symfony Profiler on the Red Cross website. Symfony Profiler is a debugging and performance optimization tool that developers use most often during the development and testing phases of Symfony applications.

Last 10,000 POST requests

The tool allows developers to inspect the details of each HTTP request: the profiler collects a wide range of information at runtime, including database queries, executed code, HTTP headers, request and response details, and performance data for the various components of the application.

The information collected by the profiler can also include anything users submit to the website: uploaded files, filled-out forms, and plaintext usernames and passwords sent in login requests.

The Cybernews research team advises that the Symfony Profiler should always be disabled in production environments to ensure security.
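The following configuration fragments are an added illustration of that advice and are not taken from the article or from the Red Cross website. They assume a Symfony 5.3+ application using the standard Flex recipe file layout (`config/packages/web_profiler.yaml` and `config/routes/web_profiler.yaml`); the `when@<env>` syntax shown requires Symfony 5.3 or later, while older projects achieve the same separation with per-environment directories such as `config/packages/dev/`. The first two documents show the risky shape, where the profiler and its `/_profiler` and `/_wdt` routes are declared unconditionally and therefore stay active when `APP_ENV=prod`; the remaining documents confine them to the `dev` environment and explicitly switch data collection off for `prod`.

```yaml
# --- RISKY: config/packages/web_profiler.yaml (constructed example) ---
# Declared at the top level, so the profiler runs in every environment,
# including production. Every request, with its form fields and
# credentials, is stored and browsable under /_profiler.
web_profiler:
    toolbar: true
    intercept_redirects: false

framework:
    profiler:
        only_exceptions: false
---
# --- RISKY: config/routes/web_profiler.yaml (constructed example) ---
# Unconditional routes publish the profiler UI and toolbar endpoints
# to anyone who can reach the site.
web_profiler_wdt:
    resource: '@WebProfilerBundle/Resources/config/routing/wdt.xml'
    prefix: /_wdt

web_profiler_profiler:
    resource: '@WebProfilerBundle/Resources/config/routing/profiler.xml'
    prefix: /_profiler
---
# --- CORRECTED: config/packages/web_profiler.yaml ---
# Scoped to the dev environment only; test keeps collection off so
# fixtures containing credentials are never persisted to the profiler store.
when@dev:
    web_profiler:
        toolbar: true
        intercept_redirects: false

    framework:
        profiler:
            only_exceptions: false

when@test:
    web_profiler:
        toolbar: false
        intercept_redirects: false

    framework:
        profiler: { collect: false }

# Belt and braces: even if the bundle is loaded in prod by mistake,
# the data collectors stay disabled and nothing is written to disk.
when@prod:
    framework:
        profiler:
            enabled: false
            collect: false
---
# --- CORRECTED: config/routes/web_profiler.yaml ---
# The /_profiler and /_wdt routes exist only when APP_ENV=dev,
# so a production deployment answers them with 404.
when@dev:
    web_profiler_wdt:
        resource: '@WebProfilerBundle/Resources/config/routing/wdt.xml'
        prefix: /_wdt

    web_profiler_profiler:
        resource: '@WebProfilerBundle/Resources/config/routing/profiler.xml'
        prefix: /_profiler
```

Two further checks belong in the deployment pipeline. First, confirm that `config/bundles.php` registers `WebProfilerBundle` with `['dev' => true, 'test' => true]` rather than `['all' => true]`, and that the server sets `APP_ENV=prod` (a `.env.local` left at `dev` silently re-enables everything above). Second, on the built production image run `php bin/console debug:router --env=prod` and verify that no `_profiler` or `_wdt` routes are listed; any hit there means stored request data, including the login requests shown in the screenshots, would be reachable from the internet.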
