A German Red Cross unit potentially targeted by cybercriminals has leaked passwords and private messages, some of which disclosed sensitive data about the location of office keys and the responsibilities of employees.
On February 23rd, 2024, the Cybernews research team discovered a leak on a website used by the Red Cross Berlin-North-East branch for internal operations. A misconfiguration of its systems enabled anyone on the internet to access the internal data, putting the Red Cross organization at risk.
The leaked data included:
- Employee emails
- Plain-text passwords
- Internal messages
In certain instances, confidential internal communications exposed sensitive information, revealing details about access permissions, the location of keys, and areas requiring attention within Red Cross Berlin-North-East facilities. In the hands of a threat actor, such information could be used to cause actual physical damage to the organization.
Leaked credentials are also a major cause for concern, as they could be exploited by malicious actors for credential stuffing. This could involve attempts to breach not only other systems within Red Cross Berlin-North-East but also broader Red Cross Germany systems.
These systems may house sensitive information related to the individuals the organization aims to assist, as well as details about Red Cross employees, volunteers, and donors.
The researchers also found Indicators of Compromise associated with Androxgh0st and Legion malware launching automated attempts to steal credentials. Though there's no evidence that malicious actors have successfully breached Red Cross systems, the fact that the system configurations permitted access to anyone, especially considering the organization was targeted, is deeply troubling.
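The automated credential-harvesting attempts mentioned above leave traces in the web server's access log. The following is an added example (not code from Cybernews or from the Red Cross) showing how a defender can scan combined-format access logs for requests to Symfony's default profiler routes (`/_profiler` and `/_wdt`) and tell exposure (the server answered with 2xx content) apart from mere probing (403/404). The log lines are constructed for the example; the IP addresses come from documentation ranges.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Default route prefixes of Symfony's WebProfilerBundle: the profiler UI and the debug toolbar.
PROFILER_PREFIXES = ("/_profiler", "/_wdt")

# Apache/nginx "combined" access-log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)


@dataclass(frozen=True)
class ProfilerHit:
    ip: str
    timestamp: str
    method: str
    path: str
    status: int

    @property
    def served(self) -> bool:
        """True when the server answered the profiler request with content (2xx)."""
        return 200 <= self.status < 300


def is_profiler_path(path: str) -> bool:
    """Match a profiler prefix on a path boundary, ignoring any query string."""
    bare = path.split("?", 1)[0]
    return any(bare == p or bare.startswith(p + "/") for p in PROFILER_PREFIXES)


def parse_line(line: str) -> Optional[ProfilerHit]:
    """Parse one combined-format log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return ProfilerHit(ip=m["ip"], timestamp=m["ts"], method=m["method"],
                       path=m["path"], status=int(m["status"]))


def find_profiler_hits(lines: Iterable[str]) -> list:
    """All requests aimed at the profiler routes, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_profiler_path(rec.path):
            hits.append(rec)
    return hits


def summarize(lines: Iterable[str]) -> dict:
    """Counts of profiler probes and of probes actually served, broken down by source IP."""
    hits = find_profiler_hits(lines)
    return {
        "probed": len(hits),
        "served": sum(1 for h in hits if h.served),
        "probes_by_ip": Counter(h.ip for h in hits),
        "served_by_ip": Counter(h.ip for h in hits if h.served),
    }


# Constructed sample log: two served profiler requests from one client, two rejected probes,
# and two ordinary requests that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.10 - - [23/Feb/2024:10:15:32 +0000] "GET /_profiler/latest HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [23/Feb/2024:10:15:33 +0000] "GET /_profiler/8f2a1c?panel=request HTTP/1.1" 200 9870 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [23/Feb/2024:10:15:40 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Feb/2024:11:02:01 +0000] "GET /_profiler/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [23/Feb/2024:11:05:17 +0000] "GET /_wdt/8f2a1c HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [23/Feb/2024:11:05:18 +0000] "GET /index.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"profiler probes: {report['probed']}, served with content: {report['served']}")
    for ip, n in report["served_by_ip"].most_common():
        print(f"  {ip} received {n} profiler page(s)")
```

A non-zero "served" count on a production host is the finding that matters: it means the profiler is reachable from the internet, regardless of who asked. The per-IP breakdown of probes is useful context for the incident timeline but is not on its own evidence of compromise.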
There has recently been a rise in attacks against non-profit organizations, such as hospitals and other civilian infrastructure, that had long been off-limits for cybercriminals.
Given its longstanding global presence spanning over a century, the Red Cross is a tempting target for attackers driven by political, extremist, or hateful motives. Financially motivated attackers may target the organization as a means to obtain donors' financial data, as many charities, including the Red Cross, are moving away from one-time cash donations and encouraging regular, smaller donations.
The Berlin-North-East branch is part of the larger Berlin Red Cross, consisting of eight district units. It has a substantial workforce, with over 100 full-time employees, more than 10,000 supporting members, and over 400 volunteers.
The branch provides a wide range of services, including educational support, operation of family and daycare centers, legal advice, first aid training, medical assistance at events, and aid for homeless individuals, among others.
Cybernews contacted the Red Cross, and the access has since been secured. However, the data had been exposed since September 2022. An official comment is yet to be received.
What caused the leak
The leak was caused by an enabled and publicly accessible Symfony Profiler on the Red Cross website. Symfony Profiler is a debugging and performance optimization tool that developers use most often during the development and testing phases of Symfony applications.
The tool allows developers to inspect the details of each HTTP request. The profiler collects a wide range of information at runtime, including database queries, executed code, HTTP headers, request and response details, and performance data about the application's various components.
The information collected by a profiler can also include anything users submit to the website: uploaded files, filled-out forms, and plaintext usernames and passwords.
The Cybernews research team advises that the Symfony Profiler should always be disabled in production environments to ensure security.
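In a standard Symfony project the profiler is only loaded when `config/bundles.php` registers `WebProfilerBundle` for the current environment and the server runs with that `APP_ENV`; the Symfony Flex default registers it for `dev` and `test` only. The audit below is an added example, not Cybernews' or the Red Cross's code, that reads those two inputs as strings and reports how a production host ends up with the profiler exposed: the bundle registered for `all`/`prod`, or `APP_ENV`/`APP_DEBUG` left at development values. The file contents are constructed; the "weak" and "safe" snippets sit side by side so the difference is visible.

```python
import re

# Matches one KEY=VALUE line of a .env file (optional leading "export").
ENV_LINE_RE = re.compile(r'^(?:export\s+)?([A-Z_][A-Z0-9_]*)\s*=\s*(.*?)$')
# Matches the WebProfilerBundle entry in config/bundles.php and captures its environment array.
BUNDLE_RE = re.compile(r'WebProfilerBundle::class\s*=>\s*\[(?P<envs>[^\]]*)\]')
ENV_FLAG_RE = re.compile(r"""['"](\w+)['"]\s*=>\s*(true|false)""")


def parse_dotenv(*texts: str) -> dict:
    """Merge KEY=VALUE lines; later texts (e.g. .env.local) override earlier ones."""
    result = {}
    for text in texts:
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = ENV_LINE_RE.match(line)
            if m:
                result[m.group(1)] = m.group(2).strip().strip('"\'')
    return result


def profiler_bundle_envs(bundles_php: str) -> set:
    """Environments for which config/bundles.php registers WebProfilerBundle."""
    m = BUNDLE_RE.search(bundles_php)
    if not m:
        return set()
    return {env for env, flag in ENV_FLAG_RE.findall(m["envs"]) if flag == "true"}


def audit_profiler_exposure(bundles_php: str, *dotenv_texts: str) -> list:
    """Return a list of findings; an empty list means the profiler cannot load in production."""
    env = parse_dotenv(*dotenv_texts)
    app_env = env.get("APP_ENV", "dev")  # Symfony's runtime falls back to 'dev' when unset
    app_debug = env.get("APP_DEBUG", "0" if app_env == "prod" else "1")
    bundle_envs = profiler_bundle_envs(bundles_php)

    findings = []
    if app_env != "prod":
        findings.append(f"APP_ENV is '{app_env}'; production hosts must run with APP_ENV=prod")
    # Approximation of PHP's FILTER_VALIDATE_BOOLEAN: these spellings mean "off".
    if app_debug.lower() not in ("0", "false", "off", "no", ""):
        findings.append(f"APP_DEBUG is '{app_debug}'; debug mode must be off in production")
    if "all" in bundle_envs or "prod" in bundle_envs:
        findings.append("WebProfilerBundle is registered for the prod environment in config/bundles.php")
    if "all" in bundle_envs or app_env in bundle_envs:
        findings.append(f"WebProfilerBundle would be loaded under the configured environment '{app_env}'")
    return findings


# Constructed config/bundles.php contents: the weak form loads the profiler everywhere,
# the safe form matches the Symfony Flex default.
WEAK_BUNDLES = r"""<?php
return [
    Symfony\Bundle\FrameworkBundle\FrameworkBundle::class => ['all' => true],
    Symfony\Bundle\WebProfilerBundle\WebProfilerBundle::class => ['all' => true],
];
"""
SAFE_BUNDLES = r"""<?php
return [
    Symfony\Bundle\FrameworkBundle\FrameworkBundle::class => ['all' => true],
    Symfony\Bundle\WebProfilerBundle\WebProfilerBundle::class => ['dev' => true, 'test' => true],
];
"""
# Constructed .env contents for a development box versus a hardened production host.
WEAK_ENV = "APP_ENV=dev\nAPP_DEBUG=1\n"
SAFE_ENV = "APP_ENV=prod\nAPP_DEBUG=0\n"

if __name__ == "__main__":
    for label, bundles, dotenv in (("weak", WEAK_BUNDLES, WEAK_ENV), ("safe", SAFE_BUNDLES, SAFE_ENV)):
        findings = audit_profiler_exposure(bundles, dotenv)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The check is deliberately strict about `APP_ENV`: even with the default bundle registration, deploying a server with `APP_ENV=dev` (a common slip when `.env.local` is copied from a developer's machine) makes the profiler routes live, and the audit reports that case separately from a misconfigured `bundles.php`.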