Security News > 2020 > September > Hacker Uploads Documents to WHO, UNESCO Websites
A hacker has found a way to upload PDF files to the websites of several organizations, including the World Health Organization and UNESCO. The attack, first reported by Cyberwarzone.com, does not appear particularly sophisticated and its impact is likely low, but the same vulnerabilities could have been exploited by more advanced threat actors for more serious attacks.
Georgia Tech and the WHO have apparently removed the files uploaded by the hacker, but the files are still present on the UNESCO and the Cuban government websites at the time of writing.
It's unclear how the hacker managed to upload the files, but it was likely an unsophisticated method considering that the documents were uploaded to domains that appear to be designed to allow users to upload files.
UPDATE 2: UNESCO confirmed for SecurityWeek that the hacker abused the same Webforms method to upload the files.
"As you can imagine, due to its visibility, UNESCO is a target of many such attacks, from denial of service to fraudulent upload. We have protocols for security response but due to the size of such attacks, a delay is sometimes necessary to revert to normal, and we focus on those attacks that target the security of the system," a UNESCO spokesperson said.