Nation-state actors hacked Red Cross exploiting a Zoho bug

The International Committee of the Red Cross (ICRC) said attackers that breached its network last month exploited a Zoho bug.

The International Committee of the Red Cross (ICRC) revealed that the attack that breached its network in January was conducted by a nation-state actor that exploited a Zoho vulnerability.

In January, a cyberattack on a Red Cross contactor resulted in the theft of personal data for more than 515,000 highly vulnerable people seeking missing families. The attack was disclosed by the ICRC, which confirmed that the data originated from at least 60 different Red Cross and Red Crescent National Societies worldwide.

Stolen data includes information belonging to individuals separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention.

The contractor targeted by the attackers is an external company in Switzerland that stores data for the organization. ICRC shut down the systems and website for the Restoring Family Links program that was hit by the attackers.

The attribution of the hack is based on similarities of attackers’ TTPs with the ones associated with APT groups and the targeted nature of the attack.

The Red Cross pointed out that attackers used a “code designed purely for execution on the targeted ICRC servers.” Threat actors also used sophisticated obfuscation techniques to avoid detection. ICRC update speculates that attackers have a high level of skills only available to a limited number of actors.

However, the organization did not attribute the attack to a specific threat actor.

“We determined the attack to be targeted because the attackers created a piece of code designed purely for execution on the targeted ICRC servers. The tools used by the attacker explicitly referred to a unique identifier on the targeted servers (its MAC address).” reads the update published by Red Cross. “The anti-malware tools we had installed on the targeted servers were active and did detect and block some of the files used by the attackers. But most of the malicious files deployed were specifically crafted to bypass our anti-malware solutions, and it was only when we installed advanced endpoint detection and response (EDR) agents as part of our planned enhancement programme that this intrusion was detected.”

The attackers remained inside the Red Cross’s infrastructure for 70 days before being detected, attackers first compromised the servers of the organization on November 9, 2021.

The intruders exploited an unpatched critical vulnerability (CVE-2021-40539) in Zoho’s ManageEngine ADSelfService Plus enterprise password management solution to achieve remote code execution.

“This vulnerability allows malicious cyber actors to place web shells and conduct post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.” reported the ICRC. “Once inside our network, the hackers were able to deploy offensive security tools which allowed them to disguise themselves as legitimate users or administrators. This in turn allowed them to access the data, despite this data being encrypted.”

Red Cross reiterates its call to the attackers not to share, sell, leak or otherwise use this data.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SIM swapping)

[adrotate banner=”5″]

[adrotate banner=”13″]