Hacking

Nation-state actors hacked Red Cross exploiting a Zoho bug

The International Committee of the Red Cross (ICRC) said attackers that breached its network last month exploited a Zoho bug.

The International Committee of the Red Cross (ICRC) revealed that the attack that breached its network in January was conducted by a nation-state actor that exploited a Zoho vulnerability.

In January, a cyberattack on a Red Cross contactor resulted in the theft of personal data for more than 515,000 highly vulnerable people seeking missing families. The attack was disclosed by the ICRC, which confirmed that the data originated from at least 60 different Red Cross and Red Crescent National Societies worldwide.

Stolen data includes information belonging to individuals separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention.

The contractor targeted by the attackers is an external company in Switzerland that stores data for the organization. ICRC shut down the systems and website for the Restoring Family Links program that was hit by the attackers.

The attribution of the hack is based on similarities of attackers’ TTPs with the ones associated with APT groups and the targeted nature of the attack.

The Red Cross pointed out that attackers used a “code designed purely for execution on the targeted ICRC servers.” Threat actors also used sophisticated obfuscation techniques to avoid detection. ICRC update speculates that attackers have a high level of skills only available to a limited number of actors.

However, the organization did not attribute the attack to a specific threat actor.

“We determined the attack to be targeted because the attackers created a piece of code designed purely for execution on the targeted ICRC servers. The tools used by the attacker explicitly referred to a unique identifier on the targeted servers (its MAC address).” reads the update published by Red Cross. “The anti-malware tools we had installed on the targeted servers were active and did detect and block some of the files used by the attackers. But most of the malicious files deployed were specifically crafted to bypass our anti-malware solutions, and it was only when we installed advanced endpoint detection and response (EDR) agents as part of our planned enhancement programme that this intrusion was detected.”

The attackers remained inside the Red Cross’s infrastructure for 70 days before being detected, attackers first compromised the servers of the organization on November 9, 2021.

The intruders exploited an unpatched critical vulnerability (CVE-2021-40539) in Zoho’s ManageEngine ADSelfService Plus enterprise password management solution to achieve remote code execution.

“This vulnerability allows malicious cyber actors to place web shells and conduct post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.” reported the ICRC. “Once inside our network, the hackers were able to deploy offensive security tools which allowed them to disguise themselves as legitimate users or administrators. This in turn allowed them to access the data, despite this data being encrypted.”

Red Cross reiterates its call to the attackers not to share, sell, leak or otherwise use this data.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SIM swapping)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

DORA Compliance Strategy for Business Leaders

In January 2025, European financial and insurance institutions, their business partners and providers, must comply…

1 hour ago

CISA adds Android Pixel, Microsoft Windows, Progress Telerik Report Server bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Android Pixel, Microsoft Windows, Progress Telerik Report…

9 hours ago

City of Cleveland still working to fully restore systems impacted by a cyber attack

Early this week, the City of Cleveland suffered a cyber attack that impacted multiple services.…

14 hours ago

Two Ukrainians accused of spreading Russian propaganda and hack soldiers’ phones

Ukraine’s security service (SBU) detained two individuals accused of supporting Russian intelligence in spreading propaganda…

14 hours ago

Google fixed an actively exploited zero-day in the Pixel Firmware

Google is warning of a security vulnerability impacting its Pixel Firmware that has been actively…

1 day ago

Multiple flaws in Fortinet FortiOS fixed

Fortinet released security updates to address multiple vulnerabilities in FortiOS, including a high-severity code execution…

1 day ago

This website uses cookies.