Red Cross traces hack back to unpatched Zoho vulnerability

The Red Cross said the attack began on November 9 and involved an authentication bypass vulnerability in Zoho ManageEngine ADSelfService Plus.
Written by Jonathan Greig, Contributor

The International Committee of the Red Cross (ICRC) released more details about a hack they discovered last month, tying the incident back to an authentication bypass vulnerability in Zoho ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution.

Tagged as CVE-2021-40539, the vulnerability was spotlighted by several companies last year, including Microsoft, Palo Alto Networks, and Rapid7. Both the US Cybersecurity and Infrastructure Security Agency (CISA) and the German Federal Office for the Protection of the Constitution (BfV) released warnings that APT groups were exploiting the issue. 

In a joint advisory from September, CISA, the FBI, and the US Coast Guard Cyber Command said APT actors had already used CVE-2021-40539 to target "academic institutions, defense contractors and critical infrastructure entities in multiple industry sectors -- including transportation, IT, manufacturing, communications, logistics, and finance."

In a statement on Wednesday, the ICRC admitted that it failed to apply the patch for CVE-2021-40539 before it was initially attacked on November 9, just one day after Microsoft warned that DEV-0322, a group operating out of China, was exploiting the vulnerability.

"The attackers used a very specific set of advanced hacking tools designed for offensive security. These tools are primarily used by advanced persistent threat groups, are not available publicly, and therefore out of reach to other actors. The attackers used sophisticated obfuscation techniques to hide and protect their malicious programs. This requires a high level of skills only available to a limited number of actors," the ICRC said.

"We determined the attack to be targeted because the attackers created a piece of code designed purely for execution on the targeted ICRC servers. The tools used by the attacker explicitly referred to a unique identifier on the targeted servers (its MAC address). The anti-malware tools we had installed on the targeted servers were active and did detect and block some of the files used by the attackers. But most of the malicious files deployed were specifically crafted to bypass our anti-malware solutions, and it was only when we installed advanced endpoint detection and response (EDR) agents as part of our planned enhancement programme that this intrusion was detected."

The organization added that CVE-2021-40539 allows malicious hackers to place web shells and conduct post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.  

Once the hackers were inside the ICRC systems, they used other offensive security tools to hide their identity and masquerade as legitimate users and administrators. The hackers spent 70 days inside the ICRC system before they were discovered in January.

The ICRC would not attribute the attack but did say it is still willing to communicate with the hackers. It is currently working with the National Cyber Security Centre (NCSC) of Switzerland as well as national authorities in countries where the Red Cross and Red Crescent National Societies are operating.

The hack leaked the names and contact information of 515,000 people who are part of the Restoring Family Links program, which works to reconnect missing people and children with their families after wars, violence, or other crises.

The personal information includes the names, locations, and more of missing people and their families, unaccompanied or separated children, detainees, and other people receiving services from the Red Cross and Red Crescent Movement as a result of armed conflict, natural disasters, or migration. 

The login information for about 2,000 Red Cross and Red Crescent staff and volunteers was also breached.

The ICRC said it is still in the process of contacting all of the people involved in the hack, noting that the process "is complex and will take time."

"Those most at risk are our top priority. Some of this is being done through phone calls, hotlines, public announcements, letters, and in some cases it requires teams to travel to remote communities to inform people in-person. We are making every effort to contact people who can be difficult to reach, such as migrants," ICRC said, providing a list of contact details and an FAQ for those who may be affected.  

"We also have developed workaround solutions enabling Red Cross and Red Crescent teams worldwide to continue providing basic tracing services for the people impacted by this breach while we rebuild a new digital environment for the Central Tracing Agency."

The US State Department spotlighted the attack in a statement earlier this month, calling on other countries to raise alarms about the incident.  

The ICRC expressed concern that the stolen data would be "used by States, non-state groups, or individuals to contact or find people to cause harm." The ICRC also said the attack would affect their ability to work with vulnerable populations who may no longer trust them with sensitive information. 

"This attack is an extreme violation of their privacy, safety, and right to receive humanitarian protection and assistance," the organization said. 

"We need a safe and trusted digital humanitarian space in which our operational information, and most importantly the data collected from the people we serve, is secure. This attack has violated that safe digital humanitarian space in every way."
