State Hackers Breach Red Cross Networks with Zoho Bug, ICRC Says

The International Committee of the Red Cross (ICRC) said yesterday it believes that last month’s attack against its network was launched by a state-backed hacking organization.

The attackers stole the personal data of more than 500,000 people enrolled in the “Restoring Family Links” initiative that helps bring together families broken up by war, migration or disasters. Stolen data included names, locations and contact information.

Threat actors leveraged an unpatched high-severity Zoho Manage Engine AD Self Service Plus vulnerability tracked as CVE-2021-40539, which allowed them to bypass REST API authentication and remotely execute arbitrary code.

During the investigation, Red Cross discovered that the attackers maintained access to the impacted servers for 70 days after the initial breach on Nov. 9, 2021.

Once they compromised the Red Cross network, the attackers used various tools and techniques to disguise themselves as local users or administrators to access encrypted data.

The threat actors reportedly deployed custom hacking tools and offensive-security-specific tactics to breach the servers, and they avoided detection through obfuscation techniques, a combination mainly used by advanced persistent threat (APT) groups.

“The anti-malware tools we had installed on the targeted servers were active and did detect and block some of the files used by the attackers,” according to ICRC’s announcement. “But most of the malicious files deployed were specifically crafted to bypass our anti-malware solutions, and it was only when we installed advanced endpoint detection and response (EDR) agents as part of our planned enhancement programme that this intrusion was detected.”

The perpetrators also used "code designed purely for execution on the targeted ICRC servers," and used the targeted servers’ MAC addresses. This led the Red Cross to believe the attack was, in fact, targeted.

Although the Red Cross didn’t attribute the attack to any specific threat actor, they urged perpetrators to refrain from leaking, sharing or selling harvested data, as doing so could “potentially cause yet more harm and pain to those who have already endured untold suffering.”