The International Committee of the Red Cross (ICRC) said today that the hack disclosed last month against its servers was a targeted attack likely coordinated by a state-backed hacking group. During the incident, the attackers gained access to the personal information (names, locations, and contact information) of over 515,000 people in the “Restoring Family Links” program that helps reunite families separated by war, disaster, and migration. To breach the Red Cross servers, the threat actors used tactics and custom hacking tools “designed for offensive security” and obfuscation techniques to evade detection, usually linked to advanced persistent threat (APT) groups. The Red Cross also noted the targeted nature of the attack made evident by the attackers’ use of “code designed purely for execution on the targeted ICRC servers” and using the targeted servers’ MAC address. Additionally, “most of the malicious files deployed were specifically crafted to bypass our anti-malware solutions, and it was only when we installed advanced endpoint detection and response (EDR) agents as part of our planned enhancement program that this intrusion was detected.” The Red Cross discovered during the investigation that the intruders were able to maintain access to its servers for 70 days after the initial breach that took place on November 9, 2021. To breach the network, the attackers exploited an unpatched critical vulnerability (CVE-2021-40539) in Zoho’s ManageEngine ADSelfService Plus enterprise password management solution, which allowed them to remotely execute code without authentication. “This vulnerability allows malicious cyber actors to place web shells and conduct post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files,” the ICRC added. “Once inside our network, the hackers were able to deploy offensive security tools which allowed them to disguise themselves as legitimate users or administrators. This, in turn, allowed them to access the data, despite this data being encrypted.” The Red Cross did not attribute the attack to a specific threat actor and urged the hackers not to share, leak, or sell the extremely sensitive data accessed during the incident. While the attack still awaits attribution, there’s at least one state-backed hacking group known to have exploited the CVE-2021-40539 flaw in attacks. Palo Alto Networks researchers linked a hacking campaign exploiting this Zoho bug to the Chinese-sponsored group known as APT27, later observed by the BfV German domestic intelligence services targeting German commercial organizations since March 2021 using the same bug. The FBI and CISA also issued joint advisories last year to warn of APT groups exploiting ManageEngine flaws to drop web shells on the networks of breached critical infrastructure organizations.
All users of the Restoring Family Links program are advised to be extremely wary of increased phishing attempts. The style of information that was stolen is very commonly used and/or sold by attackers. Zoho has released Zoho ManageEngine ADSelfService Plus build 6114, which patches the CVE-2021-40539 vulnerability. Organizations utilizing this solution should install the necessary patch as soon as possible to mitigate this vulnerability.