Red Cross Attack Attributed to Unpatched Zoho Vulnerability
The International Committee of the Red Cross (ICRC) has revealed that the attack that breached its network in January was conducted by a nation-state actor that exploited a Zoho vulnerability.
An attack on a Red Cross contractor, disclosed last month, resulted in the theft of personal data belonging to more than 515,000 highly vulnerable people searching for missing family members. The attack was disclosed by the ICRC, which confirmed that the data originated from at least 60 different Red Cross and Red Crescent National Societies worldwide and concerned individuals separated from their families by conflict, migration and disaster, missing persons and their families, and people in detention.
The contractor targeted by the attackers is an external company in Switzerland that stores data for the organization. The ICRC shut down the systems and website of the Restoring Family Links program that were hit by the attackers.
The attribution of the hack is based on similarities between the attackers' TTPs and those associated with APT groups, as well as the targeted nature of the attack. The threat actors used sophisticated obfuscation techniques to avoid detection. The ICRC update suggests that the attackers have a level of skill available only to a limited number of actors.
However, the organization did not attribute the attack to a specific threat actor. The attackers remained inside the Red Cross's infrastructure for 70 days before being detected; they first compromised the organization's servers on November 9, 2021.
The intruders exploited an unpatched critical vulnerability (CVE-2021-40539) in Zoho's ManageEngine ADSelfService Plus enterprise password management solution to achieve remote code execution.
The Red Cross reiterates its appeal to the attackers not to sell or leak the stolen data.