Red Cross hack may have been carried out by government hackers

Last month, a Red Cross contractor was hacked, leaking the personal data of 515,000 people. According to the organization, state-backed hackers who exploited a vulnerability in a Zoho product may have been behind the attack.

As we wrote earlier, the leak affected the data of people served by the Restoring Family Links program, which helps reunite families separated by war, natural disaster, migration and other crises. The stolen information had been collected by at least 60 Red Cross and Red Crescent national societies around the world.

When the attack became known, representatives of the Red Cross asked the hackers “not to share, sell, disclose or use this data in any other way.”

Now the International Committee of the Red Cross (ICRC) has published a more detailed report on the incident. It turned out that the intrusion took place back in November 2021, and the attackers remained on the organization’s network for roughly two months, until the compromise was discovered on January 18, 2022.

The Red Cross said the hackers got into the network with an exploit for CVE-2021-40539, an authentication bypass in Zoho ManageEngine ADSelfService Plus, a self-service password management and single sign-on product from the Indian company Zoho. The bug lets an unauthenticated attacker reach the product’s REST API, drop web shells on the server, and from there move laterally through the network and harvest administrator credentials.
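The following Python example is added here for illustration; it is not code from the ICRC report or from Zoho. It shows, in the abstract, the class of bug behind an authentication bypass of this kind and how to hunt for it in web server access logs. It assumes, based on public write-ups of CVE-2021-40539 rather than on anything in this article, that the product’s authentication filter compared the raw request URI against the protected “/RestAPI/” prefix while the servlet container normalized the path before routing it, so a request for “/./RestAPI/…” reached the API without a session. The two endpoint names come from public advisories (CISA AA21-259A), and the log lines are constructed for this example.

```python
"""
Editor's illustration: URI-normalization authentication bypass and a log hunt.

Assumptions (not from the article): public write-ups of CVE-2021-40539 describe
an auth filter that tested the *raw* request URI against "/RestAPI/" while the
container routed on the *normalized* path. Endpoint names come from public
advisories (CISA AA21-259A); the sample log lines are constructed.
"""
import posixpath
import re
from urllib.parse import unquote

PROTECTED_PREFIX = "/RestAPI/"
# Endpoints public advisories name as abused during exploitation (assumed here).
WATCHED_ENDPOINTS = ("/RestAPI/LogonCustomization", "/RestAPI/Connection")

# Tomcat/Apache "common" access log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def normalize_path(raw_uri: str) -> str:
    """Canonicalize a request path roughly the way a servlet container does
    before routing: drop the query string, percent-decode twice (to catch
    double encoding), collapse repeated slashes and resolve '.' and '..'."""
    path = raw_uri.split("?", 1)[0]
    path = unquote(unquote(path))
    path = re.sub(r"/+", "/", path.replace("\\", "/"))
    return posixpath.normpath(path)


def vulnerable_requires_auth(raw_uri: str) -> bool:
    """Bug of the kind described above: the prefix test runs on the raw URI,
    so '/./RestAPI/Connection' is treated as a public page."""
    return raw_uri.startswith(PROTECTED_PREFIX)


def hardened_requires_auth(raw_uri: str) -> bool:
    """Fix: decide on the canonical path, the same one the router will use."""
    norm = normalize_path(raw_uri)
    return norm == PROTECTED_PREFIX.rstrip("/") or norm.startswith(PROTECTED_PREFIX)


def find_suspicious_requests(log_lines):
    """Flag requests whose *normalized* path hits a watched endpoint. A hit
    whose raw URI would have slipped past the raw-prefix check is marked
    filter_bypass=True; that is the strongest signal of exploitation, since a
    plain '/RestAPI/...' request may be a legitimate authenticated call."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m["uri"]
        norm = normalize_path(raw)
        if not any(norm.lower().startswith(ep.lower()) for ep in WATCHED_ENDPOINTS):
            continue
        hits.append({
            "ip": m["ip"],
            "method": m["method"],
            "raw_uri": raw,
            "normalized": norm,
            "status": int(m["status"]),
            "filter_bypass": not vulnerable_requires_auth(raw),
        })
    return hits


# Constructed sample: two obfuscated API hits, one plain API call, one benign page.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Nov/2021:03:14:07 +0000] "POST /./RestAPI/LogonCustomization HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Nov/2021:03:14:09 +0000] "POST /RestAPI/Connection HTTP/1.1" 200 88',
    '198.51.100.7 - - [12/Nov/2021:03:15:00 +0000] "GET /authorization.do HTTP/1.1" 200 3071',
    '203.0.113.5 - - [12/Nov/2021:03:16:21 +0000] "POST /help/..%2fRestAPI%2fConnection HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        flag = "BYPASS" if hit["filter_bypass"] else "direct"
        print(f'{hit["ip"]} {hit["method"]} {hit["raw_uri"]} -> {hit["normalized"]} [{flag}]')
```

Access logs record only the request line, not the POST body, so a URI hit is a lead to pivot on (source address, timing, files written under the web root shortly afterwards), not proof of compromise on its own. The real product’s filter and normalization steps may differ from this sketch; the lesson that carries over is that an authorization decision must be made on the same canonical path the router uses.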

While it was initially unclear who was behind the attack, the Red Cross now says the “advanced hacking tools” used in the intrusion are typical of APT groups and not available to ordinary criminals. The abbreviation stands for “advanced persistent threat” and usually denotes state-sponsored groups operating on a government’s behalf.

“We consider this attack to be targeted, as the attackers created code designed exclusively to be executed on the ICRC’s servers. The tools used by the attackers explicitly referred to a unique identifier on the target servers (MAC address). The anti-malware tools we installed on the target servers were active and did indeed detect and block some of the files used by the attackers. But most of the malware deployed was specifically designed to bypass our security solutions, and the attack was only discovered when we installed advanced EDR agents as part of a planned enhancement program,” the organization’s report says.
Interestingly, Palo Alto Networks researchers had previously linked the Chinese APT27 group to exploitation of CVE-2021-40539. In addition, shortly after the attack on the Red Cross, the German authorities warned local companies and government agencies about APT27 attacks exploiting the same Zoho vulnerability.

As a reminder, we also reported that 38 Million User Records Leaked Due to Misconfiguration of Microsoft Power Apps.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
