Application Security , Breach Notification , Business Continuity Management / Disaster Recovery

Unpatched Zoho Bug Exploited in Red Cross Attack

Attackers Used Customized Code to Target Servers Says ICRC
Unpatched Zoho Bug Exploited in Red Cross Attack
The attacker explicitly referred to a unique identifier on ICRC servers. (Photo: Shutterstock)

The January attack on the International Committee of the Red Cross, which compromised data of more than 515,000 highly vulnerable people, was specifically targeted at the organization, according to its director general, Robert Mardini.

See Also: The State of Organizations' Security Posture as of Q1 2018

"We know that the attack was targeted because the attackers created code designed solely for execution on the concerned ICRC servers - a technique we believe was designed to shield the hackers' activities from detection and subsequent forensic investigations," he says.

The infiltration was not detected by the company's systems and is thus a "sophisticated attack," Mardini says, deeming it a "criminal act" as the breach involved exposure of sensitive humanitarian data.

Exploited Vulnerability

The ICRC's report on the technical details of the attack shows how the hackers entered the ICRC systems.

"The hackers were able to enter our network and access our systems by exploiting an unpatched critical vulnerability in an authentication module (CVE-2021-40539)," the note says.

CVE-2021-40539 is a bug found in Zoho's ManageEngine ADSelfService Plus, a self-service password management and single sign-on tool. The vulnerability is critically rated and has a CVSS score of 9.8.

In September 2021, the U.S. Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation and the U.S. Coast Guard Cyber Command issued a joint alert on this vulnerability. Advanced persistent threat and nation state-actors were actively exploiting the vulnerability, the alert said at the time. (See: US Warns Nation-State Groups May Exploit Flaw in Zoho Tool).

The ICRC's update concurs with this alert. The organization says: "The attackers used a very specific set of advanced hacking tools designed for offensive security. These tools are primarily used by advanced persistent threat groups, are not available publicly, and therefore out of reach to other actors."

CVE-2021-40539, the ICRC says, allows malicious cyber actors to place web shells and conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement and exfiltrating registry hives and Active Directory files. "Once inside our network, the hackers were able to deploy offensive security tools which allowed them to disguise themselves as legitimate users or administrators. This in turn allowed them to access the data, despite this data being encrypted," the ICRC says.

Other Technical Details

'Targeted Attack'

Expanding on Mardini's statement about the cyberattack being a specifically targeted attack on ICRC servers and not an attack on the third-party contractor of the ICRC, the update says: "We determined the attack to be targeted because the attackers created a piece of code designed purely for execution on the targeted ICRC servers. The tools used by the attacker explicitly referred to a unique identifier on the targeted servers - its MAC address."

Undetected by Anti-Malware Tools

The ICRC says its anti-malware tools, installed on the targeted servers, were active at the time of the attack and that some malicious files were detected and blocked by these tools.

"Most of the malicious files deployed were specifically crafted to bypass our anti-malware solutions, and it was only when we installed advanced endpoint detection and response - or EDR - agents as part of our planned enhancement program that this intrusion was detected," the ICRC says.

The threat actors also used sophisticated obfuscation techniques to hide and protect their malicious operations. "This requires a high level of skills only available to a limited number of actors," the ICRC states, raising speculation that the attack was carried out by an APT or a state-backed attacker.

The ICRC statement does note, however, that: “We are confident that this incident did not affect other servers because we segment our systems and we are continually monitoring the overall environment for any signs of malicious activity with advanced tools.”

Why Did the System Remain Vulnerable?

On Sept. 6, Zoho released ADSelfService Plus build 6114, which contains a fix for CVE-2021-40539. But the ICRC says that it unfortunately did not perform a timely application of the patch, as there are "tens of thousands of patches" that need to be implemented across its systems.

There are unverified claims that ICRC data is available on the darkweb.

There are actors on underground forums that seem to claim possession of the ICRC data set, however, ICRC says, “Right now, we do not have any conclusive evidence that this information from the data breach has been published or is being traded. Our cybersecurity team has looked into any reported allegation of data being available on the dark web.”

Raising the Defense

The ICRC has been transparent about the cyberattack and the subsequent investigation. It has also provided information about the defense mechanisms to avoid future incidents.

It says it has implemented a multilevel cyber defense system that includes endpoint monitoring, software scanning and other unnamed tools. It also notes that in this particular instance, its vulnerability management processes and tools could not effectively stop the breach. To remedy this, the organization says it has a cybersecurity enhancement program.

On Feb. 3, Mardini said six new directors will be appointed to the ICRC's executive team. They include Valérie Abrell Duong, who will be the director of support and digital transformation. Abrell Duong is a global IT and digital executive who is currently an independent business advisor to startups in healthcare response, cybersecurity and ecommerce, based in Paris.

Her areas of expertise imply that she could play a pivotal role in further raising the ICRC's cybersecurity standards.

All the appointed directors will formally take up their functions on July 1, 2022, for a period of four years, the ICRC says.

U.S. Condemns Attack

U.S. Department of State spokesperson Ned Price, in the first week of February, issued a public statement condemning the cyberattack targeted at the ICRC.

He said, "The information [the ICRC] acquires and uses is critical to fulfilling its functions to provide medical services and humanitarian protection and assistance - functions that all states have pledged to support in instruments such as the Geneva Conventions."

"Targeting the Red Cross and Red Crescent Movement's sensitive and confidential data is a dangerous development. It has real consequences: this cyber incident has harmed the global humanitarian network's ability to locate missing people and reconnect families. This is why it is so vital that humanitarian data be respected and only used for intended purposes," Price said.

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.