Incident Response, Supply chain, Patch/Configuration Management

Red Cross reveals actors exploited unpatched Zoho security flaw in January breach

The Red Cross said hackers gained access to its network via an unpatched Zoho vulnerability. Pictured: Members of the Italian Red Cross work at a refugee center for displaced persons from Afghanistan on Aug. 31, 2021, in Settimo Torinese, near Turin, Italy. (Photo by Stefano S. Guidi/Getty Images)

The Red Cross released new insights into the cyberattack that led to the compromise of data tied to more than 515,000 people last month. The report shows the hackers gained access to its network through an unpatched vulnerability in the Zoho ManageEngine ADSelfService, CVE-2021-40539.

The report shows the Red Cross was unable to apply the patch before the attack.

“The hackers were able to enter our network and access our systems by exploiting an unpatched critical vulnerability in an authentication module,” according to the update. The flaw enables hackers to install webshells and conduct a range of nefarious activities, including credential theft, lateral movement, and exfiltrating registry and Active Directory files.

After gaining network access, the attackers deployed offensive security tools to disguise their activities as those of legitimate users or administrators. In doing so, the hackers were able to access the Red Cross data, “despite this data being encrypted.”

As first disclosed on Jan. 19, the highly targeted, sophisticated incident hit an external contractor of the Red Cross and put the data of some of the most vulnerable individuals at risk, including those escaping conflict, natural disasters or migration.

At the time, the Red Cross could not confirm whether the data was stolen, but said it seemed “likely,” given that the attackers had “been inside the system and had access to their data.” According to the update, the group is operating under the assumption that the attackers copied and exported the data, as they had the capacity to do so while on the network.

The Red Cross team has been monitoring the situation, and so far, there’s no conclusive information that the data has or will be published or traded. Officials said they’re confident in their initial analysis that the attackers did not delete any data during the attack.

The status update reveals the attackers used “considerable resources” to access the humanitarian group’s systems, using tactics that would have evaded traditional detection tools. Specifically, the hackers leveraged a specific set of offensive security tools that are most commonly used by advanced persistent threat groups and are not made publicly available.

They used “sophisticated obfuscation techniques to hide and protect their malicious programs,” which would require a level of skill possessed by only a small number of threat actors.

The Red Cross determined the attack was indeed targeted as the hackers “created a piece of code designed purely for execution on the targeted ICRC servers.” The tools explicitly referenced a unique identifier tied to the MAC address on the targeted servers.

The impacted servers had anti-malware tools installed prior to the hack that were able to detect and block some of the files used by the hackers. However, the attackers specially crafted the majority of the malicious files successfully deployed on these servers, and those files were able to bypass the anti-malware tools.

The Red Cross was finally able to detect the attack after it installed advanced endpoint detection and response (EDR) agents as part of a security enhancement program. The group has been working with an outside cybersecurity company to support the process of securing its systems and the data in its possession.

Those efforts, including a “deep data dive”, led to the discovery of the hack and compromised data. The latest insights show the hackers first gained access to the system 70 days before it was detected, beginning on Nov. 9, 2021.

The Red Cross also determined that its previously implemented vulnerability management processes and tools were ineffective in stopping the attack. In response, the group is ramping up previously scheduled cybersecurity enhancement efforts to better respond to the evolving threat landscape.

The group has not had any contact with the attackers, nor does it intend to speculate about who launched the attack or why, “in line with our standing practice to engage with any actor who can facilitate or impede our humanitarian work.” The Red Cross is urging the attackers not to share, sell, leak or use the data.

The Red Cross is continuing to work with the National Cyber Security Center (NCSC) of Switzerland and relevant authorities, as it continues to set up interim systems and other recovery efforts. The group is also working to enhance its security with new two-factor authentication and an advanced threat detection tool.

Prior to resuming services, the Red Cross will be performing externally conducted pen tests on all applications and systems.

Security researchers have warned the Red Cross attack could happen to anyone, which means leaders should use this time to conduct and enhance third-party risk management processes.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
