Red Cross Attackers Exploited Zoho Bug Used by China

Written by

A major data breach at the International Committee of the Red Cross (ICRC) in January began with the exploitation of a Zoho vulnerability previously used by Chinese state-backed hackers in attacks.

The ICRC released more details of the attack yesterday in the interests of transparency and responsibility to its stakeholders.

It claimed that the breach was highly targeted and sophisticated, beginning with the exploitation of CVE-2021-40539 in password management system Zoho ManageEngine ADSelfService Plus.

“This vulnerability allows malicious cyber-actors to place web shells and conduct post-exploitation activities such as compromising administrator credentials, conducting lateral movement and exfiltrating registry hives and Active Directory files,” the ICRC explained.

“Once inside our network, the hackers were able to deploy offensive security tools which allowed them to disguise themselves as legitimate users or administrators. This in turn allowed them to access the data, despite this data being encrypted.”

Other indications of a highly targeted APT attack included the use of “a very specific set of advanced hacking tools,” “sophisticated obfuscation techniques” to hide malicious activity and malicious files specially crafted to bypass the organization’s anti-malware defenses.

“We determined the attack to be targeted because the attackers created a piece of code designed purely for execution on the targeted ICRC servers,” the non-profit continued. “The tools used by the attacker explicitly referred to a unique identifier on the targeted servers (its MAC address).”

It was only when the Red Cross installed endpoint detection and response (EDR) agents that it detected the intrusion. It’s believed the breach occurred on November 9 2021, with the attackers present inside the ICRC network for around 70 days.

That tallies with a report from Microsoft of Chinese state actors exploiting the same vulnerability to target organizations in various sectors. However, the ICRC has yet to formally attribute the attack.

Data was stolen on 515,000 “highly vulnerable” people worldwide, including names, locations and contact information. The Restoring Family Links service, which reunites separated families, was impacted.

What’s hot on Infosecurity Magazine?