Cyber attack on Red Cross via Zoho vulnerability, likely by state sponsored attackers

In January 2022, the International Committee of the Red Cross (ICRC) announced a cyberattack on its IT systems. The attackers stole confidential information on more than 515,000 vulnerable people. Now the ICRC has released more details of its internal investigation. The attack was carried out via an unpatched Zoho vulnerability, using purpose-built attack tools. This suggests that state actors carried out the attack to obtain confidential information on vulnerable individuals. The attackers were able to move around the system undetected for 70 days. The case is one of the rare occasions where more details about an attack came to my attention, so I'm reposting them here for review.



Review of the cyber attack

I had reported on January 20, 2022 on the cyberattack in the blog post Cyberattack on Red Cross, data of 515,000 vulnerable people compromised. The attack siphoned off personal data and confidential information on more than 515,000 vulnerable people. This includes people separated from their families due to conflict, migration and disasters, missing persons and their families, and people in detention. The data came from at least 60 Red Cross and Red Crescent national societies around the world. The Red Cross had self-published the incident on this page.


The cyberattack on the International Red Cross was targeted, that much was already clear a week after the incident. I pointed this out in the above blog post.

New details about the attack

I had already noted yesterday that there were now more details about the attack. The ICRC has posted more details in an update on this page dated February 16, 2022. First up is the realization that the attackers likely used significant resources to attack the IT systems. Tactics were used that would not have been detected by most detection programs. Here are the ICRC's statements on the attack:

  • The attackers used advanced hacking tools designed for offensive security measures. These tools are primarily used by Advanced Persistent Threat groups. The tools are not publicly available and therefore inaccessible to other attackers.
  • The attackers used sophisticated obfuscation techniques to hide and protect their malware. This requires a high level of skill available only to a limited number of actors.
  • ICRC forensic experts also determined that this was a targeted attack. The background is that the attackers created code for the attack that was intended to run exclusively on ICRC servers. The tools used by the attacker explicitly referred to a unique identifier on the target servers (the MAC address).
  • The anti-malware tools deployed by ICRC IT on the target servers were able to detect and block some of the files used by the attackers. However, most of the malicious files used were specifically designed to bypass these anti-malware solutions. It wasn't until IT installed advanced endpoint detection and response (EDR) agents as part of planned security improvements that this intrusion was discovered.

So it wasn't discovered until a company specializing in cybersecurity was hired by the ICRC to help to protect its systems. After installing EDR agents, an anomaly was discovered on the ICRC servers that contained information about the Restoring Family Links service of the worldwide Red Cross and Red Crescent movement. Then, on January 18, specialists discovered that hackers had penetrated these systems and gained access to the data.



After a deeper analysis, the IT forensic specialists concluded that the hackers had had access to the systems for 70 days. The analysis shows that the security breach occurred with the hackers' intrusion on November 9, 2021. According to the ICRC's own statement, these 70 days are quite short, as the median time to identify an advanced attack is 212 days.  

Vulnerability CVE-2021-40539 exploited

Analysis of the attack revealed that the hackers were able to penetrate the ICRC network via an unpatched critical vulnerability (CVE-2021-40539). CVE-2021-40539 is about a vulnerability in Zoho ManageEngine ADSelfService Plus version 6113 and earlier variants. These versions are vulnerable to a REST API authentication bypass and allow for resulting remote code execution.

Zoho Corporation is an Indian multinational technology company that makes web-based business tools. It is known for its online Office suite, but it also sells Zoho ManageEngine ADSelfService Plus. That software has repeatedly drawn attention for serious RCE vulnerabilities. By the time CISA issued the warning APT Actors Exploiting CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus on Dec. 2, 2021, pointing out further critical Zoho vulnerabilities, it was already far too late for the Red Cross, as the following analysis shows.

The CVE entry is dated September 6, 2021; the details of this vulnerability were disclosed by Packet Storm Security in this document on November 27, 2021. However, there is this CISA disclosure dated September 16, 2021 (revised November 22, 2021), noting that APT actors are exploiting a newly identified vulnerability in ManageEngine ADSelfService Plus. Zoho released Zoho ManageEngine ADSelfService Plus build 6114 on Sept. 6, 2021, to address the CVE-2021-40539 vulnerability.

So going through the timeline, there was a security update for Zoho ManageEngine ADSelfService Plus (build 6114) on September 6, 2021, and corresponding warnings from CISA about cyberattacks by APT actors as early as September 16, 2021. From the colleagues at Bleeping Computer, I read here that Palo Alto Networks security researchers started looking for vulnerable servers as early as September 17, 2021. An analysis by Palo Alto Networks from November 7, 2021 can be found here.

The patch problem

But at the ICRC, it seems IT didn't respond for a long time, and two months later the incident happened. The ICRC writes that the attack occurred on Nov. 9, 2021, through the unpatched version of Zoho's ManageEngine ADSelfService Plus. This vulnerability allows attackers to place web shells and use them for further activities. Once the hackers had penetrated the ICRC IT network, they were able to deploy offensive security tools. These allowed the attackers to masquerade as legitimate users or administrators. This gave them access to the data even though it was encrypted.

ICRC's IT departments install tens of thousands of patches to existing systems each year, because applying critical patches in a timely manner is essential to cybersecurity. But this is followed by the admission that this particular Zoho patch was not applied before the attack. The ICRC does have a multi-layered cyber defense system that includes endpoint monitoring, scanning software and other tools. In this case, post-attack analysis revealed that vulnerability management processes and tools did not prevent this breach. Immediate changes were made in these areas, but too late for this cyberattack.
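As an added illustration (my own example, not code from the ICRC or Zoho), a small Python check of the kind a vulnerability-management process should have run: it flags ADSelfService Plus builds below 6114 in a constructed inventory and puts the post's dates side by side. The hostnames and the 14-day patch SLA are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Facts from the post: build 6114 (Sept 6, 2021) fixes CVE-2021-40539, builds <= 6113 are
# vulnerable; CISA warned of APT exploitation on Sept 16, 2021; the ICRC intrusion began
# Nov 9, 2021 and was discovered Jan 18, 2022.
CVE_ID = "CVE-2021-40539"
PRODUCT = "ManageEngine ADSelfService Plus"
FIXED_BUILD = 6114
PATCH_RELEASED = date(2021, 9, 6)
CISA_ADVISORY = date(2021, 9, 16)
INTRUSION = date(2021, 11, 9)
DETECTION = date(2022, 1, 18)

@dataclass(frozen=True)
class Asset:
    hostname: str   # constructed sample value, not a real ICRC host
    product: str
    build: int

def is_vulnerable(asset: Asset) -> bool:
    """True if the asset runs an ADSelfService Plus build below the fixed build."""
    return asset.product == PRODUCT and asset.build < FIXED_BUILD

def days_exposed(asset: Asset, as_of: date) -> int:
    """Days the asset stayed unpatched after the fix was available (0 if not vulnerable)."""
    return (as_of - PATCH_RELEASED).days if is_vulnerable(asset) else 0

def sla_breaches(assets, as_of: date, sla_days: int = 14) -> list:
    """Vulnerable assets past the patch SLA (assumed 14 days from the CISA advisory), with days overdue."""
    deadline = CISA_ADVISORY + timedelta(days=sla_days)
    return [(a.hostname, (as_of - deadline).days)
            for a in assets if is_vulnerable(a) and as_of > deadline]

def dwell_time(intrusion: date, detection: date) -> int:
    """Attacker dwell time in days, the figure the ICRC compares with the 212-day median."""
    return (detection - intrusion).days

# Constructed inventory: one unpatched instance, one patched, one unrelated server.
INVENTORY = [
    Asset("adss-01", PRODUCT, 6113),
    Asset("adss-02", PRODUCT, 6114),
    Asset("files-01", "Windows File Server", 0),
]

if __name__ == "__main__":
    for host, overdue in sla_breaches(INVENTORY, INTRUSION):
        print(f"{host}: {CVE_ID} unpatched, {overdue} days past SLA on the day of intrusion")
    print("dwell time:", dwell_time(INTRUSION, DETECTION), "days")
```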

The ICRC does not name anyone responsible for the cyberattack, nor does it say why the hack was carried out. According to its own statement, it does not want to indulge in speculation. There was also no contact with the hackers, according to the ICRC, and no ransom was demanded. But one can already speculate about who is behind the attack. On January 26, 2022, I published the German blog post Verfassungsschutz warnt vor Cyberangriffen der chinesischen APT27, in which the German domestic intelligence service (Verfassungsschutz) warns of cyberattacks by the Chinese group APT27. The post included the note that the attackers already had knowledge of the vulnerability in the Zoho ManageEngine ADSelfService Plus software (CVE-2021-40539) before it became publicly known.


