A month after the disruptive data breach, the International Committee of the Red Cross (ICRC) has shared more details about the cyberattack. The incident turns out to have been the result of threat actors exploiting an unpatched Zoho vulnerability.
Red Cross Cyberattack Update
As revealed, the attackers took deliberate steps to evade detection during the intrusion. They used advanced hacking tools of the kind typically associated with APT groups, and applied obfuscation techniques to keep their malware from being flagged.
This level of sophistication and tooling suggests the threat actors are not a run-of-the-mill cybercrime group. Instead, it appears to have been a carefully targeted attack by a rarer class of advanced threat actor.
Regarding how ICRC determined that the attack was targeted, the post reads:
We determined the attack to be targeted because the attackers created a piece of code designed purely for execution on the targeted ICRC servers. The tools used by the attacker explicitly referred to a unique identifier on the targeted servers (its MAC address).
ICRC's anti-malware solutions did block some of the malicious files on its servers, but the carefully crafted files largely escaped its detection tools. The organization was only able to identify the attack after deploying advanced EDR agents.
The intrusion was first detected by ICRC's cybersecurity partner firm, which led the organization to conclude that the initial compromise had taken place on November 9, 2021.
Zoho Flaw Exploited For The Attack
Investigations have now revealed that the attackers gained a foothold in the organization's network by exploiting a vulnerability in Zoho's ManageEngine ADSelfService Plus (CVE-2021-40539), an authentication bypass in the product's REST API. The vendor had already released a patch for the bug, but ICRC had not applied it in time, leaving its systems exposed.
Regarding how the bug led to the intrusion, the organization explained:
This vulnerability allows malicious cyber actors to place web shells and conduct post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files. Once inside our network, the hackers were able to deploy offensive security tools which allowed them to disguise themselves as legitimate users or administrators. This in turn allowed them to access the data, despite this data being encrypted.
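A practitioner reading this will want a way to check their own exposure. The script below is an added example written for this article, not ICRC's or Zoho's code. It does two things: it compares an ADSelfService Plus build number against the fixed build (6114, per Zoho's advisory for CVE-2021-40539; builds up to 6113 are affected), and it scans web access log lines for the REST API endpoints publicly associated with exploitation of this CVE, normalising the request path first because the reported bypass relied on non-normalised URIs such as `/./RestAPI/...` slipping past the authentication filter. The log lines are constructed for the example, and the regex assumes a common Apache/Tomcat access-log layout; the endpoint list and the log format are assumptions to adjust to your environment.

```python
import re
from posixpath import normpath
from typing import Dict, List, Optional

# Fixed build per Zoho's advisory for CVE-2021-40539 (builds up to 6113 are affected).
FIXED_BUILD = 6114

# REST API endpoints tied to the authentication bypass in public exploitation guidance.
# Assumption: treat this as a starting list to tune, not an exhaustive set.
SUSPICIOUS_ENDPOINTS = ("/RestAPI/LogonCustomization", "/RestAPI/Connection")

# Assumption: a common access-log layout (client, timestamp, request line, status, size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines for the example (not real ICRC data).
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Nov/2021:03:12:41 +0000] "POST /./RestAPI/LogonCustomization HTTP/1.1" 200 1843',
    '198.51.100.7 - - [09/Nov/2021:03:12:42 +0000] "POST /RestAPI/Connection HTTP/1.1" 200 512',
    '203.0.113.5 - - [09/Nov/2021:03:15:10 +0000] "GET /adsf/authCheck.do HTTP/1.1" 200 2210',
    '192.0.2.9 - - [09/Nov/2021:03:16:00 +0000] "GET /help/../RestAPI/Connection?x=1 HTTP/1.1" 403 0',
]


def build_is_vulnerable(build: int) -> bool:
    """True when the installed build predates the fix."""
    return build < FIXED_BUILD


def normalise_path(path: str) -> str:
    """Drop the query string and collapse '/./' and '/../' segments.

    The authentication filter is reported to have matched on the raw URI while the
    servlet container normalised it, so a path like '/./RestAPI/...' reached the
    endpoint without passing the filter. Normalising here makes such requests
    match the same way the container saw them.
    """
    return normpath(path.split("?", 1)[0])


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious_requests(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per request that targets a watched REST API endpoint."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        raw_path = rec["path"].split("?", 1)[0]
        norm = normalise_path(rec["path"])
        for endpoint in SUSPICIOUS_ENDPOINTS:
            if norm.lower().startswith(endpoint.lower()):
                hits.append({
                    "ip": rec["ip"],
                    "timestamp": rec["ts"],
                    "method": rec["method"],
                    "raw_path": rec["path"],
                    "normalised_path": norm,
                    "status": int(rec["status"]),
                    # A raw path that differs from its normalised form is the
                    # filter-evasion pattern worth escalating first.
                    "evasion": norm != raw_path,
                })
                break
    return hits


if __name__ == "__main__":
    for build in (6113, 6114):
        print(f"build {build}: {'VULNERABLE' if build_is_vulnerable(build) else 'patched'}")
    for hit in find_suspicious_requests(SAMPLE_LOG):
        flag = "EVASION" if hit["evasion"] else "direct"
        print(f"{hit['timestamp']} {hit['ip']} {hit['method']} {hit['raw_path']} "
              f"-> {hit['normalised_path']} [{hit['status']}] {flag}")
```

Run it against an exported access log (one line per element of the list) rather than the constructed sample; a 200 response to a normalised `/RestAPI/LogonCustomization` POST from an unexpected client is the event to pivot on, and a hit with `evasion` set should be treated as an exploitation attempt regardless of status code, since the point of the bypass was to make the filter's decision irrelevant.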
While these details have been clarified, the attackers' identity remains unknown. The Red Cross confirmed that it has received no ransom or similar demands, and that it has found no evidence of the data being leaked on the dark web. Nonetheless, the organization continues to appeal to the attackers not to abuse the data of the 515,000 vulnerable people affected.