Red Cross hackers exploited Zoho vulnerability to gain entry


Accessed case files of 515,000 vulnerable people held in encrypted database.

The attack on the International Committee of the Red Cross (ICRC) that saw highly sensitive personal data belonging to more than 515,000 vulnerable people accessed was carried out with code designed to run solely on the humanitarian organisation's servers, a forensic analysis has determined.

ICRC technical analysis has established that the attackers used custom code that identified the organisation's servers by their unique media access control (MAC) network addresses and executed only on those machines.
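Keying malware to a MAC address cuts both ways: the addresses have to be embedded in the sample, so a defender who has a copy can check whether it is tied to their own fleet. The following is an added example, not code from the ICRC, its analysts or the attackers, that sweeps a binary for hard-coded MAC addresses in the encodings a Windows executable typically stores strings in (8-bit ASCII and UTF-16LE at either byte alignment) and matches them against an asset inventory. The blob, the inventory and the function names are constructed for illustration.

```python
import re
from typing import Iterable, Iterator, List, Set

# Constructed sample "binary" for illustration only: junk bytes around three MAC
# addresses stored as ASCII colon-separated, ASCII dash-separated, and UTF-16LE
# (the encoding Windows binaries commonly use for wide strings).
SAMPLE_BLOB = (
    b"\x90\x90MZ\x00\x00target=00:1A:2B:3C:4D:5E\x00"
    + b"\x00\x11other 00-1a-2b-3c-4d-5f\x00\xde\xad"
    + "gate 00:AA:BB:CC:DD:EE".encode("utf-16le")
    + b"\x00\x00\xff"
)

# Six hex pairs separated by ':' or '-', not embedded in a longer hex run.
_MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f:-])([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})(?![0-9A-Fa-f:-])"
)


def canonical_mac(text: str) -> str:
    """Normalise a MAC string to lower-case, colon-separated form for comparison."""
    return text.strip().replace("-", ":").lower()


def _string_views(blob: bytes) -> Iterator[str]:
    """Yield the blob decoded as 8-bit text and as UTF-16LE at both byte alignments.

    A wide string can start at an odd offset, in which case only the shifted
    decode lines up on character boundaries, so both are tried.
    """
    yield blob.decode("latin-1")
    for offset in (0, 1):
        yield blob[offset:].decode("utf-16le", errors="replace")


def extract_macs(blob: bytes) -> Set[str]:
    """Return every MAC-address-looking string found in any decoding of the blob."""
    found: Set[str] = set()
    for view in _string_views(blob):
        for match in _MAC_RE.finditer(view):
            found.add(canonical_mac(match.group(1)))
    return found


def inventory_hits(blob: bytes, inventory: Iterable[str]) -> List[str]:
    """Return the inventory MACs (canonical form, sorted) that the sample hard-codes.

    A hit means the sample is keyed to one of your own machines: the gating
    behaviour described above, and a strong sign of a build made for you.
    """
    embedded = extract_macs(blob)
    return sorted(canonical_mac(m) for m in inventory if canonical_mac(m) in embedded)


if __name__ == "__main__":
    # Constructed inventory: one address the sample targets and one it does not.
    inventory = ["00-AA-BB-CC-DD-EE", "00:00:00:00:00:01"]
    print("embedded:", sorted(extract_macs(SAMPLE_BLOB)))
    print("hits on inventory:", inventory_hits(SAMPLE_BLOB, inventory))
```

Run it against a real sample with your own MAC list; a match on a machine you own is worth more than any signature hit, because it tells you the operator knew your environment before the code ran.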

Although the ICRC's anti-malware solution detected and blocked some of the attackers' files, most of the malicious code deployed was specifically crafted to bypass its defences, according to the technical analysis carried out by a specialist cyber security company.

The attackers used sophisticated obfuscation techniques to hide and protect their malicious programs, the ICRC said.

This requires a high level of skill, and the ICRC said the tools used in the hack are those employed by advanced persistent threat (APT) actors.

To get into the servers, the hackers exploited CVE-2021-40539, an authentication bypass in the REST API of Zoho's ManageEngine ADSelfService Plus self-service password management and single sign-on product, to place webshells on unpatched servers.
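The bypass class behind CVE-2021-40539 leaves a recognisable trace: the protected REST API is reached through a request path that only becomes /RestAPI/... after the server resolves dot segments, and the follow-on webshell is a JSP driven by a command parameter. Here is an added detection example, not code from the ICRC, its analysts or the vendor, that parses combined-format access-log lines, normalises each path and flags both patterns. The log lines are constructed for illustration (the /./RestAPI/ and ReportGenerate.jsp paths mirror public reporting on this CVE but should be treated as illustrative, and the parameter names and function names are assumptions); the check itself is general and catches any non-canonical route into the API prefix, not just the strings shown.

```python
import posixpath
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed access-log lines in combined-log shape, for illustration only
# (not ICRC, vendor or real attacker traffic). Two reach the REST API through
# non-canonical paths, one invokes a JSP with a command parameter, two are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Nov/2021:10:12:01 +0000] "POST /./RestAPI/LogonCustomization HTTP/1.1" 200 512 "-" "python-requests/2.26"
203.0.113.7 - - [09/Nov/2021:10:12:03 +0000] "POST /RestAPI/Connection HTTP/1.1" 401 0 "-" "python-requests/2.26"
198.51.100.22 - - [09/Nov/2021:10:15:44 +0000] "GET /help/admin-guide/Reports/ReportGenerate.jsp?cmd=whoami HTTP/1.1" 200 77 "-" "curl/7.68.0"
192.0.2.9 - - [09/Nov/2021:10:20:00 +0000] "GET /authorization.do HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Nov/2021:10:21:00 +0000] "GET /%2e%2e/RestAPI/Connection HTTP/1.1" 200 300 "-" "curl/7.68.0"
"""

# Apache/Tomcat combined log format: client, identd, user, [time], "request", status, size, ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Query parameter names a webshell is commonly driven with (assumed list; extend to taste).
_SHELL_PARAM_RE = re.compile(r"(?:^|&)(?:cmd|command|exec)=", re.I)


def canonical_path(raw_target: str):
    """Split a request target into (decoded path, normalised path, query string)."""
    path, _, query = raw_target.partition("?")
    decoded = unquote(path)                    # %2e%2e -> ..
    normalised = posixpath.normpath(decoded)   # /./RestAPI/x -> /RestAPI/x, /../x -> /x
    return decoded, normalised, query


def analyze_access_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        decoded, normalised, query = canonical_path(m.group("target"))
        reasons = []
        # An auth filter that compares the raw path against a protected prefix is
        # fooled by dot segments that the servlet container resolves away later.
        if normalised.startswith("/RestAPI/") and decoded != normalised:
            reasons.append("REST API reached via non-canonical path (auth-filter bypass pattern)")
        if normalised.lower().endswith(".jsp") and _SHELL_PARAM_RE.search(query):
            reasons.append("JSP invoked with a command-style parameter (possible webshell)")
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "method": m.group("method"),
                "path": normalised,
                "status": m.group("status"),
                "reason": "; ".join(reasons),
            })
    return findings


if __name__ == "__main__":
    for f in analyze_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['method']} {f['path']} {f['status']}: {f['reason']}")
```

The second sample line, a direct /RestAPI/Connection request that gets a 401, is deliberately not flagged: the point is the mismatch between the path the filter saw and the path the application executed, and a straight request that was refused is the product behaving correctly. Pair the findings with a file-integrity check of the web root for newly written .jsp files, since a webshell that is only ever called once will produce a single log line.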

Once in the network, the attackers were able to perform further reconnaissance, compromise administrator credentials, move laterally, and exfiltrate Windows registry hives and Active Directory database files.
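Taking registry hives and the Active Directory database off a Windows server is usually done with built-in tools whose command lines are distinctive: reg save against the SAM, SYSTEM or SECURITY hives, ntdsutil's "ifm" media export, or a volume shadow copy followed by copying NTDS.dit out of it. The following is an added detection example, not code from the ICRC or its analysts, that runs such rules over constructed process-creation records (shaped like Sysmon Event ID 1 or Security Event 4688 fields) and singles out hosts where more than one step of the sequence appears, since a lone reg save may be an administrator while a shadow copy plus a copy of NTDS.dit from it is the dump itself. Host names, user names, record layout and the chaining threshold are assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed process-creation records, illustration only (not real ICRC telemetry).
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\svc-backup",
     "cmdline": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Temp\\dump" quit quit'},
    {"host": "SRV02", "user": "CORP\\jsmith",
     "cmdline": "reg save HKLM\\SAM C:\\Users\\Public\\sam.hiv"},
    {"host": "SRV02", "user": "CORP\\jsmith",
     "cmdline": "reg save hklm\\system C:\\Users\\Public\\sys.hiv"},
    {"host": "DC01", "user": "CORP\\admin",
     "cmdline": "vssadmin create shadow /for=C:"},
    {"host": "DC01", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit C:\\Temp\\n.dit"},
    {"host": "WS07", "user": "CORP\\jsmith",
     "cmdline": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"},
]

# Each rule names the technique and matches the command line that performs it.
RULES = [
    ("registry hive export (SAM/SYSTEM/SECURITY)",
     re.compile(r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(?:sam|system|security)\b", re.I)),
    ("ntdsutil IFM media creation (dumps NTDS.dit)",
     re.compile(r"\bntdsutil(?:\.exe)?\b.*\bifm\b", re.I)),
    ("volume shadow copy creation",
     re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b", re.I)),
    ("NTDS.dit or hive copied out of a shadow copy",
     re.compile(r"harddiskvolumeshadowcopy\d+\\.*\\(?:ntds\.dit|sam|system|security)\b", re.I)),
]


def detect_credential_dumping(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (event, rule) match, preserving event order."""
    findings = []
    for ev in events:
        for technique, rx in RULES:
            if rx.search(ev["cmdline"]):
                findings.append({"host": ev["host"], "user": ev["user"],
                                 "technique": technique, "cmdline": ev["cmdline"]})
    return findings


def hosts_with_chained_activity(findings: List[Dict[str, str]], min_distinct: int = 2) -> List[str]:
    """Hosts on which at least `min_distinct` different techniques fired.

    Repeats of the same technique (two reg save calls) do not count as a chain;
    different steps of the dump sequence on one host do.
    """
    seen: Dict[str, Set[str]] = {}
    for f in findings:
        seen.setdefault(f["host"], set()).add(f["technique"])
    return sorted(h for h, techs in seen.items() if len(techs) >= min_distinct)


if __name__ == "__main__":
    found = detect_credential_dumping(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']} {f['user']}: {f['technique']} <- {f['cmdline']}")
    print("hosts with chained activity:", hosts_with_chained_activity(found))
```

The rules only work if command lines are being recorded at all; on a default Windows install Event 4688 omits them until "Include command line in process creation events" is enabled by policy, and Sysmon records them by default. Exfiltration of the resulting files still needs to be caught separately, for example by watching for the dump output being read by an archiver or a network-capable process.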

By deploying offensive security tools that let them pose as legitimate users and administrators, the hackers were able to access the sensitive Restoring Family Links (RFL) database and its contents even though it was encrypted: an attacker holding valid administrator credentials is served the decrypted data just as a genuine administrator would be, so encryption at rest offers no protection once identity is compromised.

The ICRC discovered the attack on January 18, 2022, but the analysis indicates the hackers first breached the servers on November 9, 2021, the ICRC said.

It is not clear at this stage who is behind the hack, but the ICRC reiterated its call to the threat actors not to share, sell, leak or otherwise use the data.

The Australian Red Cross is contacting clients that may have been caught up in the breach.
