The International Committee of the Red Cross (ICRC) reported that the hacking of the organization’s servers revealed last month was most likely the work of a hacker group working for the government.
As a result of the attack, the attackers gained access to personal information (names, location and contact details) of more than 515 thousand participants in the program for the reunification of family members separated due to war, natural disasters or migration.
To hack servers, hackers used tactics, custom hacking tools “designed for offensive security”, and obfuscation techniques to bypass detection, which APT groups usually use.
The fact that the attack was targeted is evidenced by the use of “code developed exclusively for execution on the attacked ICRC servers.” In addition, most of the deployed malicious files were created in such a way as to bypass the anti-virus solutions used by the ICRC. The attack was detected only when the organization installed EDR agents on its endpoints.
As it turned out during the investigation, the attackers had access to the servers for 70 days after receiving initial access on November 9, 2021.
To hack the network, hackers exploited an uncorrected vulnerability CVE-2021-40539 in the corporate password manager Zoho ManageEngine ADSelfService Plus, which allowed them to remotely execute the code without authorization.
Having gained access to the network, the attackers deployed penetration testing tools, which allowed them to impersonate legitimate users and administrators. Thus, hackers could access the data despite the fact that it was encrypted.
The Red Cross does not attribute the attack to any particular cybercrime group, however, at least one exploiting the vulnerability CVE-2021-40539 is known. Earlier, Palo Alto Networks specialists linked the exploitation of a vulnerability in Zoho ManageEngine ADSelfService Plus with the APT27 grouping funded by the Chinese government.