[BreachExchange] Hackers Had Access to Red Cross Network for 70 Days

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Fri Feb 18 09:33:24 EST 2022


https://www.securityweek.com/hackers-had-access-red-cross-network-70-days

One month after disclosing a data breach that affected roughly 515,000
people, the International Committee of the Red Cross (ICRC) announced that
the hackers had access to its network for 70 days before the attack was
discovered.

The attackers gained access to the Red Cross network on November 9, 2021,
by exploiting CVE-2021-40539, a critical-severity authentication bypass
flaw in Zoho’s ManageEngine ADSelfService Plus, ICRC explains in an updated
FAQ.

ICRC says the attackers employed various techniques to pose as legitimate
users and hide their presence in the environment, and to steal personal
information such as names, contact details, and location.

“This was a sophisticated attack – a criminal act – breaching sensitive
humanitarian data. We know that the attack was targeted because the
attackers created code designed solely for execution on the concerned ICRC
servers, a technique we believe was designed to shield the hackers'
activities from detection and subsequent forensic investigations,” ICRC
says.

No further details on the threat actor behind the attack were provided, but
investigative journalist Brian Krebs says that a hacker claiming to be in
possession of stolen Red Cross data might be linked to an Iranian influence
operation.

The hacker, Krebs says, registered an account on an underground forum using
an email address that was also used to register multiple domain names that
were associated with said influence campaign.

Despite the hacker’s attempt to sell access to the Red Cross data, ICRC
says that, to its knowledge, “the information has not been published or
traded at this time.”

In a statement this week, ICRC says it has been working with Red Cross and
Red Crescent National Society partners to inform all of those who had their
data compromised in the incident, to “mitigate the risks they may face.”

“Those affected include missing people and their families, detainees and
others receiving services from the Red Cross and Red Crescent Movement as a
result of armed conflict, natural disasters, or migration,” ICRC says.

On their FAQ page, ICRC says it has had no contact with the attackers and
has received no ransom demand, but notes that it is willing to interact
with the attackers, “to impress upon them the need to respect our
humanitarian action.”