
The Red Cross Data Breach: ManageEngine vulnerability exploited, with APT27 the likely intruder

The Red Cross data breach made headlines last month, when the organization disclosed the intrusion into its network and attributed it to state-sponsored hackers. In an update on the breach, the Red Cross says the attack took place on November 9, 2021 and was identified only on January 18, 2022.

The attackers breached the network by exploiting CVE-2021-40539, a REST API authentication bypass in Zoho ManageEngine ADSelfService Plus build 6113 and earlier that allows unauthenticated remote code execution.

Source: The Record

Details on the ManageEngine Software

ADSelfService Plus is a self-service password management and Single Sign-On (SSO) product from Zoho, an Indian software firm. The vulnerability allowed the attackers to bypass authentication, drop web shells on the servers, and then move laterally across the network, compromising administrator credentials along the way. The attackers also compromised Restoring Family Links, a Red Cross program used by volunteers to reunite family members separated by disaster, conflict or migration.
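As an added example (not code from the original article, the ICRC or Zoho), below are the two first-response checks a defender would run against an ADSelfService Plus host after reading the above: a build-number check against the affected range (build 6113 and earlier, as stated in the advisory), and a scan of the web access log for REST API requests that reach `/RestAPI/` through an un-normalised dot-segment path (`/./RestAPI/...`), which is the publicly documented form the authentication bypass took in the affected builds. The combined-format log layout, the version-string format, the IP addresses and timestamps are assumptions; the endpoint names in the sample lines (`LogonCustomization`, `Connection`) come from public CISA reporting on this CVE, and the sample log lines themselves are constructed for illustration.

```python
"""Added example: first-response checks for the ADSelfService Plus exposure.

Not code from the original article, the ICRC or Zoho.  Two checks:
  1. is_vulnerable_build()         -- build 6113 and earlier are affected
  2. suspicious_restapi_requests() -- hunt the access log for REST API calls
     whose path reaches /RestAPI/ through an un-normalised dot segment
     ("/./RestAPI/..."), the publicly documented shape of the auth bypass.
The log layout and the sample lines below are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List
from urllib.parse import unquote

# Highest affected build for CVE-2021-40539 (build 6113 and prior).
MAX_VULNERABLE_BUILD = 6113

# Assumption: the product reports its version as e.g. "6.1 Build 6113".
_BUILD_RE = re.compile(r"\bBuild\s+(\d+)\b", re.IGNORECASE)


def is_vulnerable_build(version_string: str) -> bool:
    """True if the build number is 6113 or lower.

    An unparsable string is reported as vulnerable on purpose: an unknown
    build on an internet-facing SSO box should be investigated, not skipped.
    """
    m = _BUILD_RE.search(version_string)
    if m is None:
        return True
    return int(m.group(1)) <= MAX_VULNERABLE_BUILD


# Assumption: combined-format access log lines (Apache/Tomcat style).
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A dot segment ("/./" or "/../") immediately before the RestAPI component.
# The vulnerable filter matched the literal URI, so such a path reached the
# REST handlers without a session.  Matching is done on the decoded path so
# that "%2e" spellings are caught too.
_DOTSEG_RESTAPI_RE = re.compile(r"/\.{1,2}/+RestAPI/", re.IGNORECASE)


def suspicious_restapi_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the log entries that hit /RestAPI/ through a dot-segment path.

    Each hit carries the client IP, timestamp, method, decoded path and HTTP
    status; a 200 here means the bypass succeeded, a 401 means the filter held.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = _LOG_RE.match(line)
        if m is None:
            continue  # not an access-log line; skip rather than guess
        decoded = unquote(m.group("path"))
        if _DOTSEG_RESTAPI_RE.search(decoded):
            hits.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "method": m.group("method"),
                "path": decoded,
                "status": m.group("status"),
            })
    return hits


# Constructed sample log: endpoint names are from public reporting on this
# CVE; the addresses, timestamps and sizes are made up.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [09/Nov/2021:03:12:44 +0000] "GET /adssp/ HTTP/1.1" 200 5123',
    '10.0.0.5 - - [09/Nov/2021:03:12:49 +0000] "POST /RestAPI/LogonCustomization HTTP/1.1" 401 0',
    '10.0.0.5 - - [09/Nov/2021:03:12:51 +0000] "POST /./RestAPI/LogonCustomization HTTP/1.1" 200 311',
    '10.0.0.5 - - [09/Nov/2021:03:13:02 +0000] "POST /%2e/RestAPI/Connection HTTP/1.1" 200 189',
    '192.168.1.20 - - [09/Nov/2021:08:00:00 +0000] "GET /adssp/ HTTP/1.1" 200 5123',
]


if __name__ == "__main__":
    print("build 6113 vulnerable:", is_vulnerable_build("6.1 Build 6113"))
    for hit in suspicious_restapi_requests(SAMPLE_ACCESS_LOG):
        print(hit)
```

Run against the real `access_log` files of the product and pivot on the client IP of any hit: in the sample data the same address is refused on the plain `/RestAPI/` path and then accepted on the dot-segment path seconds later, which is the signature of the bypass succeeding. A hit does not prove a web shell was written, so follow up by checking the web application directories for recently modified `.jsp` files.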

After the breach was disclosed last month, Robert Mardini, Director General of the International Committee of the Red Cross (ICRC), appealed to the hackers not to leak the personal information, as it belongs to highly vulnerable people who have already endured a great deal. The breached data, including names, addresses, reasons for separation, locations and contact details, relates to 515,000 separated individuals.

Hackers behind the Red Cross Data Breach

According to the Red Cross, the entity behind the data breach is an Advanced Persistent Threat (APT) group, an assessment based on the hacking tools used in the incident. An APT group is typically state-sponsored and operates for political or strategic rather than purely financial motives.

The Red Cross gave the following reasons for attributing the attack to an APT group:

  • The attack was carried out using a specific set of hacking tools designed for intrusions. The tools match the modus operandi of APT groups and are not publicly available on the web.
  • Sophisticated obfuscation techniques were employed to keep the malicious programs hidden, which requires a high level of skill.
  • The attack was targeted: the code was written specifically for the ICRC servers, and the unique identifier used by the hackers matches the MAC address of the Red Cross servers.
  • The malicious programs evaded the security solutions meant to detect the breach. They bypassed antivirus except for a few files, which we believe to be a negligible fraction of the malicious programs involved. Only after installing Endpoint Detection and Response (EDR) agents on our devices were we able to identify the breach.

The attackers were inside the organization's network for more than two months until the EDR agents detected them last month. Separately, a Palo Alto Networks report published in November 2021 linked exploitation of a similar Zoho vulnerability to the Chinese state-sponsored group APT27.

Following the Red Cross data breach news, the German government published a security warning to state agencies and private companies about APT27 attacks leveraging the Zoho vulnerability. Taken together, these reports point toward APT27 as the likely entity behind the Red Cross data breach, although the Red Cross itself has only attributed the attack to an unnamed APT group.

The US State Department made the following statement on the Red Cross data breach last month: "Targeting the Red Cross and Red Crescent Movement's sensitive and confidential data is a dangerous development. It has real consequences: this cyber incident has harmed the global humanitarian network's ability to locate missing people and reconnect families. This is why it is so vital that humanitarian data be respected and only used for intended purposes. To ensure states and vulnerable people can continue to trust and rely on the Red Cross and Red Crescent Movement for the help they need, states should join the ICRC in raising the alarm about this breach."

When hackers start targeting organizations like the ICRC, the concern goes beyond financial loss: these attackers are not after monetary gain but pursue the far more nefarious goal of disrupting society, political stability and humanity as a whole.

John Greenwood

He has been working with Cybersec and Infosec market for 12+ years now. Passionate about AI, Cybersecurity, Info security, Blockchain and Machine Learning. When he is not occupied with cybersecurity, he likes to go on bike rides!
