Red Cross servers ‘were hacked via unpatched ManageEngine flaw’

The Red Cross has revealed that personal data belonging to more than half a million “highly vulnerable” people was compromised via the abuse of an unpatched vulnerability.

Nearly a month after detecting and disclosing the intrusion, the International Committee of the Red Cross (ICRC) said on Wednesday (February 16) that its investigation had encountered a “highly sophisticated and targeted” attack.

Attackers had optimized malicious code for ICRC servers and anti-malware defenses, deployed sophisticated obfuscation techniques, and used hacking tools “primarily used by advanced persistent threat groups” in order to “disguise themselves as legitimate users or administrators”, said the humanitarian organization.

Lessons learned

The ICRC said it took compromised servers offline after detecting the attack on January 18. It believes its servers were hacked on November 9, 2021.

The attack vector was apparently a critical REST API authentication bypass in Zoho ManageEngine ADSelfService Plus, a password management and single sign-on (SSO) platform, that was patched in September 2021.

The failure to apply the fix for this remote code execution (RCE) threat has prompted “immediate changes” to vulnerability management processes and tools, said the ICRC, as well as the acceleration of security improvements already in place.

BACKGROUND Red Cross suffers cyber-attack – data of 515,000 ‘highly vulnerable’ people exposed

Despite being encrypted, personal data such as names, locations, and contact information of more than 515,000 people from across the world was accessed and likely exfiltrated, said the ICRC.

Data breach victims include “missing people and their families, detainees, and other people receiving services from the Red Cross and Red Crescent Movement as a result of armed conflict, natural disasters, or migration”.

The ICRC, which provides medical and other assistance to those impacted by conflict and war internationally, said it had found no evidence that the data has been “published or traded” or that the threat actors had deleted any data from its networks.

The “complex” process of notifying victims involves not just phone calls, hotlines, public announcements, and letters but also, in some cases, Red Cross teams traveling to remote communities to inform people in-person, it said.

‘Low-tech solutions’

The data relates to the activities of Restoring Family Links, a Red Cross program dedicated to reuniting families caught up in conflicts or natural disasters.

The program was initially paused in the wake of the attack, but ICRC director-general Robert Mardini said in an open letter: “We have managed to ensure that the vital work of locating missing family members has continued, albeit at minimal service levels, through low-tech solutions (using simple spreadsheets, for example), while we work toward resuming full service with enhanced security features.”

The Red Cross presents itself as “neutral, impartial, and independent” in order to discourage attacks against its personnel during conflicts – and ICRC director-general Robert Mardini called for its neutrality to be recognized in the digital arena.

“We will now strengthen our engagement with states and non-state actors to explicitly demand that the protection of the Red Cross and Red Crescent Movement’s humanitarian mission extends to our data assets and infrastructure,” he said. “We believe it is critical to have a firm consensus – in words and actions – that humanitarian data must never be attacked.”