The International Committee of the Red Cross (ICRC) has determined the cause of last month’s cyber attack: an authentication module had not been patched. The failure to install this security update allowed the attackers to exploit a zero-day vulnerability in the software.
Hackers steal personal data of half a million people
In January, the headquarters of the International Committee of the Red Cross in Geneva was the target of a cyber attack. Hackers had access to personal and privacy-sensitive data of 515,000 refugees and other ‘extremely vulnerable people’. Among them are more than 4,600 people who have knocked on the door of the Dutch Red Cross branch in the past. The attackers also managed to steal the login details of about 2,000 employees and volunteers.
After the data breach came to light, the ICRC was initially able to provide few details about the cyber attack. Mardini suspected that it was a targeted attack on the Red Cross. He indicated that he wanted to enter into discussions with the perpetrators, but that has not yet happened. No ransom has yet been demanded for the return of the data. To the best of our knowledge, no personal data or passwords have been made public.
Security update not installed
On Wednesday, Mardini published new details about the cyber attack. On the ICRC website, the CEO writes that the hackers exploited a security vulnerability in the authentication module Zoho ManageEngine ADSelfService Plus. The Red Cross uses this software to reset the passwords required to access Active Directory and cloud applications.
Software developer Zoho was aware of the vulnerability, which is classified as a zero-day exploit. This means that the leak had existed since the product’s launch but was not yet known to the manufacturer at the time. In early September, Zoho released a patch for the vulnerability, also known as CVE-2021-40539. However, the Red Cross had not yet installed it. Why this did not happen at the time is unclear.
“Every year we perform tens of thousands of patches on all our systems. Applying critical patches in a timely manner is essential for our cybersecurity, but unfortunately, we did not apply this patch in time before the attack took place,” said Mardini.
Red Cross introduces additional security measures
The data breach at the Red Cross came to light on January 18. However, the ICRC’s own investigation shows that the perpetrators already had access to its servers on 9 November last year. According to Mardini, the attackers used “advanced hacking tools” that are not available to the general public. They also went to great lengths to hide their identities and their malicious programs. According to the director, this means that the attackers had technical knowledge and expertise.
After IT employees came across the vulnerability, they immediately took the affected servers offline. As additional security measures, the Red Cross is introducing two-factor authentication and an advanced threat detection solution.