Published: February 23, 2022
On February 16, the International Committee of the Red Cross (ICRC) said the intrusion was a targeted attack, almost a month after it had discovered and announced the breach.
It seems that the hackers had optimized the malware for the ICRC servers specifically and used different hacking tools to “disguise themselves as legitimate users or administrators.”
The ICRC believes their servers were first hacked on November 9, 2021. They detected the attack on January 18 and took the servers offline right after.
They determined that the attack vector was a critical REST API authentication bypass in Zoho ManageEngine ADSelfService Plus, a password management and single sign-on (SSO) platform.
The personal data is encrypted, but the ICRC said they believe it was accessed and probably exfiltrated. The data includes information about detainees, missing persons, their families, and other people receiving help from the Red Cross.
The organization announced that this had forced them to apply immediate changes to their security protocols.
However, they said they hadn’t found proof that the data had been traded or published. The organization has started notifying victims of the breach through calls, announcements, and trips to remote locations.
The ICRC also said they do not believe the hackers deleted any data; the intrusion was limited to accessing the data of 515,000 people.