A Cybersecurity incident can happen to anyone, but this (not much talked about) attack might be more serious than initially thought. It went on as a perfect storm: sensitive data of +500.000 people mixed in a database without intrusion detection or patch management. The result? a data leak and an international appeal to protect the affected people. Now let’s hope this information doesn’t fall into the wrong hands.

TL;DR

• At the beginning of January, the ICRC announced they were the target of a cyber-attack that led to a data breach of a database with +500.000 refugees

• Hackers gained access in November 2021, Red Cross only noticed in mid-January 2022, roughly 70 days after

• Login information for about 2,000 Red Cross and Red Crescent staff and volunteers who work on these programs were also breached

• The refugee data is used to find and inventory people. This means it contains, for example, the location of people that were being pursued in their home countries

• Inside their explanation post, the Red Cross said the attackers gained access to the servers through an exploit of a vulnerability in Zoho CRM

The attack

In January 2022, the ICRC informed about the discovery of a hack on their infrastructure. This attack led to the database holding the refugee information collected in the field by the Red Cross agents being leaked.

According to the initial communication, the hack happened in November 2021 and the attackers exploited a known vulnerability on an on-premises ZoHo CRM instance. The vulnerability was disclosed in September 2021, roughly 2 months before the attack, and 3 months before ICRC noticed something was wrong. Also in the ICRC communication, they described the attack as "sophisticated" and only at the reach of some state agents due to the usage of specific software developed for the ICRC IT environment.

The attack used a known vulnerability on the ZoHo CRM (CVE-2021-40539) that allowed remote code execution on the server. This CVE was released at the beginning of September, more than 3 months before ICRC noticed something was wrong. With this vulnerability, an attacker could create a crafted Rest API URL to bypass a security filter due to an error in URL normalization, allowing them to execute arbitrary code. The vulnerability affected ADSelfService Plus builds up to 6113 and was rated as “Critical” with a score of 9.8.

So does it matter if the attack was sophisticated? not much. The Red Cross team had almost two months between the patch release and the date where the breach happened. If you’re holding a database with this amount of personal and sensitive information, you can’t take it easy.

What information was accessed?

The breach included personal data such as names, locations, and contact information of more than 515,000 refugees from across the world. This includes missing people and their families, detainees, and other people receiving services from the Red Cross and Red Crescent Movement due to armed conflict, natural disasters, or migration.

According to the red cross, the data was not deleted from the database. There are also no signs of the information being sold or ransom demands.

And the consequences?

This is where this breach is particularly complicated because States have mandated organizations such as the ICRC to execute many actions in the field. One of those is to collect information on people reported missing to reconnect separated family members - the Red Cross estimate they can reconnect about 12 people a day back to their families.

As a result of this breach, ICRC had to take systems offline, which limited the humanitarian services they could offer in the field, including the search for the missing people. Moreover, to reconnect the missing individuals with their families, the Red Cross holds the names, locations, and other relevant information in a database. Needless to say that some of these people disappeared because they are fleeing persecution in their home countries, so this database could give away their locations and risk their lives.

What could have the Red Cross done better?

It’s easy to criticize when you’re seeing it from the outside, but having understood the entry point of the attack, we can extract some conclusions:

• Patch management - it’s important to quickly respond to the releases of patches. Critical patches (such as CVE-2021-40539) need to be deployed to production immediately. Five days might be already too much.

• Intrusion Detection / Intrusion Protection Systems (IDS/IPS) - Even if you don’t patch your server, knowing if someone is browsing through the data is useful.

• Centralized log management - continuation of the above. Centralizing your log efforts is very important in a complex network.

• Vendor management - it does seem like the server was managed by a subcontractor and not by the ICRC directly. Contractually obliging the supplier to respond to patches is crucial in cases like this. Also, make sure you have a clear channel of communication with the software editor. Having an RSS feed of all Zoho news could make you aware of security updates quicker.

Other measures:

• Encrypt data in the database (ZoHo offers this feature)

• Restrict IP access to the application

• Regularly pentest the instance

Sources:

• ICRC.org

• NIST

• Security Affairs

• CISA.gov