The recent cyberattack against the International Committee of the Red Cross (ICRC) was not a supply chain attack, as initially thought. Instead, it came as a result of an abused unpatched high severity vulnerability.
The news was confirmed by the ICRC, which said in an updated blog post that the attackers were, most likey, state-sponsored, but did not point any fingers at any particular Advanced Persistent Threats (APT).
However TechCrunch found researchers from Palo Alto Networks discovered the Chinese abusing the same vulnerability elsewhere.
Stealing data
The researchers found that whoever was behind the attack did not target an ICRC contractor, but instead exploited an unpatched critical vulnerability in an authentication module, a flaw tracked as CVE-2021-40539.
The flaw allowed the attackers to place web shells, and conduct post-exploitations acts such as compromising admin credentials, moving laterally across the network, and exfiltrating data from endpoints.
“Once inside our network, the hackers were able to deploy offensive security tools which allowed them to disguise themselves as legitimate users or administrators. This, in turn, allowed them to access the data, despite this data being encrypted,” the ICRC’s blog post reads.
The ICRC also said that the attack was not accidental, or that the attackers chose them simply because of the unpatched vulnerability. Instead, the ICRC was specifically targeted “because the attackers created code designed solely for execution on the concerned ICRC servers.”
The malware created for this attack was tailor-made for ICRC’s infrastructure and its antivirus software.
The ICRC was also able to pinpoint, more precisely, exactly when the attack took place. Initially, the organization believed the attack occurred in January, but it now believes late November is a more accurate estimate.
In total, the data on more than 515,000 “highly vulnerable” people was taken.
So far, the report reads, there have been no signs of the data being shared, or sold, anywhere, and the ICRC has not received any ransom demand.
“It is our hope that this attack on vulnerable people’s data serves as a catalyst for change,” Robert Mardini, the director-general of the ICRC, said in a statement. “We will now strengthen our engagement with states and non-state actors to explicitly demand that the protection of the Red Cross and Red Crescent Movement’s humanitarian mission extends to our data assets and infrastructure.
“We believe it is critical to have a firm consensus — in words and actions — that humanitarian data must never be attacked.”
Via: TechCrunch