Red Cross traces hack back to unpatched Zoho vulnerability

The International Committee of the Red Cross (ICRC) released more details about a hack it discovered last month, tying the incident back to an authentication bypass vulnerability in Zoho ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution.

Tagged as CVE-2021-40539, the vulnerability was spotlighted by several companies last year, including Microsoft, Palo Alto Networks, and Rapid7. Both the US Cybersecurity and Infrastructure Security Agency (CISA) and the German Federal Office for the Protection of the Constitution (BfV) released warnings that APT groups were exploiting the issue.

In a joint advisory from September, CISA, the FBI, and the US Coast Guard Cyber Command said APT actors had already used CVE-2021-40539 to target “academic institutions, defense contractors and critical infrastructure entities in multiple industry sectors — including transportation, IT, manufacturing, communications, logistics, and finance.”

In a statement on Wednesday, the ICRC admitted that it failed to apply the patch for CVE-2021-40539 before it was initially attacked on November 9, just one day after Microsoft warned that DEV-0322, a group operating out of China, was exploiting the vulnerability.

“The attackers used a very specific set of advanced hacking tools designed for offensive security. These tools are primarily used by advanced persistent threat groups, are not

Read More: https://www.zdnet.com/article/red-cross-traces-hack-back-to-zoho-vulnerability/#ftag=RSSbaffb68