The January 2022 International Committee of the Red Cross (ICRC) data breach was caused by an unpatched critical vulnerability in the Single Signe-In tool developed by Zoho, a business software development company.
After exploiting the vulnerability (tracked as CVE-2021-40539), the cybercriminals deployed offensive security tools to help gain access to ICRC's contact database, resulting in the compromise of more than 515,000 globally.
Offensive security tools are used by penetration testers to discover system vulnerabilities that could be potentially exploited by cybercriminals.
The sophistication of these offensive tools and obfuscation techniques adopted to prevent detection is only privy to a small number of Advanced Persistent Threat (APT) groups, suggesting this was likely a State Sponsored attack.
Learn about Advanced Persistent Threats >
"The hackers made use of considerable resources to access our systems and used tactics that most detection tools would not have picked up."
- Excerpt from ICRC's data breach statement.
How Did the Red Cross Data Breach Happen?
The following sequence likely led to the Red Cross data breach.
- State-Sponsored hackers target a Swiss contractor used to store data for the International Committee of the Red Cross.
- Network access is achieved by exploiting unpatched critical vulnerability CVE-2021- 40539.
- Offensive security tools are deployed, disguising the threat actors as legitimate internal users.
- Offensive tools masking the threat actors as administrators permit access to a database of 515,000 people, despite it being encrypted. Among the compromised data were details of individuals receiving services from the International Red Cross and Red Crescent Movement due to armed conflict, natural disasters, or migration.
- 70 days after the breach, ICRC's third-party cybersecurity service detects a suspicious anomaly on ICRC servers containing sensitive data.
- A deep dive into the anomaly confirms the compromise of ICRC's server and the sensitive data contained therein on 9 November 2021.
- Compromised servers are taken offline.
See how your organization's security posture compares to the ICRC's.
View ICRC's security report.
How to Prevent an Incident lIke the Red Cross Data Breach
A series of important lessons can be learned from the Red Cross data breach. Applying them to your cybersecurity program could help your organization avoid a similar fate.
1. Commit to a Rigorous Security Patch Program
ICRC's vulnerability management processes failed to detect and address the exploit that led to this data breach - an oversight likely resulting from the difficulty of managing ICRC's complex, large-scale patching processes, which address tens of thousands of patches across multiple systems annually.
Unfortunately, cybercriminals are not sympathetic to complex cybersecurity problems. They will take advantage of whatever exploit they discover - especially when their attacks are well-planned and targeted, which seems to be the case in this instance.
Re-evaluate your current vulnerability patching routine to ensure it can rapidly address new critical vulnerabilities published on the National Vulnerability Database (NVD).
2. Follow a Regular Penetration Testing Schedule
Despite having a multi-level cyber defense system in place comprising of endpoint monitoring and scanning software, ICRC was still breached. While it's fair to attribute the success of the attack to unusually sophisticated hacking techniques rather than the insufficiency of ICRC's cybersecurity program, this event highlights the importance of having backup processes for detecting security exploits should internal efforts fail.
Establish a regular penetration testing schedule for detecting network, system, and application vulnerabilities across your entire IT ecosystem. Pen testing methods should be commensurate to the complexity of cyberattacks likely to target your organization. High data breach risks industries, such as finance, healthcare, and technology, should assume they will be targeted by highly-complex cyber attackers.
If you prefer to manage pen testing internally rather than outsourcing to a third-party, here are some offensive security tools you should be aware of:
- Metasploit: An open-source framework for developing, testing, and executing exploits
- Nessus: A vulnerability scanner that can identify and assess vulnerabilities in networks and systems
- Maltego: A tool for open-source intelligence and forensic analysis
- Aircrack-ng: A suite of tools for wireless network cracking
- Cain and Abel: A password cracking tool
- John the Ripper: A fast password-cracking tool
- Social Engineer Toolkit (SET): A tool for performing social engineering attacks
3. Implement Advanced Persistent Threat Controls.
To defend against APTs, it is important to implement a multi-layered security strategy that includes the following:
- Network segmentation: Segmenting your network into smaller subnets to obfuscate lateral movement and sensitive resource detection.
Learn the top network segmentation best practices >
- Regular risk assessments: Identifying vulnerabilities in both your internal and third-party network to identify attack vectors facilitating potential malware injections
Learn more about risk assessments >
- Advanced threat detection solutions: Utilizing advanced threat detection and response solutions, such as intrusion detection and prevention systems (IDPS) and endpoint detection and response (EDR) solutions.
- Security awareness and education: Educating your employees about the risks of APTs and how to identify and report suspicious activity.
- Regular backups: Regularly backing up your data to expedite recovery if systems are compromised.
- Regular software updates and patching: Keeping all software and systems updated and patched to prevent exploitation through known vulnerabilities.
- Implementing an incident response plan: Having an incident response plan to ensure calculated response efforts following a breach.
Learn how to create an Incident Response Plan >