SecureWorld News

515,000 'Highly Vulnerable' People Exposed in Red Cross Cyberattack

Written by Drew Todd | Thu | Jan 20, 2022 | 9:42 PM Z

With great power comes great responsibility.

Some cybersecurity professionals choose to use their highly valuable skills for legitimately good causes, as we have recently seen the ethical hacker community come together to assist the Department of Defense and other government agencies in identifying Log4j vulnerabilities and exploits. These are the good guys fighting to make the average person's life just a little bit safer.

On the other side, there are those who choose to use their skills in a less ethical way to profit off of organizations through ransomware attacks and other cybercrimes. 

Then there are the malicious actors who operate with practically zero ethics and are motivated less by making a quick buck than by causing chaos and disruption.

The Red Cross, the non-profit humanitarian organization that provides emergency assistance and relief to people around the world, has become the latest victim of this kind of attacker.

Red Cross targeted in 'sophisticated' cyberattack

The International Committee of the Red Cross (ICRC) reported it has experienced a sophisticated cyberattack against its servers and that confidential information of more than 515,000 "highly vulnerable" individuals was exposed.

This includes people who have been separated from their families due to conflict, migration, and disaster, missing persons and their families, and people in detention.

The ICRC notes that its most pressing concern is the risk that comes with a breach like this: that the confidential information will be shared publicly or otherwise used against the people it describes.

According to Robert Mardini, the ICRC's Director-General:

"An attack on the data of people who are missing makes the anguish and suffering for families even more difficult to endure. We are all appalled and perplexed that this humanitarian information would be targeted and compromised. This cyber-attack puts vulnerable people, those already in need of humanitarian services, at further risk.

While we don't know who is responsible for this attack, or why they carried it out, we do have this appeal to make to them.

Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world's least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data.

Every day, the Red Cross Red Crescent Movement helps reunite on average 12 missing people with their families. That's a dozen joyful family reunifications every day. Cyberattacks like this jeopardise that essential work."

Why would cybercriminals target the Red Cross?

When cybercriminals are looking for potential targets, one of the primary factors they consider is how much money they could possibly extort from the organization.

So why target a non-profit like Red Cross? The answer may lie in the sensitive data the organization collects.

Archie Agarwal, Founder and CEO at ThreatModeler, discusses why he thinks the Red Cross was targeted:

"Organizations may not see themselves as targets because they don't have the revenue of a Fortune 500 company, but may still be ripe targets because of the cache of data they own.

Perhaps attackers thought the personal information of half a million individuals the Red Cross serves was valuable because these victims might be less able to defend themselves when compromised. Perhaps the ICRC's supplier simply had publicly accessible systems with obviously poor hygiene and was a target of opportunity."

This is certainly a reasonable explanation, considering how easy it would be for a savvy threat actor to social engineer these people.

Just put yourself in the shoes of one of the 515,000 people whose information was exposed. You have a missing family member or friend and receive an email from "Red Cross" claiming to have information on that individual.

Of course you are going to open the email, possibly click on a link, and maybe even give money to this "Red Cross" for more information. These people have probably never had any security awareness training; they are just unassuming citizens in need of help.

But it's not just this Red Cross incident. We are starting to see these types of cyberattacks more frequently. Tim Wade, Technical Director of the CTO Team at Vectra, discusses:

"While some cybercriminal groups have rules to keep organizations like the Red Cross out of the line of fire, this isn't a universally adopted position. This attack seems to have little financial gain for the cybercriminals behind it, but we're increasingly seeing attacks that are just as much about disruption, fear, and discrediting opposing ideologies instead of making money. Regardless of whether this was targeted or merely opportunistic, it's clear that every organization faces some level of material cyberthreat today."

This is yet another humbling reminder that no organization is immune to cyberattacks, and that everyone must diligently prepare for these threats.

UPDATE 2/18/22

The ICRC has recently provided an update on the situation, stating that the attack started with the attackers exploiting an unpatched critical vulnerability in an authentication module, CVE-2021-40539 (the REST API authentication bypass in Zoho ManageEngine ADSelfService Plus). A fixed build for that CVE had been available since September 2021, and CISA had already warned that it was being exploited in the wild, so the initial access did not depend on any novel capability; the sophistication the ICRC describes lies in what the attackers did after getting in. The ICRC also explains why it considers the attack highly sophisticated and targeted:

"The attackers used a very specific set of advanced hacking tools designed for offensive security. These tools are primarily used by advanced persistent threat groups, are not available publicly and therefore out of reach to other actors.

The attackers used sophisticated obfuscation techniques to hide and protect their malicious programs. This requires a high level of skills only available to a limited number of actors.

We determined the attack to be targeted because the attackers created a piece of code designed purely for execution on the targeted ICRC servers. The tools used by the attacker explicitly referred to a unique identifier on the targeted servers (its MAC address).

The anti-malware tools we had installed on the targeted servers were active and did detect and block some of the files used by the attackers. But most of the malicious files deployed were specifically crafted to bypass our anti-malware solutions, and it was only when we installed advanced endpoint detection and response (EDR) agents as part of our planned enhancement programme that this intrusion was detected."
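The ICRC update names only the CVE, not the product. CVE-2021-40539 is the authentication bypass in the REST API of Zoho ManageEngine ADSelfService Plus; the affected build range (6113 and below) and the two REST API paths below are the ones listed in the CISA/FBI advisory on that CVE, not in this article. The script that follows is an added example, not code from the ICRC, Zoho or SecureWorld: it shows how a defender would triage a server for this CVE, first by build number and then by scanning a web-server access log for unauthenticated POSTs to those REST API paths. The log lines in the block are constructed for the example; the path normalization step is there because the bypass exploited a mismatch between the raw request path and the path the container resolved, so matching on the raw string alone would miss variants such as `/./RestAPI/...`.

```python
"""
Triage helpers for CVE-2021-40539 (Zoho ManageEngine ADSelfService Plus,
REST API authentication bypass). Added example; not from the article, the
ICRC or Zoho. Build cut-off and REST API paths come from the CISA/FBI
advisory on this CVE; the access-log lines below are constructed.
"""
import posixpath
import re
from dataclasses import dataclass
from typing import Iterable, List

# First ADSelfService Plus build that closes CVE-2021-40539 (builds <= 6113 are affected).
FIXED_BUILD = 6114

# REST API paths the unauthenticated bypass was observed hitting (per the CISA advisory).
SUSPICIOUS_PATHS = {p.lower() for p in ("/RestAPI/LogonCustomization", "/RestAPI/Connection")}

# Combined-style access log, e.g.
# 203.0.113.5 - - [10/Jan/2022:03:14:07 +0000] "POST /./RestAPI/Connection HTTP/1.1" 200 77
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    raw_path: str      # path exactly as requested
    normalized: str    # path after the container's normalization
    status: int
    evasion: bool      # raw and normalized differ: "/./", "//" or ".." tricks in play


def is_vulnerable_build(build: int) -> bool:
    """True if an ADSelfService Plus build number is in the affected range."""
    return build < FIXED_BUILD


def normalize_path(raw: str) -> str:
    """Collapse '//', '/./' and '/../' the way a servlet container would,
    so the check sees what the application saw rather than the raw bytes."""
    path = raw.split("?", 1)[0]
    path = re.sub(r"/{2,}", "/", path)      # posixpath.normpath keeps a leading '//', so squash first
    norm = posixpath.normpath(path)
    return norm if norm.startswith("/") else "/" + norm


def scan_access_log(lines: Iterable[str]) -> List[Hit]:
    """Return every POST whose normalized path is one of the bypass endpoints."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                              # not an access-log line we understand
        norm = normalize_path(m["path"])
        if m["method"] == "POST" and norm.lower() in SUSPICIOUS_PATHS:
            hits.append(Hit(
                ip=m["ip"], ts=m["ts"], method=m["method"],
                raw_path=m["path"], normalized=norm,
                status=int(m["status"]),
                evasion=(m["path"].split("?", 1)[0] != norm),
            ))
    return hits


# Constructed sample log: two bypass requests using the '/./' trick, plus benign traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2022:03:14:07 +0000] "POST /./RestAPI/LogonCustomization HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2022:03:14:09 +0000] "POST /./RestAPI/Connection HTTP/1.1" 200 77',
    '198.51.100.7 - - [10/Jan/2022:03:15:00 +0000] "GET /help/index.html HTTP/1.1" 200 4096',
    '198.51.100.7 - - [10/Jan/2022:03:15:01 +0000] "GET /RestAPI/LogonCustomization HTTP/1.1" 405 0',
]


if __name__ == "__main__":
    print("build 6113 vulnerable:", is_vulnerable_build(6113))
    for h in scan_access_log(SAMPLE_LOG):
        flag = "EVASION" if h.evasion else "direct"
        print(f"{h.ts} {h.ip} {h.method} {h.raw_path} -> {h.normalized} [{h.status}] {flag}")
```

A hit where `evasion` is set is the strongest signal, since a browser or the product's own client does not emit `/./` in its paths. Hits should still be reviewed against expected administrative activity before being treated as confirmed compromise, and a vulnerable build with no hits in the logs only means the retained logs show nothing; it is not proof the server was never reached.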