The Red Cross said the attack began on November 9 and involved an authentication bypass vulnerability in Zoho ManageEngine ADSelfService Plus.