On December 8, 2020, FireEye – a $3.5 billion enterprise – disclosed the theft of their Red Team tools. Red Team tools are essentially built from malware that the company has seen used in a wide range of attacks. FireEye says the hackers now have an influential collection of new techniques to draw upon. The stolen Red Team tools did not contain zero-day exploits.
“We hope that by sharing the details of our investigation, the entire community will be better equipped to fight and defeat cyber-attacks,” Mr. Kevin Mandia, CEO, FireEye wrote. As of now, there is no evidence of these stolen tools being used in the wild. The stolen toolkit targets a wide range of vulnerabilities in popular software products. The race is on to get the warnings out there before the hackers take advantage.
Though there is no clarity on the exact list of affected systems, FireEye has published a prioritized list of the CVEs the tools target on GitHub.
| CVE | Name | CVSS | QID(s) |
| --- | --- | --- | --- |
| CVE-2019-11510 | pre-auth arbitrary file reading from Pulse Secure SSL VPNs | 10.0 | 38771 |
| CVE-2020-1472 | Microsoft Active Directory escalation of privileges | 10.0 | 91680, 91668 |
| CVE-2018-13379 | pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN | 9.8 | 43702 |
| CVE-2018-15961 | RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) | 9.8 | 371186 |
| CVE-2019-0604 | RCE for Microsoft Sharepoint | 9.8 | 110330 |
| CVE-2019-0708 | RCE of Windows Remote Desktop Services (RDS) | 9.8 | 91541, 91534 |
| CVE-2019-11580 | Atlassian Crowd Remote Code Execution | 9.8 | 13525 |
| CVE-2019-19781 | RCE of Citrix Application Delivery Controller and Citrix Gateway | 9.8 | 150273, 372305 |
| CVE-2020-10189 | RCE for ZoHo ManageEngine Desktop Central | 9.8 | 372442 |
| CVE-2014-1812 | Windows Local Privilege Escalation | 9.0 | 91148, 90951 |
| CVE-2019-3398 | Confluence Authenticated Remote Code Execution | 8.8 | 13475 |
| CVE-2020-0688 | Remote Command Execution in Microsoft Exchange | 8.8 | 50098 |
| CVE-2016-0167 | local privilege escalation on older versions of Microsoft Windows | 7.8 | 91207, 91204 |
| CVE-2017-11774 | RCE in Microsoft Outlook via crafted document execution (phishing) | 7.8 | 110306 |
| CVE-2018-8581 | Microsoft Exchange Server escalation of privileges | 7.4 | 53018 |
| CVE-2019-8394 | Arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus | 6.5 | 374547 |
Workaround
Fortunately, FireEye knows its own tools and, hopefully, also knows how to defend against them. FireEye has published a GitHub repository of countermeasure rules in multiple detection formats, including Snort, YARA, ClamAV and HXIOC.
FireEye also shared a spreadsheet of VirusTotal retrohunt results for the YARA rules it published.
Qualys Detection
Qualys customers can scan their network with QID(s) 38771, 91668, 91680, 43702, 371186, 110330, 91541, 91534, 13525, 150273, 372305, 372442, 91148, 90951, 13475, 50098, 91204, 110306, 53018 to detect vulnerable assets.
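Before building a search list from the QIDs above, it is worth checking that the scan list and the CVE table agree. The script below is an added example (not part of the Qualys post): it parses the CVE/CVSS/QID columns of the table, reports QIDs present in one list but not the other, and orders the CVEs by CVSS for a first scan wave. The 9.8 threshold is an assumption.

```python
import re

# CVE, CVSS and QID columns copied from the table in the post (constructed input).
CVE_TABLE = """
CVE-2019-11510 | 10.0 | 38771
CVE-2020-1472 | 10.0 | 91680,91668
CVE-2018-13379 | 9.8 | 43702
CVE-2018-15961 | 9.8 | 371186
CVE-2019-0604 | 9.8 | 110330
CVE-2019-0708 | 9.8 | 91541, 91534
CVE-2019-11580 | 9.8 | 13525
CVE-2019-19781 | 9.8 | 150273, 372305
CVE-2020-10189 | 9.8 | 372442
CVE-2014-1812 | 9.0 | 91148, 90951
CVE-2019-3398 | 8.8 | 13475
CVE-2020-0688 | 8.8 | 50098
CVE-2016-0167 | 7.8 | 91207, 91204
CVE-2017-11774 | 7.8 | 110306
CVE-2018-8581 | 7.4 | 53018
CVE-2019-8394 | 6.5 | 374547
"""

# QIDs as listed in the "Qualys Detection" paragraph of the post.
SCAN_QIDS = {38771, 91668, 91680, 43702, 371186, 110330, 91541, 91534, 13525,
             150273, 372305, 372442, 91148, 90951, 13475, 50098, 91204, 110306, 53018}

def parse_table(text):
    """Return {cve: (cvss, {qids})}; tolerates stray spaces and blank lines."""
    rows = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        cve, cvss, qids = (c.strip() for c in line.split("|"))
        rows[cve] = (float(cvss), {int(q) for q in re.split(r"[,\s]+", qids) if q})
    return rows

def reconcile(rows, scan_qids):
    """QIDs the table expects but the scan list lacks, and QIDs not backed by the table."""
    table_qids = set().union(*(qids for _, qids in rows.values()))
    return table_qids - scan_qids, scan_qids - table_qids

def prioritized(rows, min_cvss=9.8):
    """CVEs at or above min_cvss, highest CVSS first (assumed threshold for wave one)."""
    ordered = sorted(rows.items(), key=lambda kv: -kv[1][0])
    return [cve for cve, (score, _) in ordered if score >= min_cvss]

if __name__ == "__main__":
    rows = parse_table(CVE_TABLE)
    missing, extra = reconcile(rows, SCAN_QIDS)
    print("QIDs in table but not in scan list:", sorted(missing))
    print("QIDs in scan list but not in table:", sorted(extra))
    print("first scan wave:", prioritized(rows))
```

Running it shows the two QIDs from the table (91207 for CVE-2016-0167 and 374547 for CVE-2019-8394) that the detection paragraph does not include.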
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References and Sources
https://github.com/fireeye/red_team_tool_countermeasures
https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md
https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html
Hi Guys
Looks like there are two typos in the QIDs in this list (https://threatprotect.qualys.com/2020/12/09/fireeye-multiple-vulnerabilities/)
I found that when doing a search for creating a search list:
91688 doesn’t exist but 91668 does, using CVE-2020-1472 search
91207 doesn’t exist but 91204 does, using CVE-2016-0167 search
Could you confirm?
Why does the search using CVEs yield more results than using QIDs?
the correct QID for CVE-2020-1472 is 91668