FireEye Discloses Breach – Theft of Cybersecurity Tools

On December 8, 2020, FireEye – a $3.5 billion enterprise – disclosed the theft of its Red Team tools. Red Team tools are essentially built from malware that the company has seen used in a wide range of attacks. FireEye says the hackers now have an influential collection of new techniques to draw upon. The stolen Red Team tools did not contain zero-day exploits.

“We hope that by sharing the details of our investigation, the entire community will be better equipped to fight and defeat cyber-attacks,” Mr. Kevin Mandia, CEO, FireEye wrote. As of now, there has been no evidence of the stolen tools being used in the wild. The stolen tool kit targets a myriad of vulnerabilities in popular software products. The race is on to get the warnings out before the hackers take advantage.

Though there is no clarity on the exact list of affected systems, FireEye has published a prioritized list of the CVEs targeted by the tools on GitHub.

| CVE | Name | CVSS | QID(s) |
|---|---|---|---|
| CVE-2019-11510 | Pre-auth arbitrary file reading from Pulse Secure SSL VPNs | 10.0 | 38771 |
| CVE-2020-1472 | Microsoft Active Directory escalation of privileges | 10.0 | 91680, 91668 |
| CVE-2018-13379 | Pre-auth arbitrary file reading from Fortinet FortiGate SSL VPN | 9.8 | 43702 |
| CVE-2018-15961 | RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) | 9.8 | 371186 |
| CVE-2019-0604 | RCE for Microsoft SharePoint | 9.8 | 110330 |
| CVE-2019-0708 | RCE of Windows Remote Desktop Services (RDS) | 9.8 | 91541, 91534 |
| CVE-2019-11580 | Atlassian Crowd Remote Code Execution | 9.8 | 13525 |
| CVE-2019-19781 | RCE of Citrix Application Delivery Controller and Citrix Gateway | 9.8 | 150273, 372305 |
| CVE-2020-10189 | RCE for ZoHo ManageEngine Desktop Central | 9.8 | 372442 |
| CVE-2014-1812 | Windows Local Privilege Escalation | 9.0 | 91148, 90951 |
| CVE-2019-3398 | Confluence Authenticated Remote Code Execution | 8.8 | 13475 |
| CVE-2020-0688 | Remote Command Execution in Microsoft Exchange | 8.8 | 50098 |
| CVE-2016-0167 | Local privilege escalation on older versions of Microsoft Windows | 7.8 | 91207, 91204 |
| CVE-2017-11774 | RCE in Microsoft Outlook via crafted document execution (phishing) | 7.8 | 110306 |
| CVE-2018-8581 | Microsoft Exchange Server escalation of privileges | 7.4 | 53018 |
| CVE-2019-8394 | Arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus | 6.5 | 374547 |

Workaround

Fortunately, FireEye knows its own tools and, hopefully, also knows how to defend against them. FireEye has published a GitHub repository of countermeasure rules in multiple formats, including Snort, YARA, ClamAV and HXIOC.

FireEye also shared a spreadsheet of VirusTotal retrohunt results for the YARA rules it published.

Qualys Detection

Qualys customers can scan their network with QID(s) 38771, 91668, 91680, 43702, 371186, 110330, 91541, 91534, 13525, 150273, 372305, 372442, 91148, 90951, 13475, 50098, 91204, 110306, 53018 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References and Sources

https://github.com/fireeye/red_team_tool_countermeasures

https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html

https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md

https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html

https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html

https://github.com/Museon23/Fireeye_Red_CVE_Tenable_countermeasures/blob/main/Fireeye_Tenable_PluginIDs.txt

https://telecom.economictimes.indiatimes.com/news/u-s-cybersecurity-firm-fireeye-discloses-breach-theft-of-internal-hacking-tools/79635850

https://www.bbc.com/news/world-us-canada-55240408

https://docs.google.com/spreadsheets/d/1uRAT-khTdp7fp15XwkiDXo8bD0FzbdkevJ2CeyXeORs/edit#gid=696675697
