FireEye red team tools stolen in cyber attack
While the stolen red team tools contain no zero-day exploits, FireEye published detection rules for them and a list of the known vulnerabilities they exploit to help organizations defend themselves.
FireEye is urging organizations to take precautions after suspected nation-state hackers breached the security vendor and stole its red team tools.
The attack, which FireEye disclosed Tuesday, was perpetrated by "a nation with top-tier offensive capabilities," CEO Kevin Mandia wrote in a blog post. Among the assets taken were FireEye's red team tools, which a second post released Tuesday evening described as tools used in red teaming exercises to demonstrate the "impacts of successful attacks" to clients.
"The stolen tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit. Many of the Red Team tools have already been released to the community and are already distributed in our open-source virtual machine, CommandoVM," the latter blog post read. "Some of the tools are publicly available tools modified to evade basic security detection mechanisms. Other tools and frameworks were developed in-house for our Red Team."
FireEye said none of the tools contain zero-day exploits, relying instead on "well-known and documented methods that are used by other red teams around the world." While the company does not expect the threat actors' capabilities to advance greatly as a result of the theft, it said it is "doing everything it can to prevent such a scenario." One step was publishing more than 300 countermeasures for customers in a GitHub repository; FireEye also added countermeasures to its own security products.
The GitHub repository also lists 16 common vulnerabilities and exposures (CVEs) that FireEye recommends patching first, because the stolen tools depend on them and closing them limits the tools' effectiveness. The scores below are the CVSS base scores as listed; CVE-2014-1812 predates CVSS v3 and carries a v2 score, the rest are v3. The list includes the following:
- CVE-2019-11510 -- A critical pre-authentication arbitrary file disclosure vulnerability in the Pulse Connect Secure VPN, with a Common Vulnerability Scoring System (CVSS) base score of 10.0.
- CVE-2020-1472 -- The "Netlogon Elevation of Privilege Vulnerability," better known as Zerologon, which lets an unauthenticated attacker with network access to a domain controller take it over; CVSS base score 10.0.
- CVE-2018-13379 -- A path traversal ("improper limitation of a pathname to a restricted directory") in the Fortinet FortiOS SSL VPN web portal that lets an unauthenticated attacker read system files; CVSS 9.8.
- CVE-2018-15961 -- An unrestricted file upload vulnerability in Adobe ColdFusion; successful exploitation leads to arbitrary code execution. CVSS 9.8.
- CVE-2019-0604 -- A critical remote code execution vulnerability in Microsoft SharePoint; CVSS 9.8.
- CVE-2019-0708 -- The critical pre-authentication remote code execution vulnerability in Remote Desktop Services known as BlueKeep; CVSS 9.8.
- CVE-2019-11580 -- A remote code execution vulnerability in Atlassian Crowd and Crowd Data Center; CVSS 9.8.
- CVE-2019-19781 -- A directory traversal vulnerability in Citrix Application Delivery Controller (ADC) and Gateway that allows unauthenticated remote code execution; CVSS 9.8.
- CVE-2020-10189 -- A remote code execution vulnerability (untrusted deserialization) in Zoho ManageEngine Desktop Central; CVSS 9.8.
- CVE-2014-1812 -- A local privilege escalation vulnerability in Windows, the Group Policy Preferences stored-password issue addressed by MS14-025; CVSS 9.0.
- CVE-2019-3398 -- An authenticated remote code execution vulnerability (path traversal in attachment handling) in Atlassian Confluence Server and Data Center; CVSS 8.8.
- CVE-2020-0688 -- A remote code execution vulnerability in Microsoft Exchange caused by a static ASP.NET validation key in the Exchange Control Panel, exploitable by any authenticated mailbox user; CVSS 8.8.
- CVE-2016-0167 -- A local privilege escalation vulnerability in the win32k component of older versions of Microsoft Windows; CVSS 7.8.
- CVE-2017-11774 -- The "Microsoft Outlook Security Feature Bypass Vulnerability," which lets an attacker who can set a malicious Outlook home page achieve code execution on the client; CVSS 7.8.
- CVE-2018-8581 -- An elevation of privilege vulnerability in Microsoft Exchange (NTLM relay via Exchange Web Services push subscriptions); CVSS 7.4.
- CVE-2019-8394 -- An arbitrary file upload vulnerability in Zoho ManageEngine ServiceDesk Plus, reachable through the login page customization feature; CVSS 6.5.
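To put the priority list to work, here is an added example (not FireEye's code and not part of the original article) that triages a vulnerability scanner export against the 16 CVEs above: it drops findings already marked fixed, normalizes CVE identifiers, ranks hosts by the most severe listed CVE they carry, and separates out findings that are not on the list. The CSV layout (host,cve,status), the hostnames and the findings are constructed for illustration; the CVE identifiers and scores are the ones quoted in the list.

```python
"""Triage scanner findings against the 16 CVEs FireEye asked customers to patch first.

Added example, not FireEye's code. The CVE list and CVSS scores are the ones
quoted in the article; the scanner export format (host,cve,status) and the
host data below are constructed for illustration.
"""
import csv
import io
from collections import defaultdict

# CVE -> (CVSS base score as quoted in the article, short description)
PRIORITY_CVES = {
    "CVE-2019-11510": (10.0, "Pulse Connect Secure arbitrary file disclosure"),
    "CVE-2020-1472": (10.0, "Netlogon elevation of privilege (Zerologon)"),
    "CVE-2018-13379": (9.8, "FortiOS SSL VPN path traversal"),
    "CVE-2018-15961": (9.8, "Adobe ColdFusion unrestricted file upload"),
    "CVE-2019-0604": (9.8, "Microsoft SharePoint RCE"),
    "CVE-2019-0708": (9.8, "Remote Desktop Services RCE (BlueKeep)"),
    "CVE-2019-11580": (9.8, "Atlassian Crowd RCE"),
    "CVE-2019-19781": (9.8, "Citrix ADC directory traversal / RCE"),
    "CVE-2020-10189": (9.8, "Zoho ManageEngine Desktop Central RCE"),
    "CVE-2014-1812": (9.0, "Windows local privilege escalation"),
    "CVE-2019-3398": (8.8, "Atlassian Confluence authenticated RCE"),
    "CVE-2020-0688": (8.8, "Microsoft Exchange RCE"),
    "CVE-2016-0167": (7.8, "Windows local privilege escalation"),
    "CVE-2017-11774": (7.8, "Microsoft Outlook security feature bypass"),
    "CVE-2018-8581": (7.4, "Microsoft Exchange elevation of privilege"),
    "CVE-2019-8394": (6.5, "Zoho ManageEngine ServiceDesk Plus file upload"),
}

# Constructed scanner export (hypothetical CSV layout). Note the duplicate
# lower-case row, a finding already fixed, and a CVE not on the priority list.
SAMPLE_EXPORT = """host,cve,status
vpn01.example.internal,CVE-2019-11510,open
vpn01.example.internal,cve-2019-11510,open
dc01.example.internal,CVE-2020-1472,open
dc01.example.internal,CVE-2014-1812,open
mail01.example.internal,CVE-2020-0688,open
mail01.example.internal,CVE-2018-8581,fixed
wiki01.example.internal,CVE-2019-3398,open
web01.example.internal,CVE-2017-0144,open
"""


def parse_findings(text):
    """Return {host: {CVE, ...}} for open findings, normalising CVE ids to upper case."""
    findings = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        if row["status"].strip().lower() != "open":
            continue  # already remediated, nothing to triage
        findings[row["host"].strip()].add(row["cve"].strip().upper())
    return findings


def triage(findings):
    """Keep only priority CVEs.

    Returns [(host, max_cvss, [cves sorted by score desc])], most urgent host first;
    ties are broken by how many listed CVEs the host carries, then by name.
    """
    result = []
    for host, cves in findings.items():
        hits = [c for c in cves if c in PRIORITY_CVES]
        if not hits:
            continue
        hits.sort(key=lambda c: (-PRIORITY_CVES[c][0], c))
        result.append((host, PRIORITY_CVES[hits[0]][0], hits))
    result.sort(key=lambda r: (-r[1], -len(r[2]), r[0]))
    return result


def unmatched(findings):
    """Open CVEs in the export that are not on the priority list (still to patch, just not first)."""
    seen = {c for cves in findings.values() for c in cves}
    return sorted(seen - set(PRIORITY_CVES))


if __name__ == "__main__":
    found = parse_findings(SAMPLE_EXPORT)
    for host, score, cves in triage(found):
        print(f"{host:28} max CVSS {score:4}  " + ", ".join(cves))
    print("open but not on the priority list:", unmatched(found))
```

Feeding a real scanner export through `parse_findings` only requires mapping its column names onto host, cve and status; everything after that works on the normalized sets.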
Alongside the CVE list, FireEye released detection rules and signatures in several formats, including YARA, Snort, ClamAV and HXIOC (the indicator format used by FireEye's own endpoint product), to help organizations detect and block use of the red team tools. FireEye noted that some of the rules will be effective with minimal tuning, while others will need changes to fit a particular environment, so they are best validated against known-good files and traffic before being run in blocking mode.
While the theft of the testing tools appears to be the main impact of the attack, Mandia noted that the attacker "primarily sought information related to certain government customers." He also said the highly skilled threat actors specifically targeted FireEye, but that there is so far no evidence that customer data was stolen.
"While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems. If we discover that customer information was taken, we will contact them directly," Mandia wrote.
Concluding the post, Mandia said, "We have learned and continue to learn more about our adversaries as a result of this attack, and the greater security community will emerge from this incident better protected. We will never be deterred from doing what is right."
Security news writer Arielle Waldman contributed to this report.