FireEye Hacked

FireEye, one of the world's largest cybersecurity companies, disclosed on December 8, 2020 that it had been attacked. The company stated that the tools it uses in Red Team penetration tests and vulnerability assessments were stolen, and that the attacker sought information about certain customers, including government customers. FireEye said it is investigating the attack together with key partners, including the FBI and Microsoft.

Although who was behind the incident has not yet been confirmed, Matt Gorham, assistant director of the FBI's Cyber Division, said: "The FBI is investigating the incident, and initial findings show a state-sponsored and highly complex actor."

Kevin Mandia, CEO of FireEye, said, "This attack was the most extensive attack on the company to date." FireEye developed the stolen Red Team tools to test the security of its customers. Many of them exploit known Remote Code Execution (RCE) vulnerabilities in products commonly found in corporate networks, such as legacy VPN appliances and various Microsoft applications.

Regardless of whether an attacker ever uses these tools, it is essential to be able to detect any use of them and to minimize the damage they could do.

Am I affected by this incident?

A GitHub repository published by FireEye lists the CVEs that the stolen tools exploit, together with the affected products. In the same repository FireEye has published over 300 countermeasures (detection rules and indicators) so that organizations can detect the tools if they are used against them.

Below is a prioritized list of the CVEs that should be addressed to blunt what the Red Team tools can do. This order is the recommended one; adjust the priorities to your own environment (for example, an internet-facing VPN or Exchange server outranks an internal-only product).

Index | CVE | Description | CVSS | CVE Scan
----- | --- | ----------- | ---- | --------
1 | CVE-2019-11510 | Pre-auth arbitrary file read on Pulse Secure SSL VPN | 10.0 | CVE-2019-11510
2 | CVE-2020-1472 | Microsoft Active Directory privilege escalation (Netlogon) | 10.0 |
3 | CVE-2018-13379 | Pre-auth arbitrary file read on Fortinet FortiGate SSL VPN | 9.8 |
4 | CVE-2018-15961 | RCE in Adobe ColdFusion (arbitrary file upload that can be used to drop a JSP web shell) | 9.8 |
5 | CVE-2019-0604 | RCE in Microsoft SharePoint | 9.8 |
6 | CVE-2019-0708 | RCE in Windows Remote Desktop Services (RDS) | 9.8 |
7 | CVE-2019-11580 | RCE in Atlassian Crowd | 9.8 | CVE-2019-11580
8 | CVE-2019-19781 | RCE in Citrix Application Delivery Controller and Citrix Gateway | 9.8 | CVE-2019-19781
9 | CVE-2020-10189 | RCE in Zoho ManageEngine Desktop Central | 9.8 |
10 | CVE-2014-1812 | Windows local privilege escalation | 9.0 |
11 | CVE-2019-3398 | Authenticated RCE in Atlassian Confluence | 8.8 |
12 | CVE-2020-0688 | Remote command execution in Microsoft Exchange | 8.8 |
13 | CVE-2016-0167 | Local privilege escalation on older versions of Microsoft Windows | 7.8 |
14 | CVE-2017-11774 | RCE in Microsoft Outlook via a crafted document (phishing) | 7.8 |
15 | CVE-2018-8581 | Microsoft Exchange Server privilege escalation | 7.4 |
16 | CVE-2019-8394 | Pre-auth arbitrary file upload to Zoho ManageEngine ServiceDesk Plus | 6.5 |

The CVE Scan column marks the vulnerabilities that have a dedicated scan page.


What measures should be taken?

  • With the vulnerability scanning tools that Security For Everyone publishes free of charge, you can check your systems for these vulnerabilities.
  • The detection rules in FireEye's "Red Team Tool Countermeasures" GitHub repository, published in several formats (Snort, YARA, ClamAV, HXIOC) together with IOCs, can be used to detect and identify these tools. Load them into your IDS, endpoint agent or file scanner to determine whether the tools have been used in your environment.
  • Apply the latest security updates to every product affected by these CVEs, internet-facing systems first.
  • Keep your security software up to date as well.
  • Restrict access to Remote Desktop services (for example, to VPN or jump-host addresses only) and turn them off where they are not in use.
  • As always, do not open suspicious emails with attachments or links from unknown sources.
  • Disable macros in Microsoft Office applications and do not enable them unless strictly necessary.
  • Enable multi-factor authentication (MFA) for both business and personal email accounts; this defeats most credential-harvesting attacks.
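
To make the rule-based detection in the second bullet concrete, the following is an added example (not code from this page and not from FireEye's repository) of how the string and hex indicators in YARA-style rules are matched against file bytes. The rule names, strings and sample files are constructed for illustration and are not FireEye's published indicators; the matcher supports only a subset of YARA syntax (quoted and hex strings, the ascii/wide/nocase modifiers, and conditions built from and/or, parentheses and "any/all/N of them") and assumes Python 3.9 or later. For real scanning, use the yara tool with the rules from the repository.

```python
# Matcher for a small subset of YARA syntax; added example, not FireEye's code. Shows how rule indicators hit file bytes.
import re
from collections import namedtuple

# Constructed rules: hypothetical names and strings, not FireEye's published indicators.
SAMPLE_RULES = r'''
rule Hypothetical_Tool_A
{
    strings:
        $mz   = { 4D 5A }
        $cfg  = "beacon_config" nocase
        $path = "\\Tools\\RedTeam\\" ascii
    condition:
        $mz and ($cfg or $path)
}
rule Hypothetical_Tool_B_Script
{
    strings:
        $a = "Invoke-Something" ascii wide
        $b = "FromBase64String" ascii wide nocase
    condition:
        all of them
}
'''
# strings maps each $identifier to [(byte form, nocase)], one form per ascii/wide variant.
Rule = namedtuple("Rule", "name strings condition")
HEADER_RE = re.compile(r"rule\s+(\w+)\s*\{")
STRING_RE = re.compile(r'(\$\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|\{([0-9A-Fa-f\s]+)\})([^\n]*)')
TOKEN_RE = re.compile(r"\$\w+|\d+|[()]|[A-Za-z]+")

def _text_forms(literal: str, mods: list[str]) -> list[bytes]:
    # Unescape \\ \" \n \t, then emit the UTF-16LE ("wide") and/or ascii form; ascii is the default.
    raw = re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), literal)
    forms = [raw.encode("utf-16-le")] if "wide" in mods else []
    if "ascii" in mods or "wide" not in mods:
        forms.append(raw.encode("latin-1"))
    return forms

def parse_rules(text: str) -> list[Rule]:
    rules, pos = [], 0
    while (m := HEADER_RE.search(text, pos)):
        depth, i = 1, m.end()
        while depth:  # walk to the matching brace; hex strings nest their own braces
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        body, pos = text[m.end():i - 1], i
        strings_part, _, cond = body.partition("condition:")
        strings = {}
        for sm in STRING_RE.finditer(strings_part):
            ident, txt, hexs, mods = sm.group(1), sm.group(2), sm.group(3), sm.group(4).split()
            forms = _text_forms(txt, mods) if txt is not None else [bytes.fromhex(re.sub(r"\s", "", hexs))]
            strings[ident] = [(f, "nocase" in mods) for f in forms]
        rules.append(Rule(m.group(1), strings, cond.strip()))
    return rules

def match_strings(rule: Rule, data: bytes) -> dict[str, bool]:
    # Plain substring search per form; nocase folds ASCII letters on both sides.
    return {ident: any(f.lower() in data.lower() if nc else f in data for f, nc in forms)
            for ident, forms in rule.strings.items()}

def eval_condition(cond: str, hits: dict[str, bool]) -> bool:
    # Recursive descent over and/or, parentheses, $identifiers and 'any|all|N of them'.
    toks = TOKEN_RE.findall(cond)
    def chain(op, sub):  # left-associative `sub (op sub)*`; both sides are always evaluated
        v = sub()
        while toks and toks[0] == op:
            toks.pop(0)
            rhs = sub()
            v = (v or rhs) if op == "or" else (v and rhs)
        return v
    expr = lambda: chain("or", term)
    term = lambda: chain("and", factor)
    def factor():
        t = toks.pop(0)
        if t == "(":
            v = expr()
            if toks.pop(0) != ")":
                raise ValueError("unbalanced parenthesis in condition")
            return v
        if t.startswith("$"):
            return hits[t]
        if t not in ("any", "all") and not t.isdigit() or toks[:2] != ["of", "them"]:
            raise ValueError(f"unexpected token {t!r}")
        del toks[:2]
        return sum(hits.values()) >= (int(t) if t.isdigit() else 1 if t == "any" else len(hits))
    return expr()

def scan_files(files: dict[str, bytes], rules: list[Rule]) -> dict[str, list[str]]:
    # Per file, the names of the rules whose condition holds.
    return {name: [r.name for r in rules if eval_condition(r.condition, match_strings(r, data))]
            for name, data in files.items()}

# Constructed sample files: a PE-like blob, one script saved as ASCII and as UTF-16LE, and benign text.
_SCRIPT = b"$x = [Convert]::frombase64string('QUJD'); Invoke-Something $x\r\n"
SAMPLE_FILES = {
    "tool_a.exe": b"MZ\x90\x00" + b"\x00" * 32 + b"Beacon_Config" + b"\x00" * 8,
    "loader.ps1": _SCRIPT,
    "loader_utf16.ps1": _SCRIPT.decode("ascii").encode("utf-16-le"),
    "benign.txt": b"quarterly report, nothing to see here",
}
```

Running `scan_files(SAMPLE_FILES, parse_rules(SAMPLE_RULES))` flags tool_a.exe with the first rule and both copies of the script with the second. The UTF-16LE copy is the point of the `wide` modifier: a rule that carries only ascii strings silently misses scripts and registry data stored as UTF-16, which is exactly the kind of gap to check for when you adapt a published rule set to your own environment.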

In summary, FireEye was attacked and the tools it uses in Red Team operations were stolen. Check your systems to make sure they have not been compromised and take the precautions listed above.
