Security for everyone

FireEye Hacked

SecurityForEveryone

11/Dec/20

FireEye, one of the world's largest cybersecurity companies, was attacked on December 8, 2020. The company stated that the tools it uses in Red Team penetration tests and vulnerability assessments were stolen. It also announced that, as a result of the attack, data from customers, including governments, was accessed, and that the attack is being investigated together with key partners, including the FBI and Microsoft.

Who was behind the incident has not yet been confirmed, but Matt Gorham, FBI deputy director of Cyber Security, said: "The FBI is investigating the incident, and initial findings show a state-sponsored and highly complex actor."

Kevin Mandia, CEO of FireEye (founded in 2014), said: "This attack was the most extensive attack on the company to date." FireEye developed the stolen Red Team tools to test the security of its customers. Many of these tools exploit several known Remote Code Execution (RCE) vulnerabilities in products commonly used in corporate networks, such as legacy VPN products and various Microsoft applications.

Regardless of whether an attacker misuses these tools in the future, it is essential to ensure that any use of them is detected and that the potential damage is minimized.

Am I affected by this incident?

A GitHub repository published by FireEye lists the CVEs of the applications the stolen tools target. FireEye has also published over 300 countermeasures in the same repository so that its customers can detect and block the stolen tools.

Below is a prioritized list of the CVEs that should be addressed to minimize the damage the Red Team tools can do. The order is a recommendation; users can set their own priorities according to their environment.

| Index | CVE | Description | CVSS | CVE Scan |
|---|---|---|---|---|
| 1 | CVE-2019-11510 | Pre-auth arbitrary file reading from Pulse Secure SSL VPNs | 10.0 | CVE-2019-11510 |
| 2 | CVE-2020-1472 | Microsoft Active Directory escalation of privileges | 10.0 | |
| 3 | CVE-2018-13379 | Pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN | 9.8 | |
| 4 | CVE-2018-15961 | RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) | 9.8 | |
| 5 | CVE-2019-0604 | RCE for Microsoft Sharepoint | 9.8 | |
| 6 | CVE-2019-0708 | RCE of Windows Remote Desktop Services (RDS) | 9.8 | |
| 7 | CVE-2019-11580 | Atlassian Crowd Remote Code Execution | 9.8 | https://securityforeveryone.com/tools/atlassian-crowd-data-center-cve-2019-11580 |
| 8 | CVE-2019-19781 | RCE of Citrix Application Delivery Controller and Citrix Gateway | 9.8 | https://securityforeveryone.com/tools/citrix-application-delivery-sd-wan-wanop-cve-2019-19781 |
| 9 | CVE-2020-10189 | RCE for ZoHo ManageEngine Desktop Central | 9.8 | |
| 10 | CVE-2014-1812 | Windows Local Privilege Escalation | 9.0 | |
| 11 | CVE-2019-3398 | Confluence Authenticated Remote Code Execution | 8.8 | |
| 12 | CVE-2020-0688 | Remote Command Execution in Microsoft Exchange | 8.8 | |
| 13 | CVE-2016-0167 | Local privilege escalation on older versions of Microsoft Windows | 7.8 | |
| 14 | CVE-2017-11774 | RCE in Microsoft Outlook via crafted document execution (phishing) | 7.8 | |
| 15 | CVE-2018-8581 | Microsoft Exchange Server escalation of privileges | 7.4 | |
| 16 | CVE-2019-8394 | Arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus | 6.5 | |

Each CVE in the table links to its NVD entry at https://nvd.nist.gov/vuln/detail/<CVE-ID>; the CVE Scan column links to the Security For Everyone scanner for that vulnerability where one is available.

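The table gives a generic order, and the text says to adjust it to your own environment. The following Python script is an added example (not code from the Security for Everyone post or from FireEye) of one way to do that: it embeds the CVE ids, descriptions and CVSS scores from the table, derives an attack-vector class from each description's wording, and re-ranks only the CVEs whose products actually exist in a constructed asset inventory, boosting those reachable from the Internet. The product tags, the vector keywords and the score adjustments are this example's own assumptions, not part of the advisory.

```python
"""Environment-aware patch triage for the FireEye red-team-tool CVE list.

Added example. CVE ids, descriptions and CVSS scores come from the post's
table; product tags, vector classification and the exposure weights are
assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Cve:
    cve_id: str
    product: str       # inventory tag (constructed for this example)
    description: str   # wording from the post's table
    cvss: float        # CVSS from the post's table


# Table rows in the post's order; product tags are this example's annotation.
CVES: List[Cve] = [
    Cve("CVE-2019-11510", "pulse-secure-vpn", "Pre-auth arbitrary file reading from Pulse Secure SSL VPNs", 10.0),
    Cve("CVE-2020-1472", "windows-ad", "Microsoft Active Directory escalation of privileges", 10.0),
    Cve("CVE-2018-13379", "fortigate-vpn", "Pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN", 9.8),
    Cve("CVE-2018-15961", "coldfusion", "RCE via Adobe ColdFusion (arbitrary file upload, JSP web shell)", 9.8),
    Cve("CVE-2019-0604", "sharepoint", "RCE for Microsoft Sharepoint", 9.8),
    Cve("CVE-2019-0708", "windows-rds", "RCE of Windows Remote Desktop Services (RDS)", 9.8),
    Cve("CVE-2019-11580", "atlassian-crowd", "Atlassian Crowd Remote Code Execution", 9.8),
    Cve("CVE-2019-19781", "citrix-adc", "RCE of Citrix Application Delivery Controller and Citrix Gateway", 9.8),
    Cve("CVE-2020-10189", "manageengine-desktop-central", "RCE for ZoHo ManageEngine Desktop Central", 9.8),
    Cve("CVE-2014-1812", "windows", "Windows Local Privilege Escalation", 9.0),
    Cve("CVE-2019-3398", "confluence", "Confluence Authenticated Remote Code Execution", 8.8),
    Cve("CVE-2020-0688", "exchange", "Remote Command Execution in Microsoft Exchange", 8.8),
    Cve("CVE-2016-0167", "windows", "local privilege escalation on older versions of Microsoft Windows", 7.8),
    Cve("CVE-2017-11774", "outlook", "RCE in Microsoft Outlook via crafted document execution (phishing)", 7.8),
    Cve("CVE-2018-8581", "exchange", "Microsoft Exchange Server escalation of privileges", 7.4),
    Cve("CVE-2019-8394", "manageengine-servicedesk", "Arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus", 6.5),
]

# Assumed weights added to CVSS when the product is Internet-exposed: an
# unauthenticated, remotely reachable flaw on an exposed box goes first.
EXPOSED_BONUS: Dict[str, float] = {"pre-auth": 1.5, "remote": 1.0, "auth": 0.5, "local": 0.0}


def classify(description: str) -> str:
    """Derive a coarse attack vector from the table's own wording (keyword rule, an assumption)."""
    d = description.lower()
    if "pre-auth" in d:
        return "pre-auth"
    if "local" in d:
        return "local"
    if "authenticated" in d:
        return "auth"
    return "remote"


def priority_score(cve: Cve, internet_exposed: bool) -> float:
    """CVSS plus an exposure adjustment; local-only flaws get no boost from exposure."""
    bonus = EXPOSED_BONUS[classify(cve.description)] if internet_exposed else 0.0
    return round(cve.cvss + bonus, 1)


def triage(inventory: Dict[str, bool]) -> List[Tuple[str, float, str]]:
    """Return (cve_id, score, vector) for CVEs whose product is in the inventory.

    inventory maps product tag -> True if that product is Internet-exposed.
    Products absent from the inventory are not applicable and are dropped.
    Ties keep the post's recommended order (stable sort on the table index).
    """
    rows = []
    for idx, cve in enumerate(CVES):
        if cve.product not in inventory:
            continue
        rows.append((cve.cve_id, priority_score(cve, inventory[cve.product]), classify(cve.description), idx))
    rows.sort(key=lambda r: (-r[1], r[3]))
    return [(cve_id, score, vector) for cve_id, score, vector, _ in rows]


if __name__ == "__main__":
    # Constructed inventory: product tag -> Internet-exposed?
    sample_inventory = {"fortigate-vpn": True, "windows-ad": False, "exchange": True,
                        "windows": False, "confluence": False}
    for cve_id, score, vector in triage(sample_inventory):
        print(f"{score:5.1f}  {vector:8s}  {cve_id}")
```

The inventory keys are deliberately coarse; in practice they would come from your asset database, and the exposure flag from your external attack-surface scan. The point of the re-ranking is the one the text makes: an exposed pre-auth VPN flaw with CVSS 9.8 should be patched before an internal-only 10.0.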

What are the measures to be taken?

  • You can check for these vulnerabilities with the vulnerability scanning tools that Security For Everyone publishes free of charge.
  • The FireEye "Red Team Tool Countermeasures" rules in several formats (Snort, YARA, ClamAV, HXIOC) and the IOCs in the GitHub repo can help detect and identify these newly disclosed threats. With these rules you can determine whether the tools have been used in your systems.
  • We strongly recommend installing the latest security updates for the products affected by these CVEs.
  • It is equally important to keep security software up to date.
  • Remote Desktop access should always be restricted, or turned off if not in use.
  • As always, suspicious emails with attachments or links from unknown sources should not be opened.
  • Disable macros in Microsoft Office applications and do not enable them unless necessary.
  • Enable multi-factor authentication (MFA) for both business and personal email accounts to prevent most credential-harvesting attacks.

In summary, FireEye was attacked and the tools it uses in Red Team operations were leaked. Check your systems to ensure your security has not been compromised and take the precautions described in this article.
