After reviewing all the released details regarding the FireEye security breach, RedLegg recommends that all customers with FireEye technology implement FireEye's countermeasures signature package, linked below. Additionally, RedLegg recommends that customers verify that all systems are up to date with currently available security patches, specifically for the vulnerabilities listed below.
FireEye's information regarding this incident indicates that a "red team toolkit" was stolen by the attackers. This toolkit includes open source tools and proprietary scripts used to support red team and penetration testing engagements. The tools and scripts do not exploit any zero-day vulnerabilities: many of the vulnerabilities already have publicly available exploits, and all of them have vendor patches available. Here is the list of vulnerabilities exploited by the stolen toolkit, followed by the countermeasures package provided by FireEye:
https://github.com/fireeye/red_team_tool_countermeasures
- CVE-2014-1812 – Windows local privilege escalation
- CVE-2019-0708 – RCE in Windows Remote Desktop Services (RDS)
- CVE-2017-11774 – RCE in Microsoft Outlook via crafted document execution (phishing)
- CVE-2018-15961 – RCE in Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell)
- CVE-2019-19781 – RCE in Citrix Application Delivery Controller and Citrix Gateway
- CVE-2019-3398 – Confluence authenticated remote code execution
- CVE-2019-11580 – Atlassian Crowd remote code execution
- CVE-2018-13379 – pre-auth arbitrary file read in Fortinet FortiGate SSL VPN
- CVE-2020-0688 – remote command execution in Microsoft Exchange
- CVE-2019-11510 – pre-auth arbitrary file read in Pulse Secure SSL VPNs
- CVE-2019-0604 – RCE in Microsoft SharePoint
- CVE-2020-10189 – RCE in Zoho ManageEngine Desktop Central
- CVE-2019-8394 – pre-auth arbitrary file upload in Zoho ManageEngine ServiceDesk Plus
- CVE-2016-0167 – local privilege escalation on older versions of Microsoft Windows
- CVE-2020-1472 – Microsoft Active Directory privilege escalation
- CVE-2018-8581 – Microsoft Exchange Server privilege escalation
If you don't have recent vulnerability scan data available, RedLegg recommends scanning your network to identify any hosts that remain unpatched for these vulnerabilities. Hosts identified as vulnerable should be patched immediately or, until patching is possible, placed under additional monitoring or isolated from the network.
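As an added example of the triage step described above (this is not code from RedLegg or FireEye), the script below reads a constructed, hypothetical scanner export and reports only the open findings that match this bulletin's CVE list, ordered by exposure class so that pre-auth remote issues surface first. The export format (host,cve,status), the host names and the exposure classes are assumptions; the classes are taken from the bulletin's own one-line descriptions.

```python
import csv
import io

# Exposure class per bulletin CVE, derived from the bulletin's descriptions:
# remote = reachable without credentials, authenticated = needs a valid account,
# phishing = a user must open a file, privesc = attacker already on host/domain.
BULLETIN_CVES = {
    "CVE-2014-1812": "privesc", "CVE-2019-0708": "remote",
    "CVE-2017-11774": "phishing", "CVE-2018-15961": "remote",
    "CVE-2019-19781": "remote", "CVE-2019-3398": "authenticated",
    "CVE-2019-11580": "remote", "CVE-2018-13379": "remote",
    "CVE-2020-0688": "remote", "CVE-2019-11510": "remote",
    "CVE-2019-0604": "remote", "CVE-2020-10189": "remote",
    "CVE-2019-8394": "remote", "CVE-2016-0167": "privesc",
    "CVE-2020-1472": "privesc", "CVE-2018-8581": "privesc",
}
PRIORITY = {"remote": 0, "authenticated": 1, "phishing": 2, "privesc": 3}

# Constructed sample export (hypothetical format). CVE-0000-0000 is a
# placeholder for a finding outside the bulletin's scope.
SAMPLE_SCAN = """host,cve,status
vpn01.example.internal,cve-2019-11510,open
vpn01.example.internal,CVE-2018-13379,fixed
mail01.example.internal,CVE-2020-0688,open
mail01.example.internal,CVE-2018-8581,open
dc01.example.internal,CVE-2020-1472,open
ws17.example.internal,CVE-0000-0000,open
"""

def triage(scan_csv: str):
    """Open findings matching the bulletin as (host, cve, exposure), highest
    exposure first; fixed findings and out-of-scope CVEs are dropped."""
    hits = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        cve = row["cve"].strip().upper()  # scanners differ in casing
        if row["status"].strip().lower() != "open" or cve not in BULLETIN_CVES:
            continue
        hits.append((row["host"].strip(), cve, BULLETIN_CVES[cve]))
    hits.sort(key=lambda h: (PRIORITY[h[2]], h[0], h[1]))
    return hits

def hosts_to_isolate(scan_csv: str):
    """Hosts with an open pre-auth remote finding: patch now, or monitor or
    isolate until patched, per the recommendation above."""
    return sorted({h for h, _, exp in triage(scan_csv) if exp == "remote"})

if __name__ == "__main__":
    for host, cve, exposure in triage(SAMPLE_SCAN):
        print(f"{exposure:<13} {host:<26} {cve}")
    print("isolate/monitor:", hosts_to_isolate(SAMPLE_SCAN))
```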
FireEye has also released Snort IDS signatures and a YARA rule package for deployment to compatible infrastructure. You can find the Snort and YARA rules here:
https://github.com/fireeye/red_team_tool_countermeasures/blob/master/all-snort.rules
https://github.com/fireeye/red_team_tool_countermeasures/blob/master/all-yara.yar
Get updates like this in your inbox as soon as they are released by joining our threat research team's Security Bulletin email list here.