FireEye red team tools stolen in cyber attack

Victoria D. Doty

FireEye is urging organizations to take security measures after suspected nation-state hackers breached the security vendor and stole its red team tools.

The massive cyber attack, which FireEye disclosed Tuesday, was perpetrated by "a nation with top-tier offensive capabilities," CEO Kevin Mandia wrote in a blog post. As part of the cyber attack, FireEye's red team tools were stolen. As a second post published Tuesday night explained, these are tools used in red teaming exercises to demonstrate the "impacts of successful attacks" for customers.

"The stolen tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit. Many of the Red Team tools have already been released to the community and are already distributed in our open source virtual machine, CommandoVM," the latter blog post read. "Some of the tools are publicly available tools modified to evade basic security detection mechanisms. Other tools and frameworks were developed in-house for our Red Team."

FireEye said none of the tools contain zero-day exploits; instead they rely on "well-known and documented methods that are used by other red teams around the world." While FireEye does not expect the threat actors' capabilities to advance greatly as a result of the attack, the company said it is "doing everything it can to prevent such a scenario." One way the company is doing this is by providing a list of more than 300 countermeasures for customers, which were posted to GitHub. FireEye also implemented various countermeasures in its own security products.

The GitHub countermeasures post lists 16 Common Vulnerabilities and Exposures (CVEs) that FireEye recommends be addressed first to limit the effectiveness of the Red Team tools. The list includes the following (CVSS base scores as reported by FireEye):

  • CVE-2019-11510 — A critical arbitrary file disclosure vulnerability in the Pulse Connect Secure VPN. It received a base Common Vulnerability Scoring System (CVSS) score of 10.0.
  • CVE-2020-1472 — The "Netlogon Elevation of Privilege Vulnerability," a critical elevation of privilege flaw, received a CVSS base score of 10.0.
  • CVE-2018-13379 — An improper limitation of a pathname to a restricted directory (path traversal) in the Fortinet SSL VPN, rated 9.8 CVSS.
  • CVE-2018-15961 — An unrestricted file upload vulnerability affecting Adobe ColdFusion. Successful exploitation could lead to arbitrary code execution. It received a base CVSS score of 9.8.
  • CVE-2019-0604 — A critical remote code execution vulnerability in Microsoft SharePoint that received a 9.8 CVSS score.
  • CVE-2019-0708 — The critical remote code execution vulnerability in Remote Desktop Services received a 9.8 CVSS score.
  • CVE-2019-11580 — The Atlassian Crowd remote code execution vulnerability was rated 9.8 CVSS.
  • CVE-2019-19781 — A remote code execution issue in Citrix Application Delivery Controller (ADC) that allows directory traversal. It scored 9.8 CVSS.
  • CVE-2020-10189 — Allows remote code execution in Zoho ManageEngine Desktop Central and was rated 9.8 CVSS.
  • CVE-2014-1812 — A local elevation of privilege vulnerability in Windows. It scored 9.0 CVSS.
  • CVE-2019-3398 — The Confluence authenticated remote code execution vulnerability received a CVSS score of 8.8.
  • CVE-2020-0688 — A remote code execution vulnerability in Microsoft Exchange. It received a CVSS score of 8.8.
  • CVE-2016-0167 — A local privilege escalation vulnerability affecting older versions of Microsoft Windows, with a CVSS score of 7.8.
  • CVE-2017-11774 — A vulnerability in Microsoft Outlook otherwise known as the "Microsoft Outlook Security Feature Bypass Vulnerability," which can be abused for remote code execution. It scored 7.8 CVSS.
  • CVE-2018-8581 — The elevation of privilege vulnerability in Microsoft Exchange received a CVSS score of 7.4.
  • CVE-2019-8394 — Allows remote attackers to upload arbitrary files to Zoho ManageEngine ServiceDesk Plus via login page customization. It received a CVSS score of 6.5.
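As an added illustration of how a team might act on a prioritized list like the one above (this is example code written for this page, not FireEye's code and not taken from its GitHub countermeasures repository), the following Python takes the 16 CVEs with the CVSS base scores the article reports, normalizes identifiers that arrive malformed (for example "CVE2014-1812" without the hyphen after "CVE", a form that recurs in copied lists), and joins them to a host inventory to produce a per-host patch order. The product labels, the host inventory, and the "highest score first, older CVE first on ties" policy are assumptions for illustration; the scores are the ones the article gives and were not re-checked against NVD.

```python
"""Patch-order triage for a vendor-supplied 'fix these first' CVE list.

Added example for this article; not FireEye's code. Scores below are the
CVSS base scores the article reports. Product labels and the inventory in
__main__ are constructed for illustration.
"""
import re

# CVE -> CVSS base score, as reported in the article's list.
ARTICLE_CVES = {
    "CVE-2019-11510": 10.0, "CVE-2020-1472": 10.0, "CVE-2018-13379": 9.8,
    "CVE-2018-15961": 9.8, "CVE-2019-0604": 9.8, "CVE-2019-0708": 9.8,
    "CVE-2019-11580": 9.8, "CVE-2019-19781": 9.8, "CVE-2020-10189": 9.8,
    "CVE-2014-1812": 9.0, "CVE-2019-3398": 8.8, "CVE-2020-0688": 8.8,
    "CVE-2016-0167": 7.8, "CVE-2017-11774": 7.8, "CVE-2018-8581": 7.4,
    "CVE-2019-8394": 6.5,
}

# Assumed product labels -> affected CVEs, following the article's one-line
# descriptions (Windows covers Netlogon, RDS and the two local EoP bugs).
PRODUCT_CVES = {
    "pulse-connect-secure": ["CVE-2019-11510"],
    "windows": ["CVE-2020-1472", "CVE-2019-0708", "CVE-2014-1812", "CVE-2016-0167"],
    "fortinet-ssl-vpn": ["CVE-2018-13379"],
    "coldfusion": ["CVE-2018-15961"],
    "sharepoint": ["CVE-2019-0604"],
    "crowd": ["CVE-2019-11580"],
    "citrix-adc": ["CVE-2019-19781"],
    "desktop-central": ["CVE-2020-10189"],
    "confluence": ["CVE-2019-3398"],
    "exchange": ["CVE-2020-0688", "CVE-2018-8581"],
    "outlook": ["CVE-2017-11774"],
    "servicedesk-plus": ["CVE-2019-8394"],
}

# Tolerant pattern: hyphens optional, so 'CVE2014-1812' and 'cve 2019 0604' parse.
_CVE_LOOSE = re.compile(r"CVE-?(\d{4})-?(\d{4,})")


def normalize_cve(raw):
    """Return the canonical 'CVE-YYYY-NNNN' form of a possibly sloppy ID.
    Raises ValueError rather than silently keeping an unparseable string."""
    s = raw.strip().upper().replace(" ", "")
    m = _CVE_LOOSE.fullmatch(s)
    if not m:
        raise ValueError(f"not a CVE identifier: {raw!r}")
    return f"CVE-{m.group(1)}-{m.group(2)}"


def is_cve(raw):
    """True if normalize_cve() would accept the string."""
    try:
        normalize_cve(raw)
        return True
    except ValueError:
        return False


def _sort_key(item):
    cve, score = item
    _, year, seq = cve.split("-")
    # Highest score first; on ties the older CVE (longer public exposure),
    # then the lower sequence number, purely for a stable order.
    return (-score, int(year), int(seq))


def patch_order(scored):
    """Normalize the IDs in {cve: score} and return them in patch order.
    Duplicate spellings of one CVE collapse to the highest score seen."""
    merged = {}
    for raw, score in scored.items():
        cve = normalize_cve(raw)
        merged[cve] = max(score, merged.get(cve, 0.0))
    return [cve for cve, _ in sorted(merged.items(), key=_sort_key)]


def per_asset_plan(inventory, product_cves=PRODUCT_CVES, scored=ARTICLE_CVES):
    """inventory: {host: [product, ...]} -> {host: [CVE, ...]} in patch order.
    Products absent from product_cves contribute nothing; CVEs absent from
    the scored list sort last."""
    rank = {cve: i for i, cve in enumerate(patch_order(scored))}
    plan = {}
    for host, products in inventory.items():
        cves = {normalize_cve(c) for p in products for c in product_cves.get(p, [])}
        plan[host] = sorted(cves, key=lambda c: rank.get(c, len(rank)))
    return plan


if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    inventory = {
        "dc01": ["windows"],
        "vpn01": ["pulse-connect-secure", "fortinet-ssl-vpn"],
        "mail01": ["windows", "exchange", "outlook"],
        "wiki01": ["confluence", "crowd", "nginx"],  # nginx: not in the list
    }
    for host, cves in per_asset_plan(inventory).items():
        print(f"{host}: {', '.join(cves) or '(nothing from the list)'}")
```

The normalizer is the part most likely to matter in practice: lists like this get pasted between tickets and spreadsheets, and an ID that loses its hyphen will silently miss a string match against a scanner export unless it is canonicalized first.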

In addition to the CVEs, FireEye released detection rules and signatures in publicly usable formats such as YARA, Snort, ClamAV and HXIOC to help organizations detect and block any use of the red team tools. FireEye noted that some of the rules will be effective with minimal tuning, while others will require modifications to match specific user environments.

While the compromised testing tools appear to be the main impact of the attack, Mandia said that the attacker "primarily sought information related to certain government customers." He also said the highly skilled threat actors specifically targeted FireEye, but that it appears no customer data was stolen.

"While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems. If we discover that customer information was taken, we will contact them directly," Mandia wrote.

Concluding the post, Mandia said, "We have learned and continue to learn more about our adversaries as a result of this attack, and the greater security community will emerge from this incident better protected. We will never be deterred from doing what is right."

Security news writer Arielle Waldman contributed to this report.
