Major news shocked the cyber security world yesterday (Tuesday, December 8) when FireEye, the parent company of Mandiant, announced they had been breached and their Red Team tools were stolen.
Everyone can be breached, and we mean everyone. FireEye’s Mandiant division is the company everyone runs to when they experience a major breach!
FireEye has handled the breach better than any other company in recent memory (must be all that practice). Kevin Mandia (Board Director and CEO) published a blog post about the incident, which details what they know so far. Mandia makes clear the company’s intentions to be transparent and demonstrate how to properly handle a major cyber security incident from a public trust perspective. Kudos to them!
So, what do we know about the breach?
- The tactics, techniques, and procedures (TTPs) used by the attacker are almost definitely a well-funded nation-state actor. The TTPs used are some of the most advanced that FireEye (arguably the most well-respected incident response firm in the world) has ever seen. Mandia says, “Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities.”
- FireEye is working with three-letter agencies including the FBI and other “key partners, including Microsoft” to determine more about the attack. We don’t want to jump to conclusions, but the mention of the new and advanced TTPs and Microsoft lead me to believe we may see a big patch and vulnerability announcement in the near future.
- The attacker obtained copies of the FireEye Red Team’s toolset. This toolset does not contain exploits for any undisclosed vulnerabilities. FireEye immediately released rulesets for detecting their toolset on their GitHub repository. From our review of the detection rules, it looks like FireEye was looking for a handful of popular, critical vulnerabilities, and then using a customized version of popular pen-testing tools for command and control once inside an organization.
- FireEye, nor other investigators, have found evidence of the toolset being utilized in the wild. As we know it is only a matter of time before they are used or released to the public. Most remember that ETERNALBLUE was an NSA tool that was stolen, publicly released, and subsequently became arguably the biggest vulnerability in history (we still find it during pen tests).
- FireEye has committed to keeping the public aware of any progress the investigation makes and will continue to provide mitigations to their toolset.
Assura’s Take and Response
Assura’s Security Operations Center monitors for breaches and security announcements in real-time.
- When FireEye’s breach was announced yesterday (Tuesday, December 8), a detection rule set was put in place within our Security Information and Event Management (SIEM) platform for all security monitoring customers.
- As of 9:23 PM Eastern on December 8th, Assura’s SOC was able to detect and alarm on the use of FireEye’s breached Red Team toolset using the detection rule set.
- If you are a Managed SIEM client, we are actively monitoring for the use of the Red Team toolset and will continue to refine the detection rules as FireEye provides more information.
If you have not patched against the following CVEs, please do so ASAP. The release of the Red Team toolset may make these vulnerabilities trivial to exploit and subsequently establish command and control in your environment:
- CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs – CVSS 10.0
- CVE-2020-1472 – Microsoft Active Directory escalation of privileges – CVSS 10.0
- CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN – CVSS 9.8
- CVE-2018-15961 – RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) – CVSS 9.8
- CVE-2019-0604 – RCE for Microsoft Sharepoint – CVSS 9.8
- CVE-2019-0708 – RCE of Windows Remote Desktop Services (RDS) – CVSS 9.8
- CVE-2019-11580 – Atlassian Crowd Remote Code Execution – CVSS 9.8
- CVE-2019-19781 – RCE of Citrix Application Delivery Controller and Citrix Gateway – CVSS 9.8
- CVE-2020-10189 – RCE for ZoHo ManageEngine Desktop Central – CVSS 9.8
- CVE-2014-1812 – Windows Local Privilege Escalation – CVSS 9.0
- CVE-2019-3398 – Confluence Authenticated Remote Code Execution – CVSS 8.8
- CVE-2020-0688 – Remote Command Execution in Microsoft Exchange – CVSS 8.8
- CVE-2016-0167 – local privilege escalation on older versions of Microsoft Windows – CVSS 7.8
- CVE-2017-11774 – RCE in Microsoft Outlook via crafted document execution (phishing) – CVSS 7.8
- CVE-2018-8581 – Microsoft Exchange Server escalation of privileges – CVSS 7.4
- CVE-2019-8394 – arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus – CVSS 6.5
Below are links to more resources regarding the incident:
- US-CERT Alert – https://us-cert.cisa.gov/ncas/current-activity/2020/12/08/theft-fireeye-red-team-tools
- Kevin Mandia’s Blog Post – https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html
- Information about the Red Team toolset – https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html
- FireEye Countermeasures GitHub repository – https://github.com/fireeye/red_team_tool_countermeasures
If you’re an Assura client, please do not hesitate to reach out to your Virtual ISO or Assura SOC point-of-contact if you have questions about the incident or our response. Otherwise, please contact us at email@example.com.