Wednesday 9th December 2020

FireEye breach sees release of red-team tools

The breach affecting cyber security giant FireEye reaffirms that sophisticated adversaries can compromise even the most secure companies. Stolen material included bespoke penetration-testing tools that exploit specific vulnerabilities frequently targeted by threat actors, which we unpack in this blog.

The cybersecurity provider FireEye has suffered a breach that media reporting has attributed to Russian state espionage group APT29 (AKA Cozy Bear). The group, which tends to conduct espionage in support of Russia’s strategic political objectives, reportedly stole tooling related to FireEye’s penetration testing capabilities. Earning widespread praise for its quick disclosure and transparent response, FireEye has published a list of vulnerabilities that these tools exploit, in addition to a list of countermeasures developed specifically so that the firm’s clients would be able to detect if such tools were used against them. Several of these vulnerabilities are the focus of blogs in our Twelve Vulns of Christmas blog series.

Many of the vulnerabilities routinely leveraged by FireEye’s red teams are severe, carrying high CVSS 3.0 and Orpheus Vulnerability Scores (OVS). FireEye has listed them in the order in which its clients should prioritise patching:

  1. (OVS: 43) CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs – CVSS 10.0
  2. (OVS: 66) CVE-2020-1472 – Microsoft Active Directory escalation of privileges – CVSS 10.0
  3. (OVS: 53) CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN – CVSS 9.8
  4. (OVS: 61) CVE-2018-15961 – RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) – CVSS 9.8
  5. (OVS: 68) CVE-2019-0604 – RCE for Microsoft SharePoint – CVSS 9.8
  6. (OVS: 100) CVE-2019-0708 – RCE of Windows Remote Desktop Services (RDS) – CVSS 9.8[1]
  7. (OVS: 23) CVE-2019-11580 – Atlassian Crowd Remote Code Execution – CVSS 9.8
  8. (OVS: 100) CVE-2019-19781 – RCE of Citrix Application Delivery Controller and Citrix Gateway – CVSS 9.8
  9. (OVS: 100) CVE-2020-10189 – RCE for Zoho ManageEngine Desktop Central – CVSS 9.8
  10. (OVS: 24) CVE-2014-1812 – Windows Local Privilege Escalation – CVSS 9.0
  11. (OVS: 41) CVE-2019-3398 – Confluence Authenticated Remote Code Execution – CVSS 8.8
  12. (OVS: 100) CVE-2020-0688 – Remote Command Execution in Microsoft Exchange – CVSS 8.8
  13. (OVS: 29) CVE-2016-0167 – local privilege escalation on older versions of Microsoft Windows – CVSS 7.8
  14. (OVS: 39) CVE-2017-11774 – RCE in Microsoft Outlook via crafted document execution (phishing) – CVSS 7.8
  15. (OVS: 25) CVE-2018-8581 – Microsoft Exchange Server escalation of privileges – CVSS 7.4
  16. (OVS: 27) CVE-2019-8394 – arbitrary pre-auth file upload to Zoho ManageEngine ServiceDesk Plus – CVSS 6.5

We recommend that companies use both the OVS and the associated CVSS scores to prioritise patching of these CVEs, since each allows a threat actor to exploit a vulnerable instance of the software to gain initial access, escalate privileges on a compromised host, or move laterally with ease. We also recommend deploying FireEye’s published countermeasures, including its Yara, Snort, ClamAV and HXIOC rules, to detect the use of these tools on organisations’ perimeters.

Cybersecurity firms have been the targets of nation-state actors in the past, as demonstrated by the 2017 Kaspersky breach and by the frequent leaks of anti-virus source code claimed to have been stolen from Symantec, McAfee and Trend Micro. Sophisticated actors have several reasons to target cybersecurity providers, including access to the bespoke tooling they develop for penetration testing and access to TLP:RED (confidential) threat intelligence. Nation-state actors may also compromise these companies to collect internal data on their clients; in FireEye’s case these often include government agencies, Fortune 500 companies and many others, such as Sony and Equifax. Collection of such data may enable threat actors to execute further attacks against those clients, underlining the risk of third-party compromise. While FireEye have confirmed the group sought information relating to government clients, it does not appear that any client data was compromised.

In addition, breaches aimed at stealing offensive security tools (OSTs) are not novel. A group named Shadow Brokers reportedly breached the NSA in 2016 and proceeded to leak stockpiles of such tools and vulnerabilities online. Stealing such tools allows an actor to gain reputation, augment its own capabilities and make significant profit through resale, in addition to potentially embarrassing the targeted company or government organisation.

The attack also underscores the importance of using threat intelligence to guide resource allocation and prioritisation. While board members may question allocating increased resources to security teams when even security companies can be breached, the threat profile of a security company such as FireEye is different from that of the majority of organisations. As one of the largest security companies in the world, breaching it is a prize for any threat actor. The threat profile has also changed in recent weeks, as it was expected that Russia might retaliate against the US government’s publication of some of its offensive cyber techniques. With the FireEye share price already down by 8%, the breach demonstrates the negative effect a successful attack can have on a business.
