
Jason K.


[BREAKING] FireEye hacked, red team tools leaked. Resources to protect yourself.

What happened?
On the 8th of December 2020, one of the largest cybersecurity firms, FireEye (FEYE), was hacked.

Currently, based on the sophistication and expertise needed to launch such an attack, it is strongly suspected that the attack was backed by a nation-state.

FireEye said it's working with the FBI to determine how it was hacked, as well as with partners like Microsoft.

Although it is unconfirmed who is behind this, Matt Gorham, assistant director of the F.B.I. Cyber Division, said, “The F.B.I. is investigating the incident and preliminary indications show an actor with a high level of sophistication consistent with a nation-state.”

Microsoft confirmed that it is assisting with the investigation and also noted that the hackers used a rare combination of techniques to steal FireEye's tools.

What's the big deal?
In this breach, tools used by FireEye for security and vulnerability assessments were accessed without authorization.

Am I affected?
A GitHub repository released by FireEye contains a list of CVEs for the affected systems and applications.

The following is a prioritized list of CVEs that should be addressed to limit the effectiveness of the Red Team tools. This is a recommended order and users may make their own priorities based on their unique environments.

| Index | CVE | Description | CVSS |
|---|---|---|---|
| 1 | CVE-2019-11510 | Pre-auth arbitrary file reading from Pulse Secure SSL VPNs | 10.0 |
| 2 | CVE-2020-1472 | Microsoft Active Directory escalation of privileges | 10.0 |
| 3 | CVE-2018-13379 | Pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN | 9.8 |
| 4 | CVE-2018-15961 | RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) | 9.8 |
| 5 | CVE-2019-0604 | RCE for Microsoft Sharepoint | 9.8 |
| 6 | CVE-2019-0708 | RCE of Windows Remote Desktop Services (RDS) | 9.8 |
| 7 | CVE-2019-11580 | Atlassian Crowd Remote Code Execution | 9.8 |
| 8 | CVE-2019-19781 | RCE of Citrix Application Delivery Controller and Citrix Gateway | 9.8 |
| 9 | CVE-2020-10189 | RCE for ZoHo ManageEngine Desktop Central | 9.8 |
| 10 | CVE-2014-1812 | Windows Local Privilege Escalation | 9.0 |
| 11 | CVE-2019-3398 | Confluence Authenticated Remote Code Execution | 8.8 |
| 12 | CVE-2020-0688 | Remote Command Execution in Microsoft Exchange | 8.8 |
| 13 | CVE-2016-0167 | Local privilege escalation on older versions of Microsoft Windows | 7.8 |
| 14 | CVE-2017-11774 | RCE in Microsoft Outlook via crafted document execution (phishing) | 7.8 |
| 15 | CVE-2018-8581 | Microsoft Exchange Server escalation of privileges | 7.4 |
| 16 | CVE-2019-8394 | Arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus | 6.5 |
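A practical way to answer "am I affected?" is to cross-reference the prioritized list against an asset inventory so each team gets a patch queue in FireEye's recommended order. The script below is an added example, not code from the post or from FireEye: the CVE table is copied from the list above, while the product-keyword mapping and the host inventory are constructed for illustration. Keyword matching only tells you which hosts to check; confirming exposure still needs a version or patch-level check per product.

```python
"""Map FireEye's prioritized CVE list onto a host inventory (added example)."""

# (index, CVE, description, CVSS) copied from the prioritized list in the post.
PRIORITIZED_CVES = [
    (1, "CVE-2019-11510", "Pre-auth arbitrary file reading from Pulse Secure SSL VPNs", 10.0),
    (2, "CVE-2020-1472", "Microsoft Active Directory escalation of privileges", 10.0),
    (3, "CVE-2018-13379", "Pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN", 9.8),
    (4, "CVE-2018-15961", "RCE via Adobe ColdFusion (arbitrary file upload)", 9.8),
    (5, "CVE-2019-0604", "RCE for Microsoft Sharepoint", 9.8),
    (6, "CVE-2019-0708", "RCE of Windows Remote Desktop Services (RDS)", 9.8),
    (7, "CVE-2019-11580", "Atlassian Crowd Remote Code Execution", 9.8),
    (8, "CVE-2019-19781", "RCE of Citrix ADC and Citrix Gateway", 9.8),
    (9, "CVE-2020-10189", "RCE for ZoHo ManageEngine Desktop Central", 9.8),
    (10, "CVE-2014-1812", "Windows Local Privilege Escalation", 9.0),
    (11, "CVE-2019-3398", "Confluence Authenticated Remote Code Execution", 8.8),
    (12, "CVE-2020-0688", "Remote Command Execution in Microsoft Exchange", 8.8),
    (13, "CVE-2016-0167", "Local privilege escalation on older Microsoft Windows", 7.8),
    (14, "CVE-2017-11774", "RCE in Microsoft Outlook via crafted document (phishing)", 7.8),
    (15, "CVE-2018-8581", "Microsoft Exchange Server escalation of privileges", 7.4),
    (16, "CVE-2019-8394", "Arbitrary pre-auth file upload to ManageEngine ServiceDesk Plus", 6.5),
]

# Product keyword -> CVEs. This mapping is an assumption derived from the
# descriptions above; adapt the keywords to how products are named in your CMDB.
PRODUCT_TO_CVES = {
    "pulse secure": ["CVE-2019-11510"],
    "active directory": ["CVE-2020-1472"],
    "fortigate": ["CVE-2018-13379"],
    "coldfusion": ["CVE-2018-15961"],
    "sharepoint": ["CVE-2019-0604"],
    "windows": ["CVE-2019-0708", "CVE-2014-1812", "CVE-2016-0167"],
    "crowd": ["CVE-2019-11580"],
    "citrix": ["CVE-2019-19781"],
    "desktop central": ["CVE-2020-10189"],
    "confluence": ["CVE-2019-3398"],
    "exchange": ["CVE-2020-0688", "CVE-2018-8581"],
    "outlook": ["CVE-2017-11774"],
    "servicedesk plus": ["CVE-2019-8394"],
}

# Constructed sample inventory: host -> installed products.
SAMPLE_INVENTORY = {
    "vpn-edge-01": ["Pulse Secure Pulse Connect Secure"],
    "dc-01": ["Windows Server 2019", "Active Directory Domain Services"],
    "mail-01": ["Windows Server 2016", "Microsoft Exchange Server 2016"],
    "web-01": ["Ubuntu 20.04", "nginx"],
}


def patch_plan(inventory):
    """Return {host: [(index, cve, cvss), ...]} ordered by FireEye's priority index.

    Hosts whose products match nothing in the list are left out of the plan.
    """
    by_cve = {cve: (idx, cvss) for idx, cve, _desc, cvss in PRIORITIZED_CVES}
    plan = {}
    for host, products in inventory.items():
        hits = set()
        for product in products:
            name = product.lower()
            for keyword, cves in PRODUCT_TO_CVES.items():
                if keyword in name:
                    hits.update(cves)
        if hits:
            plan[host] = sorted((by_cve[c][0], c, by_cve[c][1]) for c in hits)
    return plan


def work_queue(plan):
    """Flatten the plan into (index, host, cve) tuples, most urgent first."""
    return sorted((idx, host, cve) for host, items in plan.items() for idx, cve, _ in items)


if __name__ == "__main__":
    plan = patch_plan(SAMPLE_INVENTORY)
    for idx, host, cve in work_queue(plan):
        print(f"#{idx:<2} {host:<12} {cve}")
```

The queue interleaves hosts by the list's index rather than by CVSS alone, which matches the post's point that the ordering is a recommendation to be adjusted for your own environment (for example, an internet-facing VPN appliance usually outranks an internal Windows host with the same score).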

What are the countermeasures?

Included in the FireEye "Red Team Tool Countermeasures" GitHub repository are rules that can help detect and identify these newfound threats.

FireEye Red Team Tool Countermeasures

These rules are provided freely to the community without warranty.

In this GitHub repository you will find rules in multiple languages:

  • Snort
  • Yara
  • ClamAV

The rules are categorized and labeled into two release states:

  • Production: rules that are expected to perform with minimal tuning.
  • Supplemental: rules that are known to require further environment-specific tuning and tweaking to perform, and are often used for hunting workflows.

Please check back to this GitHub for updates to these rules.

FireEye customers can refer to the FireEye Community for information on how FireEye products detect these threats.

The entire risk as to quality and performance of these rules is with the users.
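To show how the Yara rules from such a repository are applied, and why the production/supplemental split matters, here is an added example that is not FireEye's code and does not use FireEye's rules. It implements a small, clearly limited subset of YARA syntax (plain text strings, fixed hex strings, and the conditions `all of them`, `any of them`, `N of them`) in pure Python, scans a few constructed byte samples, and groups hits by the `release_state` meta field so production hits can be actioned while supplemental hits go to a hunting queue. The two rules and the samples are constructed for illustration; for real scanning use yara-python or ClamAV, which handle the full rule language.

```python
"""Minimal YARA-subset matcher (added example; not FireEye's code or rules)."""
import re
from dataclasses import dataclass

# Constructed sample rules in the supported subset. Real FireEye rules are
# richer (wildcards, regexes, modifiers) and must be run with a real engine.
SAMPLE_RULES = r'''
rule Example_Tool_Marker
{
    meta:
        release_state = "production"
        description = "Constructed sample rule"
    strings:
        $s1 = "ExampleRedTeamTool" ascii
        $h1 = { 4D 5A 90 00 }
    condition:
        all of them
}

rule Example_Suspicious_Strings
{
    meta:
        release_state = "supplemental"
    strings:
        $a = "Invoke-Example"
        $b = "--example-flag"
    condition:
        any of them
}
'''

# Constructed sample buffers standing in for files on disk.
SAMPLES = {
    "tool.exe": b"MZ\x90\x00" + b"\x00" * 8 + b"ExampleRedTeamTool",
    "script.ps1": b"Invoke-Example -Target localhost\n",
    "benign.txt": b"nothing to see here",
}


@dataclass
class Rule:
    name: str
    meta: dict        # key -> value from the meta section
    strings: dict     # "$id" -> bytes pattern
    condition: str    # e.g. "all of them"


def parse_rule(text):
    """Parse one rule in the subset (no wildcards, regex strings or modifiers)."""
    name = re.search(r'\brule\s+(\w+)', text).group(1)
    meta_src = re.search(r'meta:(.*?)strings:', text, re.S)
    meta = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', meta_src.group(1))) if meta_src else {}
    strings_src = re.search(r'strings:(.*?)condition:', text, re.S).group(1)
    strings = {}
    for ident, txt, hexs in re.findall(r'(\$\w+)\s*=\s*(?:"([^"]*)"|\{([^}]*)\})', strings_src):
        strings[ident] = txt.encode() if txt else bytes.fromhex("".join(hexs.split()))
    condition = re.search(r'condition:\s*(.*?)\s*\}', text, re.S).group(1).strip()
    return Rule(name, meta, strings, condition)


def parse_rules(text):
    """Split a rule file on lines starting with 'rule' and parse each chunk."""
    chunks = re.split(r'(?m)^(?=rule\s)', text)
    return [parse_rule(chunk) for chunk in chunks if chunk.strip()]


def evaluate(rule, data):
    """Return (matched, {id: offset}) for one rule over a byte buffer."""
    hits = {ident: data.find(pat) for ident, pat in rule.strings.items()}
    hits = {k: v for k, v in hits.items() if v >= 0}
    cond = rule.condition.lower()
    if cond == "all of them":
        matched = len(hits) == len(rule.strings)
    elif cond == "any of them":
        matched = bool(hits)
    else:
        m = re.fullmatch(r'(\d+)\s+of\s+them', cond)
        if not m:
            raise ValueError(f"unsupported condition: {rule.condition!r}")
        matched = len(hits) >= int(m.group(1))
    return matched, hits


def scan(rules, samples):
    """Scan {name: bytes} with all rules, grouping hits by release_state."""
    report = {"production": [], "supplemental": []}
    for rule in rules:
        state = rule.meta.get("release_state", "supplemental")
        for name, data in samples.items():
            matched, hits = evaluate(rule, data)
            if matched:
                report.setdefault(state, []).append((rule.name, name, sorted(hits)))
    return report


if __name__ == "__main__":
    for state, hits in scan(parse_rules(SAMPLE_RULES), SAMPLES).items():
        print(f"[{state}]")
        for rule_name, sample, ids in hits:
            print(f"  {rule_name} matched {sample} via {', '.join(ids)}")
```

Routing by `release_state` is the design point: a production hit is a ticket, whereas a supplemental hit is a lead that needs the environment-specific tuning the repository README describes before it can be trusted as an alert.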


FireEye has been hacked and its tools have been leaked. Check your systems to ensure that you are not compromised.

If you have any resources that can help, do post them in the comment section.

As the saying goes, "it's not a matter of if, it's a matter of when." Stay safe and keep up with the news for the latest updates.

CNN Business
NY Times
Wall Street Journal
Washington Post
Tech Crunch

Thanks for reading!

Signing off

~Jason K.
