What happened?
On the 8th of December 2020, one of the largest cybersecurity firm FireEye (FEYE) has been hacked.
Currently, based on the sophistication and the expertise needed to launch such an attack, it is highly suspected that this is an attack backed by a nation-state.
FireEye said it's working with the FBI to determine how it was hacked, as well as with partners like Microsoft.
Although unconfirmed who is behind this, Matt Gorham, assistant director of the F.B.I. Cyber Division, said, βThe F.B.I. is investigating the incident and preliminary indications show an actor with a high level of sophistication consistent with a nation-state.β
Microsoft confirmed that it's assisting with the investigation and have also noted that the hackers used a rare combination of techniques to steal FireEye's tools.
What the big deal?
In this breach. Tools that were once used by FireEye, for security and vulnerability assessment has been accessed without authorization.
Am I affected?
A Github repository released by FireEye, contains a list of CVEs for the affected systems and applications.
The following is a prioritized list of CVEs that should be addressed to limit the effectiveness of the Red Team tools. This is a recommended order and users may make their own priorities based on their unique environments.
Index | CVE | Description | CVSS |
---|---|---|---|
1 | CVE-2019-11510 | Pre-auth arbitrary file reading from Pulse Secure SSL VPNs | 10.0 |
2 | CVE-2020-1472 | Microsoft Active Directory escalation of privileges | 10.0 |
3 | CVE-2018-13379 | Pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN | 9.8 |
4 | CVE-2018-15961 | RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) | 9.8 |
5 | CVE-2019-0604 | RCE for Microsoft Sharepoint | 9.8 |
6 | CVE-2019-0708 | RCE of Windows Remote Desktop Services (RDS) | 9.8 |
7 | CVE-2019-11580 | Atlassian Crowd Remote Code Execution | 9.8 |
8 | CVE-2019-19781 | RCE of Citrix Application Delivery Controller and Citrix Gateway | 9.8 |
9 | CVE-2020-10189 | RCE for ZoHo ManageEngine Desktop Central | 9.8 |
10 | CVE-2014-1812 | Windows Local Privilege Escalation | 9.0 |
11 | CVE-2019-3398 | Confluence Authenticated Remote Code Execution | 8.8 |
12 | CVE-2020-0688 | Remote Command Execution in Microsoft Exchange | 8.8 |
13 | CVE-2016-0167 | local privilege escalation on older versions of Microsoft Windows | 7.8 |
14 | CVE-2017-11774 | RCE in Microsoft Outlook via crafted document execution (phishing) | 7.8 |
15 | CVE-2018-8581 | Microsoft Exchange Server escalation of privileges | 7.4 |
16 | CVE-2019-8394 | Arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus | 6.5 |
What are the countermeasures?
Included in the FireEye "Red Team Tool Countermeasures" Github repository are rules that can help detect and identify these newfound threats.
FireEye Red Team Tool Countermeasures
These rules are provided freely to the community without warranty.
In this GitHub repository you will find rules in multiple languages:
- Snort
- Yara
- ClamAV
- HXIOC
The rules are categorized and labeled into two release states:
- Production: rules that are expected to perform with minimal tuning.
- Supplemental: rules that are known to require further environment-specific tuning and tweaking to perform, and are often used for hunting workflows.
Please check back to this GitHub for updates to these rules.
FireEye customers can refer to the FireEye Community (community.fireeye.com) for information on how FireEye products detect these threats.
The entire risk as to quality and performance of these rules is with the users.
Conclusion
FireEye has been hacked, tools are leaked. Check your systems to ensure that you are not compromised.
If you have any resources that can help, do post them in the comment section.
As the saying goes "it's not a matter if, its a matter of when." Stay Safe and keep up with the news for the latest update.
References
CNN Business
NY Times
Wall Street Journal
Washington Post
Tech Crunch
Thanks for reading!
Signing off
~Jason K.
Top comments (0)