On the 8th December, cybersecurity firm FireEye released a statement announcing that a sophisticated state-sponsored attack against them had resulted in the theft of their “red team” tools, the toolset their penetration test teams use to exploit vulnerabilities in corporate estates.
The good news: Microsoft’s Jeff Jones has praised FireEye for their disclosure and collaboration (TechCrunch, 2020), and the firm has released helpful information on the stolen tools, along with a repository of countermeasures to help combat their use in the wild (FireEye Red Team Tool Countermeasures, 2020).
FireEye have stated that none of the stolen exploits were “zero-day” and have provided a list of CVEs for all targeted vulnerabilities. For each of these documented vulnerabilities (a mixture of remote code executions, privilege escalations, and methods to circumvent security controls), we have broken down the mitigations and remediations that stop FireEye’s tools from being used against your estate.
This advisory lists the products targeted, the actionable steps our team suggests for each, and further recommendations for security mechanisms that help manage and prevent these attacks.
Affected Products
- Microsoft Exchange, SharePoint, Remote Desktop, and Active Directory servers (numerous versions spanning from Windows 10/Server 2019 all the way back to Vista/Server 2003)
- Microsoft Outlook
- ZoHo ManageEngine Desktop Central and ServiceDesk Plus (numerous versions)
- Both Pulse Secure SSL VPNs and Fortinet FortiGate SSL VPNs
- Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway
- Atlassian Confluence and Crowd/Crowd Data Center Servers
- Adobe ColdFusion
Actionable Steps
- Microsoft has folded patches for these CVEs into its standard update lifecycle, so applying regular updates to all Windows Server products will ensure you are protected.
- Microsoft has also supplied some manual mitigations (such as registry changes and enabling Network Level Authentication) that can be found through the links at the bottom of the page.
- Ensure that endpoints have the latest version/update of Microsoft Outlook installed.
- ZoHo ManageEngine Desktop Central should be updated to version 10.0.479 or later.
- ZoHo ManageEngine ServiceDesk Plus should be updated to build 10012 or later.
- Atlassian Confluence and Crowd/Crowd Data Center need to be updated to the latest versions.
- Adobe ColdFusion 2018, 2016 and 11 need to be updated to the latest available versions.
- FortiOS should be upgraded to 5.4.13, 5.6.8, 6.0.5 or 6.2.0 or later, according to the release branch in use.
- Pulse Policy Secure and Pulse Connect Secure should be upgraded to the latest versions if possible, or at a minimum, the corresponding builds for your current versions that contain the fixes listed here.
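The version thresholds above are only useful once they are compared against what is actually deployed, and the FortiOS entry in particular is per release branch (a 5.6.x device is not fixed just because 6.0.5 is a higher number). The script below is an added example, not FireEye's or this advisory's own code: it applies the advisory's stated minimums for FortiOS, ManageEngine Desktop Central and ServiceDesk Plus to an inventory. The inventory format, product names and hostnames are assumptions and the sample records are constructed.

```python
"""Branch-aware check of installed versions against the fixed builds the
advisory lists for FortiOS, ManageEngine Desktop Central and ServiceDesk Plus.
Added example, not FireEye's or the advisory author's code. The inventory
records and hostnames below are constructed; only the thresholds come from
the advisory.
"""
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, ...]

# The advisory lists a separate fixed build per FortiOS release branch, so a
# 5.6.x device is only fixed at 5.6.8 or later even though 6.0.5 is "higher".
FORTIOS_BRANCH_MIN: Dict[Tuple[int, int], Version] = {
    (5, 4): (5, 4, 13),
    (5, 6): (5, 6, 8),
    (6, 0): (6, 0, 5),
    (6, 2): (6, 2, 0),
}
DESKTOP_CENTRAL_MIN: Version = (10, 0, 479)
SERVICEDESK_PLUS_MIN_BUILD = 10012


def parse_version(text: str) -> Version:
    """Turn strings like '6.0.5', 'v5.4.13' or 'build 10012' into an int tuple."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def fortios_needs_upgrade(version: str) -> bool:
    """True when the running FortiOS build is below the fix for its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FORTIOS_BRANCH_MIN:
        return v < FORTIOS_BRANCH_MIN[branch]
    # No per-branch fix listed: "6.2.0 and above" covers newer branches, and
    # anything older than the listed branches has no fixed build, so it must move.
    return v < (6, 2, 0)


CHECKS: Dict[str, Callable[[str], bool]] = {
    "FortiOS": fortios_needs_upgrade,
    "ManageEngine Desktop Central": lambda ver: parse_version(ver) < DESKTOP_CENTRAL_MIN,
    "ManageEngine ServiceDesk Plus": lambda ver: parse_version(ver)[0] < SERVICEDESK_PLUS_MIN_BUILD,
}


def find_unpatched(inventory: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (host, product, version) for every record still below the fixed build."""
    findings = []
    for rec in inventory:
        check = CHECKS.get(rec["product"])
        if check is None:
            continue  # product not in this advisory's version table
        if check(rec["version"]):
            findings.append((rec["host"], rec["product"], rec["version"]))
    return findings


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"host": "fw-edge-01", "product": "FortiOS", "version": "5.6.7"},
    {"host": "fw-edge-02", "product": "FortiOS", "version": "6.0.5"},
    {"host": "fw-dc-01", "product": "FortiOS", "version": "6.4.2"},
    {"host": "fw-lab-01", "product": "FortiOS", "version": "5.2.9"},
    {"host": "me-dc-01", "product": "ManageEngine Desktop Central", "version": "10.0.478"},
    {"host": "me-sdp-01", "product": "ManageEngine ServiceDesk Plus", "version": "build 10012"},
    {"host": "me-sdp-02", "product": "ManageEngine ServiceDesk Plus", "version": "build 9417"},
]

if __name__ == "__main__":
    for host, product, version in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below the fixed build")
```

Run against the constructed inventory, the script reports the two FortiOS devices still on pre-fix builds (one on 5.6.x, one on an older branch with no fixed build at all), the Desktop Central server one build short of 10.0.479, and the ServiceDesk Plus instance below build 10012, while the 6.0.5 and 6.4.x firewalls pass. Feeding it a real inventory export is a matter of mapping the export's columns onto the `host`, `product` and `version` keys.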
Security Mechanisms to Help Manage/Prevent These Attacks
1. User Behavioural Analytics / Credential Access Management
Several of the FireEye tools use Windows credential exploits and manipulate vulnerable mechanisms to either steal credentials or impersonate other users. A privileged access management solution can control access to and use of these credentials within an estate, crippling the usefulness of such exploits.
Additionally, user behavioural monitoring can detect unusual use of credentials so you can respond to these attacks quickly, before a threat actor can use the credentials to inflict damage.
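To make the behavioural-monitoring point concrete, the following is an added example (not the advisory author's code, and not the logic of any vendor's product): it baselines which source hosts each account normally logs on from, then flags a logon from a host outside that baseline and an account reaching an unusual number of distinct hosts within a short window. The log line format, account and host names are assumptions, and every log line is constructed.

```python
"""Behavioural baseline over logon events: flag credential use that departs
from what an account normally does.

Added example, not the advisory author's code and not any vendor's product
logic. Log lines are constructed; the assumed record format is
'<ISO-8601 time> <account> <source host> -> <destination host>'.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

Event = Tuple[datetime, str, str, str]  # (time, account, src_host, dst_host)
Alert = Tuple[datetime, str, str]       # (time, account, reason)


def parse_events(lines: List[str]) -> List[Event]:
    """Parse the assumed 'time account src -> dst' record format."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, account, src, arrow, dst = line.split()
        if arrow != "->":
            raise ValueError(f"unexpected record: {line!r}")
        events.append((datetime.fromisoformat(ts), account, src, dst))
    return events


def build_baseline(events: List[Event]) -> Dict[str, Set[str]]:
    """Source hosts each account was seen logging on from during the baseline period."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for _, account, src, _ in events:
        seen[account].add(src)
    return seen


def detect(baseline: Dict[str, Set[str]], events: List[Event],
           burst_hosts: int = 3, window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    alerts: List[Alert] = []
    # Rule 1: a logon from a source host never seen for this account in the baseline.
    for ts, account, src, dst in events:
        if src not in baseline.get(account, set()):
            alerts.append((ts, account, f"new source host {src} (to {dst})"))
    # Rule 2: one account reaching many distinct destinations inside a short
    # window, the shape a harvested credential leaves when it is replayed.
    by_account: Dict[str, List[Event]] = defaultdict(list)
    for ev in sorted(events):
        by_account[ev[1]].append(ev)
    for account, evs in by_account.items():
        for i, (ts, _, _, _) in enumerate(evs):
            dsts = {e[3] for e in evs[i:] if e[0] - ts <= window}
            if len(dsts) >= burst_hosts:
                alerts.append((ts, account, f"{len(dsts)} destination hosts within {window}"))
                break  # one alert per account keeps the output readable
    return alerts


# Constructed baseline: a user logging on from her workstation and a backup
# service account doing its nightly run. Names and times are made up.
BASELINE_LOG = """
2020-12-01T09:02:11 alice WS-ALICE -> FILE-01
2020-12-01T09:05:40 alice WS-ALICE -> MAIL-01
2020-12-01T22:00:00 svc-backup BK-01 -> FILE-01
2020-12-01T22:30:00 svc-backup BK-01 -> FILE-02
2020-12-02T09:01:03 alice WS-ALICE -> FILE-01
2020-12-02T22:00:00 svc-backup BK-01 -> FILE-01
"""

# Constructed review period: one logon from an unfamiliar host, and the
# service account touching four hosts in four minutes.
REVIEW_LOG = """
2020-12-09T09:03:27 alice WS-ALICE -> FILE-01
2020-12-09T13:44:02 alice WS-HELPDESK-07 -> FILE-01
2020-12-09T03:12:00 svc-backup BK-01 -> FILE-01
2020-12-09T03:13:10 svc-backup BK-01 -> FILE-02
2020-12-09T03:14:05 svc-backup BK-01 -> FS-03
2020-12-09T03:15:51 svc-backup BK-01 -> DC-01
"""


def run_example() -> List[Alert]:
    baseline = build_baseline(parse_events(BASELINE_LOG.splitlines()))
    return detect(baseline, parse_events(REVIEW_LOG.splitlines()))


if __name__ == "__main__":
    for ts, account, reason in run_example():
        print(f"{ts.isoformat()} {account}: {reason}")
```

The two rules are deliberately simple; what matters is that each is anchored to an account's own history rather than a global threshold, which is what lets the backup account's four-host burst stand out while its normal two-host nightly run does not. In production the baseline would be built from weeks of logon telemetry and the alerts fed to the team that can disable or rotate the credential.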
2. Endpoint Detect Protect Respond (EDPR)
Many of the tools targeting Microsoft vulnerabilities exploit mechanisms on the vulnerable servers themselves, using on-endpoint tools and techniques. Endpoint protection tools such as SentinelOne can detect suspicious indicators and protect against these attacks, even when the vulnerability is new and undocumented.
3. Network Intrusion Detection Systems (NIDS)
The tools designed to attack servers often use specially crafted network connections to exploit vulnerable services within estates.
Network Intrusion Detection Systems can detect indicators of malicious network traffic, potentially even using the “YARA rules” FireEye themselves have provided specifically for identifying and detecting the network traffic generated by these tools.