On 8 December 2020, cybersecurity firm FireEye released a statement announcing that a sophisticated state-sponsored attack against them had resulted in the theft of their “red team” tools, the toolset its penetration testers use to exploit vulnerabilities in corporate estates.

The good news: Microsoft’s Jeff Jones has praised FireEye for their disclosure and collaboration (TechCrunch, 2020). FireEye has released details of the stolen tools along with a public repository of countermeasures (detection signatures) to help identify their use in the wild (FireEye Red Team Tool Countermeasures, 2020).

FireEye has stated that none of the stolen tools relies on a “zero-day” exploit and has published the list of CVEs the tools target. For each of these documented vulnerabilities (a mixture of remote code execution, privilege escalation and security-control bypass flaws), we have broken down the mitigations and remediations that stop FireEye’s tools being used against your estate.

This advisory contains several actionable steps our team suggests and further recommendations for security mechanisms to help manage/prevent these attacks.

Products Affected

  • Microsoft Exchange, SharePoint, Remote Desktop, and Active Directory servers (numerous versions spanning from Windows 10/Server 2019 all the way back to Vista/Server 2003)
  • Microsoft Outlook
  • Zoho ManageEngine Desktop Central and ServiceDesk Plus (numerous versions)
  • Both Pulse Secure SSL VPNs and Fortinet FortiGate SSL VPNs
  • Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway
  • Atlassian Confluence and Crowd/Crowd Data Center Servers
  • Adobe ColdFusion

Mitigation Steps

  • Microsoft has folded patches for these CVEs into its standard update lifecycle, so keeping Windows Server, Exchange and SharePoint servers (and Windows clients, for the privilege escalation CVE-2016-0167) current through regular updates closes these vulnerabilities. Two caveats: the fix for CVE-2020-1472 (Netlogon) is only fully effective once Domain Controllers are placed in enforcement mode, and the MS14-025 update for CVE-2014-1812 stops new Group Policy Preference passwords from being stored but does not remove the cpassword values already present in SYSVOL, which must be found and deleted manually.
  • Microsoft has also supplied manual mitigations (such as registry changes and enabling Network Level Authentication for Remote Desktop) that can be found through the links at the bottom of the page.
  • Ensure that endpoints have the latest version/update of Microsoft Outlook installed.
  • Zoho ManageEngine Desktop Central should be updated to version 10.0.479 or later.
  • Zoho ManageEngine ServiceDesk Plus should be updated to build 10012 or later.
  • Atlassian Confluence and Crowd/Crowd Data Center need to be updated to the latest versions.
  • Adobe ColdFusion 2018, 2016 and 11 need to be updated to the latest available versions.
  • Citrix ADC and Citrix Gateway should be updated to the fixed firmware builds listed in Citrix’s advisory CTX267027 (linked in the table at the bottom of the page).
  • FortiOS should be upgraded to 5.4.13, 5.6.8 or 6.0.5 (the first fixed release of each affected branch) or to 6.2.0 and above.
  • Pulse Policy Secure and Pulse Connect Secure should be upgraded to the latest versions if possible, or at a minimum to the fixed build for your current version as listed in Pulse Secure’s advisory for CVE-2019-11510 (linked in the table at the bottom of the page).
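The version thresholds in the list above are easy to get wrong by hand, especially for FortiOS, where the fixed release depends on which branch a device is running. The following script is an added example (not FireEye, Fortinet or Zoho code) that triages a constructed asset inventory against those thresholds: it compares versions numerically rather than as strings, applies the per-branch FortiOS rule, and treats any FortiOS branch the advisory does not list as needing manual review. Product names, hostnames and version strings in the sample inventory are assumptions for illustration.

```python
"""Triage an asset inventory against the minimum fixed versions given in the
Mitigation Steps above (FortiOS for CVE-2018-13379, Desktop Central for
CVE-2020-10189, ServiceDesk Plus for CVE-2019-8394).

Added example for this page; not FireEye, Fortinet or Zoho code.
The inventory rows at the bottom are constructed sample data.
"""
import re

# FortiOS fixes are branch-specific: each affected branch has its own first
# fixed release, and 6.2.0 and later were never affected.
FORTIOS_FIXED_BY_BRANCH = {
    (5, 4): (5, 4, 13),
    (5, 6): (5, 6, 8),
    (6, 0): (6, 0, 5),
}
FORTIOS_SAFE_FROM = (6, 2, 0)

DESKTOP_CENTRAL_FIXED = (10, 0, 479)   # version 10.0.479 or later
SERVICEDESK_PLUS_FIXED_BUILD = 10012   # build 10012 or later


def parse_version(text):
    """Turn '6.0.4', '10.0.479' or '10.0 build 10011' into a tuple of ints,
    so tuple comparison orders versions numerically (10 > 9, unlike '10' < '9')."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(n) for n in nums)


def fortios_needs_update(version):
    """True if this FortiOS version is below the fixed release for its branch."""
    v = parse_version(version)
    if v >= FORTIOS_SAFE_FROM:
        return False
    fixed = FORTIOS_FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        # Branch not covered by the advisory's list (e.g. 5.2.x). Assumption:
        # flag it for manual review rather than silently treating it as safe.
        return True
    return v < fixed


def check_asset(product, version):
    """Return (needs_update, cve) for one inventory row; needs_update is None
    when the product has no version threshold in this advisory."""
    p = product.lower()
    if "fortios" in p:
        return fortios_needs_update(version), "CVE-2018-13379"
    if "desktop central" in p:
        return parse_version(version) < DESKTOP_CENTRAL_FIXED, "CVE-2020-10189"
    if "servicedesk" in p:
        # The build number is the last numeric component of the version string.
        return parse_version(version)[-1] < SERVICEDESK_PLUS_FIXED_BUILD, "CVE-2019-8394"
    return None, None


# Constructed sample inventory: (hostname, product, version string)
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "6.0.4"),
    ("fw-edge-02", "FortiOS", "6.0.5"),
    ("fw-branch-01", "FortiOS", "5.6.3"),
    ("fw-new-01", "FortiOS", "6.4.2"),
    ("mgmt-dc-01", "ManageEngine Desktop Central", "10.0.474"),
    ("sdp-01", "ManageEngine ServiceDesk Plus", "10.0 build 10011"),
    ("sdp-02", "ManageEngine ServiceDesk Plus", "10.0 build 10012"),
    ("wiki-01", "Atlassian Confluence", "7.4.0"),
]


def triage(inventory):
    """Return (host, product, version, cve) for every row still needing a patch."""
    findings = []
    for host, product, version in inventory:
        needs, cve = check_asset(product, version)
        if needs:
            findings.append((host, product, version, cve))
    return findings


if __name__ == "__main__":
    for host, product, version, cve in triage(SAMPLE_INVENTORY):
        print(f"NEEDS UPDATE: {host} ({product} {version}) - {cve}")
```

Running it against the sample inventory flags the two affected FortiOS branches, the older Desktop Central build and the pre-10012 ServiceDesk Plus build, and leaves the 6.0.5, 6.4.2 and build-10012 hosts alone. Products without a version threshold on this page (Confluence in the sample) are returned as "not covered" rather than as safe, so they still get a manual check.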

Security Mechanisms to Help Manage/Prevent These Attacks

1. User Behavioural Analytics / Credential Access Management

Several of the FireEye tools exploit weaknesses in Windows credential handling to steal credentials or impersonate other users. A privileged access management (PAM) solution can control access to, and usage of, privileged credentials within an estate, which limits what an attacker gains even when such an exploit succeeds.

Additionally, user behaviour monitoring can flag anomalous use of credentials (logons from unusual hosts, at unusual times, or to systems a user never normally touches) so you can respond before a threat actor can use the credentials to inflict damage.

2. Endpoint Detection and Response (EDR)

Many of the tools targeting Microsoft vulnerabilities exploit mechanisms on the vulnerable servers themselves, using tools and on-endpoint techniques. Endpoint detection and response products such as SentinelOne key on the post-exploitation behaviour these tools share rather than on a specific CVE, so they can detect and block suspicious activity even when the vulnerability being exploited is new and undocumented.

3. Network Intrusion Detection Systems (NIDS)

The tools designed to attack servers often use specially crafted network requests to exploit vulnerable services within estates.

Network Intrusion Detection Systems can match indicators of this malicious traffic. FireEye’s countermeasures repository includes Snort signatures written specifically for the network traffic these tools generate, alongside YARA rules for detecting the tools themselves on disk or in memory.
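To show what a network-layer signature for the two SSL VPN flaws in this advisory actually matches on, here is an added example (not FireEye’s Snort rules, and not part of the original advisory) that scans constructed Common Log Format access-log lines for the publicly documented path-traversal requests behind CVE-2019-11510 (Pulse Connect Secure) and CVE-2018-13379 (FortiOS SSL VPN). It URL-decodes the request target before matching, because encoding the traversal sequence is the usual way to slip past a naive string match. The log lines, client addresses and timestamps are constructed sample data.

```python
"""Scan web-server / reverse-proxy access logs for requests matching the
publicly documented path-traversal patterns behind CVE-2019-11510 (Pulse
Connect Secure arbitrary file read) and CVE-2018-13379 (FortiOS SSL VPN
session-file read), the two SSL VPN flaws listed in this advisory.

Added example for this page; the patterns are the public indicators, not
FireEye's Snort signatures, and the log lines are constructed.
"""
import re
from urllib.parse import unquote

# Signatures are applied to the URL-decoded request target (path + query).
# Each pairs the vulnerable endpoint with a directory-traversal sequence, so
# legitimate requests to the same endpoint do not match.
SIGNATURES = [
    ("CVE-2019-11510", re.compile(r"dana/html5acc/guacamole/.*\.\./", re.IGNORECASE)),
    ("CVE-2018-13379", re.compile(r"/remote/fgt_lang\?lang=.*\.\./", re.IGNORECASE)),
]

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def normalise_target(raw):
    """URL-decode twice so %2e%2e%2f and double-encoded %252e%252e%252f are
    both seen as ../ ; attackers encode traversal precisely to dodge naive matching."""
    return unquote(unquote(raw))


def parse_line(line):
    """Return the fields of one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_signatures(target):
    """Return the CVEs whose signature matches this request target."""
    decoded = normalise_target(target)
    return [cve for cve, rx in SIGNATURES if rx.search(decoded)]


def scan(lines):
    """Return (client_ip, cve, http_status) for every matching request.
    A 200 status on a traversal request means the read most likely succeeded,
    so the device should be treated as compromised rather than merely probed."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for cve in match_signatures(rec["target"]):
            hits.append((rec["ip"], cve, rec["status"]))
    return hits


# Constructed sample log: two Pulse traversal attempts (one URL-encoded), one
# FortiOS traversal, and two benign requests to the same endpoints.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2020:10:01:02 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1420',
    '203.0.113.5 - - [10/Dec/2020:10:01:09 +0000] "GET /dana-na/..%2Fdana/html5acc/guacamole/..%2F..%2F..%2F..%2F..%2F..%2Fetc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1420',
    '198.51.100.7 - - [10/Dec/2020:10:02:11 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 9876',
    '192.0.2.44 - - [10/Dec/2020:10:03:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 3210',
    '192.0.2.44 - - [10/Dec/2020:10:03:05 +0000] "GET /remote/fgt_lang?lang=en HTTP/1.1" 200 120',
]


if __name__ == "__main__":
    for ip, cve, status in scan(SAMPLE_LOG):
        print(f"{ip} {cve} status={status}")
```

The benign login-page and language requests hit the same endpoints but carry no traversal sequence, so they do not fire; the encoded Pulse request decodes to the same traversal as the plain one and is caught. A NIDS rule does the same job on the wire, which is what makes the published Snort signatures useful even where the appliance itself keeps no usable request log.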

Relevant Articles

Vulnerability | Affected Products | Mitigation Documentation
CVE-2019-11510 | Numerous Pulse Secure products (including Connect Secure and Policy Secure) | https://nvd.nist.gov/vuln/detail/CVE-2019-11510
CVE-2018-13379 | Numerous Fortinet systems (including versions of FortiOS) | https://nvd.nist.gov/vuln/detail/CVE-2018-13379
CVE-2020-1472 | Microsoft Active Directory (numerous versions of Windows Server) | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472
CVE-2018-15961 | Adobe ColdFusion (numerous versions) | https://helpx.adobe.com/security/products/coldfusion/apsb18-33.html
CVE-2019-0604 | Microsoft SharePoint (numerous versions of Windows Server) | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0604
CVE-2019-0708 | Windows Remote Desktop Services | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0708
CVE-2019-11580 | Atlassian Crowd/Crowd Data Center | https://jira.atlassian.com/browse/CWD-5388
CVE-2019-19781 | Citrix Application Delivery Controller (ADC), formerly NetScaler ADC, and Citrix Gateway, formerly NetScaler Gateway | https://support.citrix.com/article/CTX267027
CVE-2020-10189 | Zoho ManageEngine Desktop Central | https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html
CVE-2014-1812 | Numerous versions of Windows including Vista, 7, 8, 8.1, Server 2008, Server 2012 | https://support.microsoft.com/en-us/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevati
CVE-2019-3398 | Atlassian Confluence (numerous versions) | https://jira.atlassian.com/browse/CONFSERVER-58102
CVE-2020-0688 | Microsoft Exchange (numerous versions) | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0688
CVE-2016-0167 | Numerous older versions of Windows (Windows 10 1511 and older, Windows 8.1 or earlier) | https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-039
CVE-2017-11774 | Microsoft Outlook (numerous older versions) | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11774
CVE-2018-8581 | Microsoft Exchange Server (numerous versions) | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8581
CVE-2019-8394 | Zoho ManageEngine ServiceDesk Plus, builds before 10012 | https://www.exploit-db.com/exploits/46413 (Exploit-DB write-up)