Following FireEye Hack, Ensure These 16 Bugs Are Patched
Hunters Could Become the Hunted After Theft of Cybersecurity Firm's Hacking Tools
Because 2020 wasn't already exciting enough, now we have to worry about being hunted by adversaries wielding FireEye's penetration testing tools, thanks to the company having been hacked (see: FireEye Says Nation-State Attackers Stole Pen Test Tools).
FireEye, one of the world's leading cybersecurity firms, is regularly called upon for its incident response and breach investigation capabilities. But it also helps customers simulate attacks, using pen test tools as part of so-called "red team" exercises. These involve good guys pretending to be bad guys by using tactics, techniques and procedures that emulate how hacking teams operate.
"The stolen tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as Cobalt Strike and Metasploit," FireEye says. "Some of the tools are publicly available tools modified to evade basic security detection mechanisms. Other tools and frameworks were developed in-house for our red team."
Penetration testing tools, in the hands of the good guys, help test security to make it better. But in the hands of anyone with malicious intent, the same tools can also penetrate networks and facilitate data exfiltration - among other problems (see: Fire in the Hole).
Following the theft of its tools, FireEye has released a set of more than 300 countermeasures via GitHub: detection signatures in Snort, YARA, ClamAV and HXIOC formats, written to spot its own red team tooling in use.
The good news is that FireEye's tools target specific, known vulnerabilities for which patches have already been released.
The bad news is that, although some organizations will have patched every targeted flaw, many will not have done so. The oldest flaw being targeted was first reported in 2014, and a red team keeps a six-year-old exploit in its kit only because it still finds systems on which it works.
That's precisely why hackers - including nation-state attack teams and organized crime gangs - target such flaws: They persist unpatched for years. In addition, attackers use threat emulation software, including Cobalt Strike, because it works.
16 High-Priority Flaws for Patching
Reviewing what FireEye has publicly disclosed to date, Cisco Talos Intelligence has listed 16 CVEs - Common Vulnerabilities and Exposures identifiers - that are targeted by FireEye's tools. Those reproduced here, with the affected product:
| CVE | Affected product |
|---|---|
| CVE-2018-13379 | Fortinet FortiOS |
| CVE-2019-0708 | Microsoft Remote Desktop Services |
| CVE-2019-11580 | Atlassian Crowd and Crowd Data Center |
| CVE-2019-19781 | Citrix Application Delivery Controller and Citrix Gateway |
| CVE-2020-10189 | Zoho ManageEngine Desktop Central |
| CVE-2014-1812 | Group Policy implementation in Microsoft Windows |
| CVE-2019-3398 | Confluence Server and Data Center |
| CVE-2018-8581 | Microsoft Exchange Server |
| CVE-2019-8394 | Zoho ManageEngine ServiceDesk Plus |
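The oldest entry in the table, CVE-2014-1812, is also the easiest to audit for without touching production systems. Group Policy Preferences stored local-account passwords in SYSVOL XML files as a `cpassword` attribute, encrypted with an AES key that Microsoft itself published, so any domain user who could read SYSVOL could recover them. The MS14-025 patch stopped new passwords from being written that way but left existing entries in place, which is why they still turn up in red team engagements years later. The scanner below is an added example, not the article's or FireEye's code; the SYSVOL directory layout and the XML files it writes are constructed samples, and the `cpassword` value in them is a placeholder rather than a real encrypted password.

```python
"""
Find Group Policy Preference files that still carry a 'cpassword' attribute
(CVE-2014-1812 / MS14-025).

Added example; not code from the article or FireEye. The SYSVOL layout and
the XML files written below are constructed samples, and the cpassword
value is a placeholder string, not a real encrypted password.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# The GPP file types that could embed credentials before MS14-025.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed: a Groups.xml that sets a local admin password via cpassword.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="localadmin" image="2"
        changed="2014-03-01 10:00:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_NOT_A_REAL_VALUE" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0" userName="localadmin"/>
  </User>
</Groups>
"""

# Constructed: a Drives.xml with no embedded credential (must not be flagged).
SAMPLE_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}">
  <Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="S:" status="S:" image="2"
         changed="2020-01-15 09:00:00" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" thisDrive="SHOW" allDrives="NOSHOW" userName=""
                path="\\\\fileserver\\share" label="Share" persistent="1" useLetter="1" letter="S"/>
  </Drive>
</Drives>
"""


def scan_gpp_file(path):
    """Return one finding per element in `path` that carries a non-empty cpassword."""
    findings = []
    try:
        tree = ET.parse(path)
    except ET.ParseError as exc:
        return [{"file": path, "error": str(exc)}]
    for parent in tree.iter():              # walk parents so the item's name and date come along
        for child in parent:
            cpassword = child.get("cpassword")
            if not cpassword:               # absent or empty: nothing to recover
                continue
            findings.append({
                "file": path,
                "policy_item": parent.get("name", parent.tag),
                "changed": parent.get("changed", "unknown"),
                "userName": child.get("userName", ""),
                "cpassword": cpassword,
            })
    return findings


def find_cpasswords(sysvol_root):
    """Walk a SYSVOL tree and scan every file type that may carry a cpassword."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for fname in files:
            if fname in GPP_FILES:
                findings.extend(scan_gpp_file(os.path.join(dirpath, fname)))
    return findings


def build_sample_sysvol():
    """Write the constructed samples into a temporary SYSVOL-like tree; returns its root."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    prefs = os.path.join(root, "domain.example", "Policies",
                         "{11111111-2222-3333-4444-555555555555}", "Machine", "Preferences")
    for sub, content in (("Groups", SAMPLE_GROUPS_XML), ("Drives", SAMPLE_DRIVES_XML)):
        os.makedirs(os.path.join(prefs, sub))
        with open(os.path.join(prefs, sub, f"{sub}.xml"), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in find_cpasswords(build_sample_sysvol()):
        if "error" in f:
            print(f"{f['file']}: could not parse ({f['error']})")
            continue
        print(f"{f['file']}: cpassword for user '{f['userName']}' "
              f"(policy item '{f['policy_item']}', last changed {f['changed']})")
```

Point `find_cpasswords()` at a copy of the domain's SYSVOL share (or a mounted export) instead of the temporary tree. Any non-empty `cpassword` is a finding regardless of whether the domain controllers have MS14-025 installed, because the patch does not remove values that were already written; the fix is to delete the preference item and rotate the account's password.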
"Many of these tools and the vulnerabilities they exploit should be covered by existing defensive products," Cisco says. None are zero-day flaws.
"We've tested and confirmed that many of our previous Snort rules protect users against the vulnerabilities related to the recent #FireEye incident. Here's everything we know about the vulns that are out there and our accompanying detection https://t.co/P8J0ZXoGQE" - Cisco Talos Intelligence Group (@TalosSecurity), December 10, 2020
Some of the above vulnerabilities have previously been the focus of government security alerts urging swift patching to block attacks (see: Patch or Perish: Nation-State Hacker Edition).
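Network signatures such as Talos's Snort rules are one layer; the same exploitation patterns can also be pulled out of ordinary web-server access logs after the fact, which matters when the question is whether a tool was already used against you before the rules were deployed. The script below is an added example, not code from the article, FireEye or Cisco Talos. It checks constructed access-log lines for the CVE-2019-19781 pattern: a request under the unauthenticated /vpn/ path that uses dot-dot segments, possibly URL-encoded, to climb into /vpns/, the directory holding the Perl scripts behind the vulnerability. The log format and every line in it are made up for the example.

```python
"""
Flag CVE-2019-19781 (Citrix ADC / Citrix Gateway) exploitation attempts
in web-server access logs.

Added example; not code from the article, FireEye or Cisco Talos. The
log format and the sample lines are constructed. The pattern itself is
the publicly documented one: a request under the unauthenticated /vpn/
path that uses dot-dot segments (possibly URL-encoded) to reach /vpns/.
"""
import posixpath
import re
from urllib.parse import unquote

# Apache/NGINX combined-log style. Only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: normal portal traffic, the smb.conf probe in plain
# and URL-encoded form, the newbm.pl write step, and a direct /vpns/ hit.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Dec/2020:14:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120
203.0.113.10 - - [10/Dec/2020:14:01:05 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83
203.0.113.11 - - [10/Dec/2020:14:02:17 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 83
203.0.113.11 - - [10/Dec/2020:14:02:19 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0
198.51.100.7 - - [10/Dec/2020:14:03:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 2210
198.51.100.7 - - [10/Dec/2020:14:03:04 +0000] "GET /vpns/portal/scripts/newbm.pl HTTP/1.1" 403 0
"""


def fully_decode(uri):
    """Drop the query string and URL-decode until nothing changes (catches %252e)."""
    path = uri.split("?", 1)[0]
    for _ in range(5):                      # bounded; a sane URI settles in one or two rounds
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_request(method, raw_uri):
    """Return (severity, reason) for one request, or None when it looks benign."""
    path = fully_decode(raw_uri)
    if "/../" in path or path.endswith("/.."):
        # Resolve the dot-dots and see where the request actually lands.
        if posixpath.normpath(path).startswith("/vpns/"):
            return "high", f"traversal out of /vpn/ into /vpns/: {method} {raw_uri}"
    if path.startswith("/vpns/portal/scripts/"):
        # Legitimate only inside an authenticated VPN session; an access log
        # does not show session state, so this is the weaker signal.
        return "medium", f"direct access to /vpns/ script: {method} {raw_uri}"
    return None


def scan_log(text):
    """Run classify_request over every parsable log line; returns the alerts in order."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                        # malformed line; keep scanning
        verdict = classify_request(m["method"], m["uri"])
        if verdict is not None:
            alerts.append({"src": m["src"], "status": m["status"],
                           "severity": verdict[0], "reason": verdict[1]})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['src']} -> {a['status']}: {a['reason']}")
```

Decoding before matching is the point: a rule that looks for the literal string `/../` misses the `%2e%2e` variant on the third line, and nested encoding (`%252e`) needs a second pass. A direct `/vpns/` request without traversal is only flagged as medium because a plain access log cannot show whether it came from an authenticated VPN session, which is the distinction Citrix's own responder-policy mitigation drew. A 200 on the `smb.conf` probe followed by a POST to `newbm.pl` from the same source is the sequence to treat as a likely compromise rather than a scan.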
Will Chaos Ensue?
The goal of whoever hacked FireEye may have been to steal its penetration testing tools and use them to attack others. Or the goal may have been to reverse-engineer the tools, seeking novel ways of hacking targets while staying below a leading cybersecurity firm's radar.
If that sounds like a lot of "maybes," it's because most of the details about this breach have yet to come to light.
"Initial reports are often wrong or incomplete. Nevertheless, the initial reporting indicates a significant attack that has far-ranging impact," says Greg Touhill, a retired U.S. brigadier general who served as the country's first federal CISO.
"This is a real coup for the attacker," adds Touhill, who's now CEO of Appgate Federal. "FireEye has a significant customer base, especially in the government sector, and the information obtained is not trivial. The attackers can use the information to refine their tactics, techniques and procedures in numerous other attacks or campaigns."
FireEye announced the hack on Tuesday, but it hasn't yet said when the breach occurred. Defenders may still have some time to patch the above vulnerabilities and better protect themselves - and not just against FireEye's stolen penetration testing tools, since the same flaws are already in use by other attackers.
"Even if these tools get dumped," says Jake Williams, a former member of the NSA's elite hacking team who now runs the cybersecurity consultancy Rendition Infosec, "attackers will need time to understand them before using."