Euro Security Watch with Mathew J. Schwartz

Endpoint Security , Governance & Risk Management , IT Risk Management

Following FireEye Hack, Ensure These 16 Bugs Are Patched

Hunters Could Become the Hunted After Theft of Cybersecurity Firm's Hacking Tools
Following FireEye Hack, Ensure These 16 Bugs Are Patched

Because 2020 wasn't already exciting enough, now we have to worry about being hunted by adversaries wielding FireEye's penetration testing tools, thanks to the company having been hacked (see: FireEye Says Nation-State Attackers Stole Pen Test Tools).

See Also: What is next-generation AML?

FireEye, one of the world's leading cybersecurity firms, is regularly called upon for its incident response and breach investigation capabilities. But it also helps customers simulate attacks, using pen test tools as part of so-called "red team" exercises. These involve good guys pretending to be bad guys by using tactics, techniques and procedures that emulate how hacking teams operate.

"Even if these tools get dumped, attackers will need time to understand them before using." 

"The stolen tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as Cobalt Strike and Metasploit," FireEye says. "Some of the tools are publicly available tools modified to evade basic security detection mechanisms. Other tools and frameworks were developed in-house for our red team."

Penetration testing tools, in the hands of the good guys, help test security to make it better. But in the hands of anyone with malicious intent, the same tools can also penetrate networks and facilitate data exfiltration - among other problems (see: Fire in the Hole).

Following the hacking of its tools, FireEye has released a set of more than 300 countermeasures via GitHub.

The good news is that FireEye's tools are designed to target a number of specific vulnerabilities for which patches have already been released.

"The attacker can use the information to refine their tactics, techniques and procedures in numerous other attacks or campaigns," warns retired Brigadier Gen. Greg Touhill

The bad news is that, although some organizations will have patched all the targeted flaws, many will not have done so, as demonstrated by the fact that the oldest flaw being targeted was first reported in 2014.

That's precisely why hackers - including nation-state attack teams and organized crime gangs - target such flaws: They persist. In addition, attackers use threat emulation software, including Cobalt Strike, because it works.

16 High-Priority Flaws for Patching

Reviewing what FireEye has publicly disclosed to date, Cisco Talos Intelligence has listed 16 CVEs - definitions for cybersecurity vulnerabilities and exposures - that are targeted by FireEye's tools:

CVE Product
CVE-2019-11510 Pulse Secure
CVE-2020-1472 Netlogon (Windows)
CVE-2018-13379 Fortinet FortiGuard FortiOS
CVE-2018-15961 Adobe ColdFusion
CVE-2019-0604 Microsoft SharePoint
CVE-2019-0708 Microsoft Remote Desktop Services
CVE-2019-11580 Atlassian Crowd and Crowd Data Center
CVE-2019-19781 Citrix Application Discovery Controller and Citrix Gateway
CVE-2020-10189 Zoho ManageEngine Desktop Central
CVE-2014-1812 Group Policy implementation in Microsoft Windows
CVE-2019-3398 Confluence Server and Data Center
CVE-2020-0688 Microsoft Exchange
CVE-2016-0167 Microsoft Windows
CVE-2017-11774 Microsoft Outlook
CVE-2018-8581 Microsoft Exchange Server
CVE-2019-8394 Zoho ManageEngine ServiceDesk Plus

"Many of these tools and the vulnerabilities they exploit should be covered by existing defensive products," Cisco says. None are zero-day flaws.

Some of the above vulnerabilities have previously been the focus of government security alerts urging swift patching to block attacks (see: Patch or Perish: Nation-State Hacker Edition).

Will Chaos Ensue?

The goal of whoever hacked FireEye may have been to steal its penetration testing tools and use them to attack others. Or the goal may have been to reverse-engineer the tools, seeking novel ways of hacking targets while staying below a leading cybersecurity firm's radar.

If that sounds like a lot of "maybes," it's because most of the details about this breach have yet to come to light.

"Initial reports are often wrong or incomplete. Nevertheless, the initial reporting indicates a significant attack that has far-ranging impact," says Greg Touhill, a retired U.S. brigadier general who served as the country's first federal CISO.

"This is a real coup for the attacker," adds Touhill, who's now CEO of Appgate Federal. "FireEye has a significant customer base, especially in the government sector, and the information obtained is not trivial. The attackers can use the information to refine their tactics, techniques and procedures in numerous other attacks or campaigns."

FireEye CEO Kevin Mandia revealed the hack attack in a blog post on Tuesday. (Photo: Stuart Isett/Fortune Brainstorm Tech, via Flickr/CC)

FireEye announced the hack on Tuesday, but it hasn't yet said when the breach occurred. Defenders may still have some time to patch the above vulnerabilities and better protect themselves - and not just against FireEye's errant penetration testing tools.

"Even if these tools get dumped," says Jake Williams, a former member of the NSA's elite hacking team who now runs the cybersecurity consultancy Rendition Infosec, "attackers will need time to understand them before using."



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.co.uk, you agree to our use of cookies.