Overview
On December 8, 2020, FireEye, a cybersecurity company, published a blog post stating that its internal network had been breached by a highly sophisticated threat actor and that its Red Team tools had been stolen.
According to FireEye, the stolen Red Team tools are mainly used to provide its customers with basic penetration testing services and contain no zero-day exploits or previously unknown techniques. The tools include open-source tools, modified versions of open-source tools, and some independently developed weaponized tools. In terms of usage, they cover most stages of the attack life cycle, such as persistence, privilege escalation, defense evasion, credential access, discovery within the domain, and lateral movement. Some of these tools had already been released to the community and are distributed in FireEye's open-source virtual machine, CommandoVM.
Stolen Red Team tools are a time bomb: whether the attacker uses them directly or discloses them publicly, they become a threat to every organization. To let organizations prepare in advance, FireEye published countermeasures for the tools on the same day. NSFOCUS analyzed the countermeasures immediately and now provides detection and protection capabilities for the stolen tools and the vulnerabilities they exploit.
Reference link:
Technical Solutions
FireEye’s Countermeasures
- Rules for Detecting the Stolen Tools
To help organizations identify malicious use of the stolen tools, FireEye has published detection rules for them on GitHub. At the time of writing the repository contains 311 detection rules: 165 YARA rules, 34 Snort rules, 88 IOCs, and 24 ClamAV signatures. The repository will continue to be updated; see https://github.com/fireeye/red_team_tool_countermeasures
- Vulnerabilities Involved in the Stolen Tools
The same GitHub repository also lists 16 known vulnerabilities that the stolen tools exploit. They affect operating systems as well as applications and network equipment commonly used by enterprises. Patching these vulnerabilities removes the initial-access and privilege-escalation paths the corresponding tools depend on.
The vulnerabilities are listed in the following table:
CVE ID | Vulnerability |
CVE-2014-1812 | Windows local privilege escalation |
CVE-2016-0167 | Local privilege escalation on older versions of Microsoft Windows |
CVE-2017-11774 | RCE in Microsoft Outlook via crafted document execution (phishing) |
CVE-2018-13379 | Pre-auth arbitrary file read in Fortinet FortiGate SSL VPN |
CVE-2018-15961 | RCE in Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) |
CVE-2018-8581 | Microsoft Exchange Server privilege escalation |
CVE-2019-0604 | Microsoft SharePoint RCE |
CVE-2019-0708 | RCE in Windows Remote Desktop Services (RDS), known as BlueKeep |
CVE-2019-11510 | Pre-auth arbitrary file read in Pulse Secure SSL VPN |
CVE-2019-11580 | Atlassian Crowd RCE |
CVE-2019-19781 | RCE in Citrix Application Delivery Controller and Citrix Gateway |
CVE-2019-3398 | Confluence authenticated RCE |
CVE-2019-8394 | Pre-auth arbitrary file upload to Zoho ManageEngine ServiceDesk Plus |
CVE-2020-0688 | Microsoft Exchange RCE |
CVE-2020-10189 | Zoho ManageEngine Desktop Central RCE |
CVE-2020-1472 | Microsoft Active Directory (Netlogon) privilege escalation, known as Zerologon |
Workaround
System administrators should check their own asset inventory to determine whether any business system is affected by the 16 vulnerabilities above and install the corresponding vendor patches promptly. Where a patch cannot be applied immediately, the affected service (for example an SSL VPN or Exchange server) should at least be restricted at the network edge until it can be.
FireEye also released detection rules for the leaked Red Team tools. Administrators can load the YARA, Snort, ClamAV and IOC rules provided by FireEye into their own tooling for detection and blocking as their environment allows. For the mechanics of loading the rules, refer to the official documentation for each tool:
YARA: https://yara.readthedocs.io/en/stable/yarapython.html
SNORT: https://snort.org/documents
ClamAV: http://www.clamav.net/documents/clam-antivirus-user-manual
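Rule files are only useful once they are run against something. The short script below is an added example, written for this page and not taken from FireEye's repository or from NSFOCUS, that shows the same idea on web-server or SSL VPN access logs: it checks each request for the publicly documented exploitation paths of three of the pre-auth vulnerabilities in the table above (CVE-2018-13379, CVE-2019-11510 and CVE-2019-19781). The log lines are constructed for the example, the URL patterns are reproduced from the public advisories and should be checked against FireEye's Snort rules before use, and the double percent-decoding is an assumption made to catch encoded traversal sequences.

```python
"""Flag exploitation attempts against three SSL VPN path-traversal bugs in
combined-format access logs (added example; indicators are the publicly
documented exploit paths, log lines are constructed, not real traffic)."""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample log (combined log format). Four lines are attacks, two are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Dec/2020:10:01:02 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 1024 "-" "curl/7.64"
203.0.113.6 - - [08/Dec/2020:10:02:10 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 2048 "-" "python-requests/2.22"
203.0.113.7 - - [08/Dec/2020:10:03:15 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [08/Dec/2020:10:04:20 +0000] "POST /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Dec/2020:10:05:00 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
198.51.100.10 - - [08/Dec/2020:10:06:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Only the fields we need: source address, request method and URL, response status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_url(url):
    """Split the request URL into path and query and percent-decode both.
    Decoding twice is an assumption made to also catch double-encoded '..'."""
    path, _, query = url.partition("?")
    for _ in range(2):
        path, query = unquote(path), unquote(query)
    return path, query


def normalize(path):
    """Resolve '..' and repeated slashes the way a naive server-side join would."""
    return posixpath.normpath(path)


# Each detector sees the decoded path, the decoded query, and the normalized path.
def fortinet_fgt_lang(path, query, npath):
    # CVE-2018-13379: /remote/fgt_lang?lang=<traversal> reads sslvpn_websession.
    return path == "/remote/fgt_lang" and ".." in query


def pulse_guacamole(path, query, npath):
    # CVE-2019-11510: traversal through /dana/html5acc/guacamole/ reads any file.
    return "/dana/html5acc/guacamole/" in path and ".." in path


def citrix_vpns(path, query, npath):
    # CVE-2019-19781: a request under /vpn/ that resolves into /vpns/ after traversal.
    return path.startswith("/vpn/") and npath.startswith("/vpns/")


SIGNATURES = [
    ("CVE-2018-13379", "Fortinet FortiGate SSL VPN", fortinet_fgt_lang),
    ("CVE-2019-11510", "Pulse Secure SSL VPN", pulse_guacamole),
    ("CVE-2019-19781", "Citrix ADC / Gateway", citrix_vpns),
]


def scan(log_text):
    """Return (source, cve, product, raw_url) for every matching request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path, query = decode_url(m["url"])
        npath = normalize(path)
        for cve, product, check in SIGNATURES:
            if check(path, query, npath):
                hits.append((m["src"], cve, product, m["url"]))
    return hits


if __name__ == "__main__":
    for src, cve, product, url in scan(SAMPLE_LOG):
        print(f"{src}\t{cve}\t{product}\t{url}")
```

The point of decoding and normalizing before matching is that a plain substring rule on the raw URL misses the `%2e%2e` variant in the fourth line, while the normalized-path comparison for Citrix still catches it. Run against real logs, feed `scan()` the file contents and treat any hit from an address that is not a known scanner as an incident, since a 200 response to one of these requests usually means the file read or upload succeeded.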
NSFOCUS’s Recommendations
Based on the information available so far, NSFOCUS has taken emergency measures against the leaked Red Team tools.
As FireEye updates its rules, NSFOCUS will continue to follow up and update its detection and protection capabilities. Users are advised to watch for further updates.
- Detection and Protection for the Stolen Red Team Tools
To respond to potential attacks launched with the leaked tools, NSFOCUS has updated the NSFOCUS Threat Analysis Center (TAC) with the rule information disclosed by FireEye to provide users with detection and protection capabilities.
In addition, NSFOCUS Threat Intelligence (NTI) has ingested the IOCs of the leaked tools.
- Detection and Protection for Vulnerabilities Related to the Stolen Red Team Tools
Based on the list of vulnerabilities related to the stolen tools officially released by FireEye, NSFOCUS has confirmed that its products can detect and protect against all 16 vulnerabilities involved. Users who have deployed the following products should upgrade to the latest version as soon as possible.
Detection products:
- NSFOCUS Remote Security Assessment System (RSAS V6)
- NSFOCUS Intrusion Detection System (NIDS)
- NSFOCUS Unified Threat Sensor (UTS)
Protection products:
- NSFOCUS Intrusion Protection System (NIPS)
- NSFOCUS Web Application Firewall (WAF)
Platform products:
- NSFOCUS Threat Analysis and Management Platform (TAM)
- NSFOCUS Enterprise Security Platform (ESP-H)
- NSFOCUS Intelligent Security Operation Platform (ISOP)
For details of detection and protection upgrade packages of the above products against each vulnerability, see “Appendix A: Details of Related Vulnerability Detection and Protection”.
Implication
The unauthorized access to FireEye's Red Team tools recalls the repeated exposure of the Equation Group's arsenal a few years ago, which caused an uproar in the security community. Since then the world has seen first-hand how much damage the leak and spread of an offensive toolset can do: a considerable number of organizations still remember WannaCry, which was built on an exploit from that leaked arsenal.
Once spread, Red Team tools greatly lower the bar for potential attackers and upset the balance between attackers and defenders. Holders of similar tools should therefore pay attention to the following:
1. Store and preserve tools properly
In addition to physical storage security, tools should be encrypted at rest with strong encryption such as PGP. Then, even if the encrypted files are leaked, they cannot be decrypted and used without the key, which limits the harm of a leak. Note that this only holds if the keys are stored and protected separately from the tools.
2. Strengthen management
Strictly control access to these tools, restrict who may access them through authorization levels, and review access logs regularly to find abnormal access and operations.
3. Standardize personnel operations
After defining storage and management rules at the software level, strengthen personnel training so that non-compliant or careless operations do not lead to the leakage of sensitive tools.
This incident is another warning to security vendors. Everyone should pay more attention to the role of such an "arsenal" in the contest between offense and defense, strengthen internal management, improve response and handling capabilities, and work to prevent such incidents and reduce their aftermath.
- Appendix A: Details of Related Vulnerability Detection and Protection
CVE ID | NSFOCUS Product Rules | Upgrade Package Version |
CVE-2014-1812 | RSAS | System plug-in V6.0R02F01.2012 |
CVE-2016-0167 | RSAS | System plug-in V6.0R02F01.2011 |
CVE-2017-11774 | RSAS | System plug-in V6.0R02F01.2011 |
CVE-2017-11774 | IPS | 5.6.10.20655 |
CVE-2017-11774 | UTS | 5.6.10.20655 |
CVE-2018-13379 | RSAS | System plug-in V6.0R02F01.1812 |
CVE-2018-13379 | WAF | 6.0.7.0.46716/6.0.7.1.46716 Rule ID 27004981 fortios_lang_ptravel |
CVE-2018-15961 | RSAS | System plug-in V6.0R02F01.2011 |
CVE-2018-15961 | IPS | 5.6.10.24166 |
CVE-2018-15961 | WAF | "Illegal file upload protection" policy |
CVE-2018-15961 | UTS | 5.6.10.24166 |
CVE-2018-8581 | RSAS | System plug-in V6.0R02F01.2011 |
CVE-2018-8581 | IPS | 5.6.10.21152 |
CVE-2018-8581 | WAF | 6.0.7.0.46716/6.0.7.1.46716 Rule ID 27004964 exchange_privilege_elevation |
CVE-2018-8581 | UTS | 5.6.10.23542 |
CVE-2019-0604 | RSAS | System plug-in V6.0R02F01.2011 |
CVE-2019-0604 | IPS | 5.6.10.23040 |
CVE-2019-0604 | UTS | 5.6.10.23040 |
CVE-2019-0708 | RSAS | System plug-in V6.0R02F01.1411 |
CVE-2019-0708 | IPS | 5.6.10.20383 |
CVE-2019-0708 | UTS | 5.6.10.23542 |
CVE-2019-11510 | RSAS | System plug-in V6.0R02F01.1812 |
CVE-2019-11510 | IPS | 5.6.10.21238 |
CVE-2019-11510 | WAF | 6.0.7.0.46716/6.0.7.1.46716 Rule ID 27004979 pulse_abfile_read |
CVE-2019-11580 | RSAS | System plug-in V6.0R02F01.1505 |
CVE-2019-11580 | IPS | 5.6.10.24166 |
CVE-2019-11580 | WAF | "Illegal file upload protection" policy |
CVE-2019-11580 | UTS | 5.6.10.24166 |
CVE-2019-19781 | RSAS | System plug-in V6.0R02F01.1812 |
CVE-2019-19781 | IPS | 5.6.10.22558 |
CVE-2019-19781 | WAF | 6.0.7.0.46716/6.0.7.1.46716 Rule ID 27004971 citrix_gateway_ptravel |
CVE-2019-19781 | UTS | 5.6.10.23542 |
CVE-2019-3398 | RSAS | System plug-in V6.0R02F01.2011 |
CVE-2019-3398 | IPS | 5.6.10.24166 |
CVE-2019-3398 | WAF | 6.0.7.0.46716/6.0.7.1.46716 Rule ID 27004887 confluence_upload_path_travel |
CVE-2019-3398 | UTS | 5.6.10.24166 |
(CVE ID not given in source) | IPS | 5.6.10.19741 |
(CVE ID not given in source) | WAF | "Illegal file upload protection" policy |
(CVE ID not given in source) | UTS | 5.6.10.19741 |
CVE-2020-0688 | RSAS | System plug-in V6.0R02F01.2011 |
CVE-2020-0688 | IPS | 5.6.10.22068 |
CVE-2020-0688 | WAF | 6.0.7.0.46716/6.0.7.1.46716 Rule ID 27004936 exchange_deserialization_rce |
CVE-2020-0688 | UTS | 5.6.10.23542 |
CVE-2020-10189 | RSAS | System plug-in V6.0R02F01.2011 |
CVE-2020-10189 | IPS | 5.6.10.22284 |
CVE-2020-10189 | WAF | 6.0.7.0.46716/6.0.7.1.46716 Rule ID 27004940 zoho_central_deserialization |
CVE-2020-10189 | UTS | 5.6.10.23542 |
CVE-2020-1472 | RSAS | System plug-in V6.0R02F01.1917 |
CVE-2020-1472 | IPS | 5.6.10.23542 |
CVE-2020-1472 | UTS | 5.6.10.23542 |
- Appendix B: Product Use Guides
- Protection Configuration on NIPS
On NIPS, go to System > System Update > Offline Update, browse to the update package downloaded from NSFOCUS, and click Upload.
After the update is installed, look up the rule by its ID in the default rule base and view the rule details.
Note: After the update is installed, the engine restarts automatically for the rules to take effect. Existing sessions are not disconnected, but three to five packets may be lost during the restart (visible, for example, as dropped pings). Install the update at a suitable maintenance time.
- Protection Configuration on WAF
On WAF, choose System Management > System Tools > Rule Upgrade.
Under Manual Upgrade, browse to the upgrade package and click Submit.
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world's five largest financial institutions, organizations in insurance, retail, healthcare and critical infrastructure industries, as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries and is a member of both the Microsoft Active Protections Program (MAPP) and the Cloud Security Alliance (CSA).
A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.