Unauthorized Access of FireEye Red Team Tools Protection Solution

Unauthorized Access of FireEye Red Team Tools Protection Solution

January 11, 2021 | Mina Hao

Overview

On December 8, 2020, FireEye, a cybersecurity company, posted a blog stating that its internal network was attacked by a sophisticated organization and that FireEye Red Team tools were stolen.

According to FireEye, the stolen Red Team tools were mainly used to provide its customers with basic penetration testing services and did not contain zero-day exploits or unknown techniques. The tools involved include open-source tools, secondary development versions of open-source tools, and some independently developed weaponized tools. In terms of usage, the tools basically cover the various stages of the life cycle of attacks, such as persistence, privilege escalation, defense bypass, credential acquisition, information collection within the domain, and lateral movement. Some of these tools have already been released to the community and are already distributed in our open-source virtual machine, CommandoVM.

The stolen Red Team tools are like a time bomb. Whether the attacker uses them himself or publicly discloses them, the tools will become a major threat. Therefore, in order to enable organizations to take measures in advance, FireEye has issued countermeasures. NSFOCUS immediately analyzed the countermeasures disclosed by FireEye. Now, it can provide detection and protection capabilities against the stolen tools and the vulnerabilities involved.

Reference link:

https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html

Technical Solutions

FireEye’s Countermeasures

  • Rules for Detecting the Stolen Tools

To help organizations identify the malicious exploit of the stolen tools, FireEye has published the detection rules for the stolen tools at GitHub. The current 311 detection rules include 165 in Yara, 34 in Snort, 88 in IOC, and 24 in ClamAV. The GitHub repository will continue to be updated. Please refer to the following link: https://github.com/fireeye/red_team_tool_countermeasures

  • Vulnerabilities Involved in the Stolen Tools

The GitHub repository published by FireEye has also disclosed 16 known vulnerabilities related to the stolen tools, which affect operating systems as well as applications and network equipment commonly used by enterprises. To fix these vulnerabilities can effectively prevent the Red Team tools from working.

The vulnerabilities are listed in the following table:

CVE IDVulnerability
CVE-2014-1812Windows local privilege escalation
CVE-2016-0167Local privilege escalation on older versions of Microsoft Windows
CVE-2017-11774RCE in Microsoft Outlook via crafted document execution (phishing)
CVE-2018-13379Pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN
CVE-2018-15961RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell)
CVE-2018-8581Microsoft Exchange Server privilege escalation
CVE-2019-0604Microsoft Sharepoint RCE
CVE-2019-0708RCE of Windows Remote Desktop Services (RDS)
CVE-2019-11510Pre-auth arbitrary file reading from Pulse Secure SSL VPNs
CVE-2019-11580Atlassian Crowd RCE
CVE-2019-19781RCE of Citrix Application Delivery Controller and Citrix Gateway
CVE-2019-3398Confluence authenticated RCE
CVE-2019-8394Arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus
CVE-2020-0688Microsoft Exchange RCE
CVE-2020-10189ZoHo ManageEngine Desktop Central RCE
CVE-2020-1472Microsoft Active Directory privilege escalation
https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md

Workaround

It is recommended that system administrators determine whether the business system is affected by the 16 vulnerabilities involved in the Red Team tools based on their own assets, and install corresponding patches in time for protection.

FireEye also released multiple detection rules for detecting the leaked Red Team tools. Administrators can use the rules in Yara, Snort or ClamAV provided by FireEye for detection and protection according to their own conditions. For specific operations, please refer to the official guidance documents at the following links:

YARA: https://yara.readthedocs.io/en/stable/yarapython.html

SNORT: https://snort.org/documents

ClamAV: http://www.clamav.net/documents/clam-antivirus-user-manual

NSFOCUS’s Recommendations

Based on existing information, NSFOCUS has taken emergency measures against the leaked Red Team tools.

With the update of FireEye’s rules, NSFOCUS will continue to follow up and provide detection and protection capabilities. Users are advised to stay tuned.

  • Detection and Protection for the Stolen Red Team Tools

In order to respond to potential malicious attacks launched by the leak tools, NSFOCUS has updated the NSFOCUS Threat Analysis Center (TAC) based on the rule information disclosed by FireEye to provide users with detection and protection capabilities.

http://update.nsfocus.com/update/listTacDetail/v/ruleV2.0.2

Besides, NSFOCUS Threat Intelligence (NTI) has included and supported the IOC of the leaked tools.

https://nti.nsfocus.com/
  • Detection and Protection for Vulnerabilities Related to the Stolen Red Team Tools

Based on the list of vulnerabilities related to the stolen tools officially released by FireEye, NSFOCUS has confirmed that its products can detect and protect against all the 16 vulnerabilities involved. It is recommended that users who have deployed the following devices upgrade to the latest version as soon as possible.

Detection products: NSFOCUS Remote Security Assessment System (RSAS V6), NSFOCUS Intrusion Detection System (NIDS), and NSFOCUS Unified Threat Sensor (UTS)

  • Remote Security Assessment System (RSAS V6)
http://update.nsfocus.com/update/listRsas
  • NSFOCUS Intrusion Detection System (NIDS)
http://update.nsfocus.com/update/listIds
  • Unified Threat Sensor (UTS)
http://update.nsfocus.com/update/bsaUtsIndex

Protection products: NSFOCUS Intrusion Protection System (NIPS) and NSFOCUS Web Application Firewall (WAF)

  • NSFOCUS Intrusion Protection System (NIPS)
http://update.nsfocus.com/update/listIps
  • NSFOCUS Web Application Firewall (WAF)
http://update.nsfocus.com/update/wafIndex

Platform products:

  • NSFOCUS Threat Analysis and Management Platform (TAM)
https://www.nsfocus.com.cn/html/2019/210_1009/63.html
  • NSFOCUS Enterprise Security Platform (ESP-H)
https://www.nsfocus.com.cn/html/2019/209_1230/96.html
  • NSFOCUS Intelligent Security Operation Platform (ISOP)
http://update.nsfocus.com/update/isopIndex

For details of detection and protection upgrade packages of the above products against each vulnerability, see “Appendix A: Details of Related Vulnerability Detection and Protection”.

Implication

The case of unauthorized access of FireEye Red Team tools is easily reminiscent of the multiple exposures of the “Formula Organization” Arsenal in the past few years. The latter also caused an uproar in the field of cybersecurity. Since then, the impact and harm caused by the leakage and spread of network arsenal has been truly exposed around the world. After all, a considerable number of people have experienced the fear of being dominated by WannaCry.

Once spread, the Red Team tools will greatly facilitate potential attackers and severely disrupt the balance between attackers and defenders. Therefore, holders of similar tools should be more careful in the following aspects:

1. Properly store and preserve tools

In addition to physical storage security, tools can also be encrypted through hard encryption methods such as PGP. In this way, even if the tools are leaked, they cannot be decrypted and used, which can effectively reduce the leakage harm.

2. Strengthen management

Strictly manage the access control of these tools, and restrict the access personnel by setting the authority level. At the same time, query access records at any time via logs to find abnormal access and operations.

3. Standardize personnel operations

After setting the software-level storage and management specifications, it is necessary to strengthen personnel training to avoid non-compliant and improper operations, which may lead to the leakage of similar sensitive tools.

This leakage incident once again alarms security vendors. Everyone should pay more attention to the role of similar “Arsenal” in the games of offense and defense, strengthen relevant internal management, improve response and processing capabilities, and avoid such incidents and reduce the aftermath.

  • Appendix A: Details of Related Vulnerability Detection and Protection
CVE IDNSFOCUS Product RulesUpgrade Package Version
CVE-2014-1812RSASSystem plug-in V6.0R02F01.2012
CVE-2016-0167RSASSystem plug-in V6.0R02F01.2011
CVE-2017-11774RSASSystem plug-in V6.0R02F01.2011
IPS5.6.10.20655
UTS5.6.10.20655
CVE-2018-13379RSASSystem plug-in V6.0R02F01.1812
WAF6.0.7.0.46716/6.0.7.1.46716
Rule ID27004981 fortios_lang_ptravel
CVE-2018-15961RSASSystem plug-in V6.0R02F01.2011
IPS5.6.10.24166
WAF“Illegal file upload protection” policy
UTS5.6.10.24166
CVE-2018-8581RSASSystem plug-in V6.0R02F01.2011
IPS5.6.10.21152
WAF6.0.7.0.46716/6.0.7.1.46716
Rule ID27004964 exchange_privilege_elevation
UTS5.6.10.23542
CVE-2019-0604RSASSystem plug-in V6.0R02F01.2011
IPS5.6.10.23040
UTS5.6.10.23040
CVE-2019-0708RSASSystem plug-in V6.0R02F01.1411
IPS5.6.10.20383
UTS5.6.10.23542
CVE-2019-11510RSASSystem plug-in V6.0R02F01.1812
IPS5.6.10.21238
WAF6.0.7.0.46716/6.0.7.1.46716
Rule ID27004979 pulse_abfile_read
CVE-2019-11580RSASSystem plug-in V6.0R02F01.1505
IPS5.6.10.24166
WAF“Illegal file upload protection” policy
UTS5.6.10.24166
CVE-2019-19781RSASSystem plug-in V6.0R02F01.1812
IPS5.6.10.22558
WAF6.0.7.0.46716/6.0.7.1.46716
Rule ID27004971 citrix_gateway_ptravel
UTS5.6.10.23542
CVE-2019-3398RSASSystem plug-in V6.0R02F01.2011
IPS5.6.10.24166
WAF6.0.7.0.46716/6.0.7.1.46716
Rule ID27004887 confluence_upload_path_travel
UTS5.6.10.24166
IPS5.6.10.19741
WAF“Illegal file upload protection” policy
UTS5.6.10.19741
CVE-2020-0688RSASSystem plug-in V6.0R02F01.2011
IPS5.6.10.22068
WAF6.0.7.0.46716/6.0.7.1.46716
Rule ID27004936 exchange_deserialization_rce
UTS5.6.10.23542
CVE-2020-10189RSASSystem plug-in V6.0R02F01.2011
IPS5.6.10.22284
WAF6.0.7.0.46716/6.0.7.1.46716
Rule ID27004940 zoho_central_deserialization
UTS5.6.10.23542
CVE-2020-1472RSASSystem plug-in V6.0R02F01.1917
IPS5.6.10.23542
UTS5.6.10.23542
  • Appendix B: Product Use Guides
  • Protection Configuration on NIPS

On NIPS, under System > System Update > Offline Update, browse to the update file just downloaded and click Upload.

After the update is installed, find the rule by ID in the default rule base and view rule details.

Note: After the update is installed, the engine automatically restarts to make it take effect, which does not disconnect any sessions, but may cause the loss of three to five packets during ping operations. Therefore, it is recommended that the update be installed at an appropriate time.

  • Protection Configuration on WAF

On WAF, choose System Management > System Tools > Rule Upgrade.

Under Manual Upgrade, browse to the upgrade package and click Submit.

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.