On December 8, 2020, FireEye disclosed theft of their Red Team assessment tools. These tools are used by FireEye to test and validate the security posture of their customers. According to FireEye, the hackers now have an influential collection of new techniques to draw upon. It is unclear today if the attackers intend to use the tools themselves or if they intend to release the tools publicly in some way.
“The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination,” said Kevin Mandia, CEO of FireEye. However, the stolen tools did not contain zero-day exploits.
In response to the breach, FireEye has provided Red Team tool countermeasures which are available on GitHub. These countermeasures include rules in multiple formats such as Snort, Yara, ClamAV and HXIOC. Since none of the leaked tools leverage zero-day attacks, FireEye also provided a listing of the CVEs used by these tools.
An analysis of these tools shows that the functionality and capabilities may mimic some existing red team tools such as Metasploit or Cobalt Strike. Similar to how the Shadow Brokers leak led to outbreaks such as WannaCry, it is possible that this breach could lead to other commodity malware leveraging these capabilities. Any time there is high-fidelity threat intelligence such as the countermeasures provided by FireEye, it is important to look at it under the lens of how you can protect your organization going forward, as well as how you can validate if this has been used in your organization previously.
Mitigation & Protection
Snort is an open-source intrusion prevention system (IPS) which uses an open format for its rule structure. While many companies use the open-source version of Snort, commercial IPS tools are also able to leverage the Snort rule format. Most of these rules are tuned to specifically look for beacon traffic or components of remote access tools. If your organization is using an IPS or IDS, you should plug in these signatures to look for evidence of future exploitation.
ClamAV is an open-source antivirus engine which is now owned by Cisco. To prevent these tools from executing on the endpoint, the provided signatures can be imported into this AV engine or any other antivirus which uses the ClamAV engine.
Yara was designed by VirusTotal to help malware researchers both identify and classify malware samples. Yara can be used as a standalone scanning engine and is also built into many endpoint security products. The provided rules can be imported into many endpoint security tools to match and block future execution of known malware.
Another important aspect for preventing the usage of these red teaming tools in your environment is to address the vulnerabilities they are known to exploit. There are 16 vulnerabilities which have been prioritized based on the CVSS score associated with them. Using a vulnerability management product such as Qualys VMDR, you can proactively search which endpoints or devices have these vulnerabilities and deploy patches or configuration fixes to resolve them before an adversary has a chance to exploit them.
Hunting for evidence of a breach is just as important as trying to prevent the breach. Two of the components FireEye released to help this search are HXIOC and Yara rules. These help define what triggers to look for to make the determination if the organization has been breached by these tools.
The HXIOC rules provided are based on the OpenIOC format originally created by Mandiant. These are similar to the STIX and CyBOX formats maintained by OASIS. The rules provided by FireEye call out many process names and associated command line arguments which can be used to hunt for the evidence of an attack.
By using the provided all-rules Yara file, which combines all of the Yara countermeasures, you can scan multiple directories with the standalone Yara engine by issuing “yara -r all-rules.yara <path>”, where <path> is the location you want to recursively scan.
Alternatively, VirusTotal also has a useful API called RetroHunt which allows you to scan files submitted within the last 12 months. Florian Roth has gone through and submitted all of the provided Yara rules to RetroHunt and created a Google Sheets document containing all of the detections. In this document you can see valuable information such as the number of detections and file hashes for each of the detected samples.
Detect 16 Publicly Known Vulnerabilities using Qualys VMDR
Here is a prioritized list of the CVEs published on GitHub by FireEye:
| CVE ID | Name | CVSS | Qualys QID(s) |
|---|---|---|---|
| CVE-2019-11510 | Pre-auth arbitrary file reading from Pulse Secure SSL VPNs | 10 | 38771 |
| CVE-2020-1472 | Microsoft Active Directory escalation of privileges | 10 | 91688 |
| CVE-2018-13379 | Pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN | 9.8 | 43702 |
| CVE-2018-15961 | RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) | 9.8 | 371186 |
| CVE-2019-0604 | RCE for Microsoft Sharepoint | 9.8 | 110330 |
| CVE-2019-0708 | RCE of Windows Remote Desktop Services (RDS) | 9.8 | 91541, 91534 |
| CVE-2019-11580 | Atlassian Crowd Remote Code Execution | 9.8 | 13525 |
| CVE-2019-19781 | RCE of Citrix Application Delivery Controller and Citrix Gateway | 9.8 | 150273, 372305 |
| CVE-2020-10189 | RCE for ZoHo ManageEngine Desktop Central | 9.8 | 372442 |
| CVE-2014-1812 | Windows Local Privilege Escalation | 9 | 91148, 90951 |
| CVE-2019-3398 | Confluence Authenticated Remote Code Execution | 8.8 | 13475 |
| CVE-2020-0688 | Remote Command Execution in Microsoft Exchange | 8.8 | 50098 |
| CVE-2016-0167 | Local privilege escalation on older versions of Microsoft Windows | 7.8 | 91207, 91204 |
| CVE-2017-11774 | RCE in Microsoft Outlook via crafted document execution (phishing) | 7.8 | 110306 |
| CVE-2018-8581 | Microsoft Exchange Server escalation of privileges | 7.4 | 53018 |
| CVE-2019-8394 | Arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus | 6.5 | 374547 |
Qualys released several remote and authenticated QIDs for CVEs published by FireEye. You can search for these QIDs in VMDR Dashboard by using the following QQL query:
vulnerabilities.vulnerability.qid: [38771, 91688, 43702, 371186, 110330, 91541, 91534, 13525, 150273, 372305, 372442, 91148, 90951, 13475, 50098, 91207, 91204, 110306, 53018, 374547]
Identify Vulnerable Assets using Qualys Threat Protection
In addition, Qualys customers can locate vulnerable hosts through Qualys Threat Protection by simply clicking on the impacted hosts. This helps in effectively identifying and tracking these vulnerabilities.
With the VMDR Dashboard, you can track these 16 publicly known vulnerabilities, their impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerability trends in your environment using the FireEye Theft Top 16 CVEs & IOC Hashes dashboard.
Hunting in Endpoint Detection and Response (EDR)
There are two components to hunt for evidence of these tools using the Qualys EDR. The first is looking for evidence of the files from the provided Yara signatures. Qualys has taken the file hashes from the RetroHunt tool and created a dashboard. With a single click you can find evidence of any matches in your environment.
The second component is hunting for evidence of the processes outlined in the OpenIOC signatures. While these signatures cannot be imported directly into Qualys EDR, the Qualys Labs team is converting these into Qualys Query Language (QQL) which can be used in the Qualys EDR hunting page. An example provided here shows hunting for this Seatbelt signature. In the coming days, these hunting queries will be available to all Qualys EDR customers.
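As an added illustration of how an OpenIOC process indicator of the kind described above (process name plus command-line argument) is evaluated against endpoint telemetry, here is example code written for this post; it is not Qualys's or FireEye's code, and the indicator XML, its id and the process records are constructed placeholders, not one of the released HXIOC rules.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.mandiant.com/2010/ioc}"

# Constructed OpenIOC 1.0 fragment (placeholder values, not a FireEye rule):
# an AND of a process name and a command-line argument.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="00000000-0000-0000-0000-000000000000">
  <definition>
    <Indicator operator="AND">
      <IndicatorItem condition="contains">
        <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
        <Content type="string">sample-tool.exe</Content>
      </IndicatorItem>
      <IndicatorItem condition="contains">
        <Context document="ProcessItem" search="ProcessItem/arguments" type="mir"/>
        <Content type="string">-placeholder-flag</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""

# Constructed process telemetry (as exported from an EDR), keyed by OpenIOC search term.
SAMPLE_PROCESSES = [
    {"ProcessItem/name": "notepad.exe", "ProcessItem/arguments": "notepad.exe C:\\notes.txt"},
    {"ProcessItem/name": "sample-tool.exe", "ProcessItem/arguments": "sample-tool.exe -placeholder-flag"},
    {"ProcessItem/name": "sample-tool.exe", "ProcessItem/arguments": "sample-tool.exe -h"},
]

def _item_matches(item, process):
    # One IndicatorItem: compare the named field using its condition (case-insensitive).
    search = item.find(NS + "Context").get("search")
    needle = (item.find(NS + "Content").text or "").lower()
    value = process.get(search, "").lower()
    cond = item.get("condition", "is")
    if cond == "is":
        return value == needle
    if cond == "contains":
        return needle in value
    raise ValueError(f"unsupported condition: {cond}")

def _indicator_matches(node, process):
    # Indicator nodes combine their children with AND/OR and may nest.
    results = [(_indicator_matches if c.tag == NS + "Indicator" else _item_matches)(c, process)
               for c in node if c.tag in (NS + "Indicator", NS + "IndicatorItem")]
    return all(results) if node.get("operator", "OR").upper() == "AND" else any(results)

def hunt(ioc_xml, processes):
    """Return the process records that satisfy any top-level Indicator of the IOC."""
    definition = ET.fromstring(ioc_xml).find(NS + "definition")
    return [p for p in processes if any(_indicator_matches(i, p) for i in definition)]
```

Only the record whose name and arguments both match is returned; a matching name with different arguments is not a hit, which is why the AND structure matters when converting such rules into a query language.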
Get Started Now
Start your Qualys VMDR trial to automatically identify, detect and patch the high-priority publicly known vulnerabilities.
Start your Qualys EDR trial to protect the entire attack chain, from attack and breach prevention to detection and response using the power of the Qualys Cloud Platform – all in a single, cloud-based app.
Start your Qualys Threat Protection trial to access the Live Threat Intelligence Feed that displays the latest vulnerability disclosures and maps them to your impacted IT assets. You can see the number of assets affected by each threat, and drill down into asset details.