I'm certain everyone reading this was just as shocked by the recent news about the FireEye breach as I was and is diligently trying to assess their current security posture in light of this information. As we at RSA validate and improve our coverage based upon the disclosed data, let us all not miss the larger picture at hand. By focusing on the details within FireEye's blog posts and GitHub countermeasures repository, we can digest the information published to make a dedicated plan for identifying the vulnerabilities these tools exploit and detecting use of the tools themselves within our environments.
It would be easy to miss what I consider a secondary information goldmine due to the sheer volume of signatures cataloged in various formats, and that is the prioritized list of vulnerabilities. Overall, there were 16 related Common Vulnerabilities and Exposures (CVEs) FireEye posted to GitHub which contain multiple remote code execution procedures for various platforms (to include Citrix, Manage Engine, and Confluence) and a few privilege escalation mechanisms:
- CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs - CVSS 10.0
- CVE-2020-1472 – Microsoft Active Directory escalation of privileges - CVSS 10.0
- CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN - CVSS 9.8
- CVE-2018-15961 – RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) - CVSS 9.8
- CVE-2019-0604 – RCE for Microsoft Sharepoint - CVSS 9.8
- CVE-2019-0708 – RCE of Windows Remote Desktop Services (RDS) - CVSS 9.8
- CVE-2019-11580 - Atlassian Crowd Remote Code Execution - CVSS 9.8
- CVE-2019-19781 – RCE of Citrix Application Delivery Controller and Citrix Gateway - CVSS 9.8
- CVE-2020-10189 – RCE for ZoHo ManageEngine Desktop Central - CVSS 9.8
- CVE-2014-1812 – Windows Local Privilege Escalation - CVSS 9.0
- CVE-2019-3398 – Confluence Authenticated Remote Code Execution - CVSS 8.8
- CVE-2020-0688 – Remote Command Execution in Microsoft Exchange - CVSS 8.8
- CVE-2016-0167 – local privilege escalation on older versions of Microsoft Windows - CVSS 7.8
- CVE-2017-11774 – RCE in Microsoft Outlook via crafted document execution (phishing) - CVSS 7.8
- CVE-2018-8581 - Microsoft Exchange Server escalation of privileges - CVSS 7.4
- CVE-2019-8394 – arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus - CVSS 6.5
What does all of this mean to us? The beauty is that we can lower our overall threat profile and take a driven approach by calculating the current risk within our organizations through reviewing vulnerability scan data, developing an action plan related to patching assets vulnerable to these CVEs, and continuing to assess the situation with an increased risk register applied to the items listed above (remembering asset + threat + vulnerability = risk). This may be a good time to consider a proactive attitude toward integrating this extremely valuable data into a SOAR solution that can ingest, categorize, report, and respond to these indicators in an automated, vendor-agnostic fashion through robust integrations (e.g., RSA NetWitness Orchestrator).
I would also be remiss if I didn’t take the opportunity to discuss the exemplary effort made by Lee Kirkpatrick in his ‘Profiling Attackers Series’ where he covers many of the exploitation frameworks FireEye leveraged as part of their red-team engagements. We know the vast majority (approximately 83%) of these disclosed tools were free and open-source projects and these posts go through a great deal of information on how to detect this nefarious activity within your environments.
At RSA we strive to provide cutting-edge technologies that not only offer unparalleled endpoint, log, network, and behavioral visibility to detect and respond to emerging threats but also provide updated content whenever available to make our customers’ jobs easier and their efforts more impactful. This is no exception. Please see our post highlighting initial detections for more information FireEye Breach - Implementing Countermeasures in RSA NetWitness.