This week, FireEye’s proprietary red team tools (pen-testing and hacking tools) were stolen. It appears the attack was executed by a highly advanced nation-state threat group that breached FireEye systems using “novel” and “previously unseen” techniques.
This successful attack has critical implications. A new set of sophisticated hacking tools has joined the cyberattack arena, giving skilled threat actors a powerful new way to target attack surface weaknesses, vulnerabilities, and exposures worldwide. While these hijacked red team tools did not contain any 0-day exploits, they put digital assets outside the firewall (web apps, devices, services, and pages) in immediate jeopardy.
RiskIQ's unique internet-wide visibility gives our customers an advantage in protecting their attack surfaces from this newly heightened threat. Our Illuminate Platform finds digital assets connected to an organization outside their internal network, providing visibility into those that may be vulnerable to attacks, including their critical CVEs.
In response to the breach, FireEye provided over 300 detection countermeasures to the community to assist in detection, including network (Snort), antivirus (ClamAV), and host (YARA) signatures. These signatures, which have been implemented in RiskIQ’s global discovery systems, can be used by defenders for retrospective threat hunting and active detection.
Additionally, FireEye released a prioritized list of the CVEs that these stolen tools exploit, which all organizations should address immediately. RiskIQ’s research team is continuing to refine our signatures to ensure more granular detection capabilities for the CVEs in question.
Each of these CVEs, listed below, is covered in a new RiskIQ dashboard:
- CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs – CVSS 10.0
- CVE-2020-1472 – Microsoft Active Directory escalation of privileges – CVSS 10.0
- CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet FortiGate SSL VPN – CVSS 9.8
- CVE-2018-15961 – RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) – CVSS 9.8
- CVE-2019-0604 – RCE for Microsoft SharePoint – CVSS 9.8
- CVE-2019-0708 – RCE of Windows Remote Desktop Services (RDS) – CVSS 9.8
- CVE-2019-11580 – Atlassian Crowd remote code execution – CVSS 9.8
- CVE-2019-19781 – RCE of Citrix Application Delivery Controller and Citrix Gateway – CVSS 9.8
- CVE-2020-10189 – RCE for Zoho ManageEngine Desktop Central – CVSS 9.8
- CVE-2014-1812 – Windows local privilege escalation – CVSS 9.0
- CVE-2019-3398 – Confluence authenticated remote code execution – CVSS 8.8
- CVE-2020-0688 – remote command execution in Microsoft Exchange – CVSS 8.8
- CVE-2016-0167 – local privilege escalation on older versions of Microsoft Windows – CVSS 7.8
- CVE-2017-11774 – RCE in Microsoft Outlook via crafted document execution (phishing) – CVSS 7.8
- CVE-2018-8581 – Microsoft Exchange Server escalation of privileges – CVSS 7.4
- CVE-2019-8394 – arbitrary pre-auth file upload to Zoho ManageEngine ServiceDesk Plus – CVSS 6.5
RiskIQ gives our customers the most up-to-date attack surface intelligence, and our research team creates new detections daily to stay ahead of risks and threats.
RiskIQ's global web app index is the most comprehensive library of components and applications, so customers can find relevant attack surface targets—applications, services, devices, and code—not just IP addresses.
RiskIQ Delivers Global Real-time Attack Surface Intelligence
RiskIQ provides full attack surface intelligence—including the app and service layers—needed to find many of the CVEs listed by FireEye, along with other exposures and risk factors.
Powered by our Global Collection Network and Attack Surface Intelligence, RiskIQ collects and graphs real-world observations. Our Internet Intelligence Graph captures real risks and threats that scanners miss, drawing on PassiveDNS, domain records, WHOIS, open ports and service discovery, deep/dark web sources, certificates, application behavior, and more than 50 other data sets.
Join the RiskIQ Community for threat intelligence and indicators across the global attack surface.