The IT security company FireEye has been hacked. The perpetrators were aiming for customer data, but then used the company’s offensive arsenal. IT managers all over the world are now busy. “Based on my 25 years in IT security (…) I have come to the conclusion that we are observing the attack of a state with the highest level of attack capabilities”, FireEye boss Kevin Mandia had to admit. “This attack differs from the tens of thousands of incidents that we’ve reacted to over the years. ”
The attackers had coordinated their approach to FireEye and proceeded “with discipline and focus”. “They used a new combination of techniques that we and our partners hadn’t seen before,” writes Mandia in the company blog. So far, no active use of the captured attack tools has been noticed. FireEyes share price has fallen more than seven percent after the after-hours trading slump was announced.
Suspicion falls on Russia
Between the lines, FireEye accuses Russian services of the act. The US is hardly suspect as it has long had a direct stake in FireEye In-Q-Tel, the CIA’s venture capital arm. “In line with government espionage efforts, the attacker primarily sought information about specific governments (which FireEyes customers are),” said Mandia. As far as known so far, the attacker was unable to extract data about customers and their IT systems from FireEyes systems. FireEye will contact those affected directly if there are any indications.
Instead, the perpetrators have obtained the tools that FireEyes Red Team uses to run authorized pentests on behalf of customers. How bad that is cannot yet be estimated. If the information from FireEyes is correct, it should be less bad than the break-ins at the NSA four years ago. A group called Shadow Brokers subsequently released NSA tools, which infected hundreds of thousands of Windows computers.
FireEye states that the attackers did not capture zero day exploits or fundamentally new hacking techniques. “The stolen tools range from simple scripts for automated exploration to entire frameworks that resemble publicly available technology,” says Mandia. But “other tools and frameworks that we have developed ourselves for our Red Team” also got into the hands of the attackers.
The scope should be impressive. FireEye already has 300 pieces of advice for concrete action publishedwhich should make it easier to discover the use of the stolen tools. Further suggestions are to follow.
In any case, updates for these security vulnerabilities should be installed immediately:
- CVE-2014-1812 – Windows Local Privilege Escalation
- CVE-2019-0708 – RCE of Windows Remote Desktop Services (RDS)
- CVE-2017-11774 – RCE in Microsoft Outlook via crafted document execution (phishing)
- CVE-2018-15961 – RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell)
- CVE-2019-19781 – RCE of Citrix Application Delivery Controller and Citrix Gateway
- CVE-2019-3398 – Confluence Authenticated Remote Code Execution
- CVE-2019-11580 – Atlassian Crowd Remote Code Execution
- CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN
- CVE-2020-0688 – Remote Command Execution in Microsoft Exchange
- CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs
- CVE-2019-0604 – RCE for Microsoft Sharepoint
- CVE-2020-10189 – RCE for ZoHo ManageEngine Desktop Central
- CVE-2019-8394 – arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus
- CVE-2016-0167 – local privilege escalation on older versions of Microsoft Windows
- CVE-2020-1472 – Microsoft Active Directory escalation of privileges
- CVE-2018-8581 – Microsoft Exchange Server escalation of privileges
How long the hackers in FireEyes network could remain undetected and when the break-in was discovered, Mandia does not reveal. His company has prominent clients including several governments. FireEye receives particular attention when it is called for assistance after particularly large hacks. This was the case, for example, when hackers cracked the data jackpot at Credit Bureau Equifax, or after the Sony Pictures hack.