This week’s admission by FireEye that a suspected nation-state made off with so-called red team test tools it uses to probe customers’ networks for vulnerabilities has made some infosec pros uneasy.
On the one hand, as many experts quickly noted, this wasn’t like the 2016–2017 Shadow Brokers leaks of NSA tooling, which publicly released working exploits the U.S. intelligence agency used to break into targets. FireEye describes the stolen goods as ranging from “simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit.”
Many of the tools have already been released to the infosec community, it added. FireEye also published what it says are hundreds of countermeasures and signatures so that IT teams can detect use of these tools by adversaries, in formats for the open-source Snort intrusion detection and prevention engine, the YARA malware classification engine and the ClamAV anti-virus engine. The rules and indicators of compromise can also be loaded into security information and event management (SIEM) platforms. Signatures match the tools as they were stolen, so they are a starting point for detection rather than proof of coverage.
However, the tools do exploit a number of widely known software vulnerabilities for which patches have been available for some time. Infosec leaders would be wise to confirm those patches are actually installed. The vulnerabilities, with their CVSS scores, are:
CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs – CVSS 10.0
CVE-2020-1472 – Microsoft Active Directory escalation of privileges – CVSS 10.0
CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN – CVSS 9.8
CVE-2018-15961 – RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) – CVSS 9.8
CVE-2019-0604 – RCE for Microsoft Sharepoint – CVSS 9.8
CVE-2019-0708 – RCE of Windows Remote Desktop Services (RDS) – CVSS 9.8
CVE-2019-11580 – Atlassian Crowd Remote Code Execution – CVSS 9.8
CVE-2019-19781 – RCE of Citrix Application Delivery Controller and Citrix Gateway – CVSS 9.8
CVE-2020-10189 – RCE for ZoHo ManageEngine Desktop Central – CVSS 9.8
CVE-2014-1812 – Windows Local Privilege Escalation – CVSS 9.0
CVE-2019-3398 – Confluence Authenticated Remote Code Execution – CVSS 8.8
CVE-2020-0688 – Remote Command Execution in Microsoft Exchange – CVSS 8.8
CVE-2016-0167 – local privilege escalation on older versions of Microsoft Windows – CVSS 7.8
CVE-2017-11774 – RCE in Microsoft Outlook via crafted document execution (phishing) – CVSS 7.8
CVE-2018-8581 – Microsoft Exchange Server escalation of privileges – CVSS 7.4
CVE-2019-8394 – arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus – CVSS 6.5
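Whether those patches are in place is a question only an organization's own inventory can answer. The script below is an added example, not FireEye's or the article author's code: it parses the list above exactly as printed, joins it against a constructed host inventory by product keyword (an assumed heuristic match on the summary text, not a vulnerability scan) and ranks the results so that internet-facing systems with a pre-auth or RCE bug come first regardless of raw CVSS. Host names, the inventory format and the keyword rules are assumptions for illustration.

```python
"""Triage the red-team-tool CVE list against a host inventory.

Added example; not FireEye's code. The inventory is constructed and the
product-keyword matching is a heuristic (assumption), not a vulnerability scan.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# The 16 vulnerabilities exactly as listed on the page, embedded so this runs offline.
CVE_LIST = """\
CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs – CVSS 10.0
CVE-2020-1472 – Microsoft Active Directory escalation of privileges – CVSS 10.0
CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN – CVSS 9.8
CVE-2018-15961 – RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) – CVSS 9.8
CVE-2019-0604 – RCE for Microsoft Sharepoint – CVSS 9.8
CVE-2019-0708 – RCE of Windows Remote Desktop Services (RDS) – CVSS 9.8
CVE-2019-11580 – Atlassian Crowd Remote Code Execution – CVSS 9.8
CVE-2019-19781 – RCE of Citrix Application Delivery Controller and Citrix Gateway – CVSS 9.8
CVE-2020-10189 – RCE for ZoHo ManageEngine Desktop Central – CVSS 9.8
CVE-2014-1812 – Windows Local Privilege Escalation – CVSS 9.0
CVE-2019-3398 – Confluence Authenticated Remote Code Execution – CVSS 8.8
CVE-2020-0688 – Remote Command Execution in Microsoft Exchange – CVSS 8.8
CVE-2016-0167 – local privilege escalation on older versions of Microsoft Windows – CVSS 7.8
CVE-2017-11774 – RCE in Microsoft Outlook via crafted document execution (phishing) – CVSS 7.8
CVE-2018-8581 – Microsoft Exchange Server escalation of privileges – CVSS 7.4
CVE-2019-8394 – arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus – CVSS 6.5
"""

# One line per CVE: id, free-text summary, CVSS score. The page uses en dashes;
# a plain hyphen is accepted as well.
LINE_RE = re.compile(
    r"^(CVE-\d{4}-\d{4,})\s+[–-]\s+(.+?)\s+[–-]\s+CVSS\s+(\d+(?:\.\d+)?)\s*$"
)
# Keyword heuristic (assumption): wording that indicates network reachability.
NETWORK_RE = re.compile(r"\brce\b|remote (?:code|command) execution|pre-auth")


@dataclass(frozen=True)
class Vuln:
    cve: str
    summary: str
    cvss: float

    @property
    def unauthenticated_remote(self) -> bool:
        """True when the summary reads as exploitable over the network without credentials."""
        s = self.summary.lower()
        return bool(NETWORK_RE.search(s)) and not re.search(r"\bauthenticated\b", s)


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float
    priority: str  # "P1" (patch now) .. "P3"


def parse_cve_list(text: str) -> List[Vuln]:
    """Parse lines in the page's format; blank or malformed lines are skipped."""
    vulns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            vulns.append(Vuln(m.group(1), m.group(2), float(m.group(3))))
    return vulns


def priority(vuln: Vuln, internet_facing: bool) -> str:
    # Exposure plus credential-free reachability outranks the raw CVSS number.
    if internet_facing and vuln.unauthenticated_remote:
        return "P1"
    if internet_facing or vuln.cvss >= 9.0:
        return "P2"
    return "P3"


def triage(vulns: List[Vuln], inventory: List[Dict]) -> List[Finding]:
    """Match each asset's product name against the CVE summaries and rank the hits."""
    findings = []
    for asset in inventory:
        product = asset["product"].lower()
        for v in vulns:
            if product in v.summary.lower():
                findings.append(Finding(asset["host"], v.cve, v.cvss,
                                        priority(v, asset["internet_facing"])))
    # P1 first, then highest CVSS, then by CVE id for a stable order.
    return sorted(findings, key=lambda f: (f.priority, -f.cvss, f.cve))


def unmatched_cves(vulns: List[Vuln], inventory: List[Dict]) -> List[str]:
    """CVEs no asset claims: either the product is not run, or the inventory is incomplete."""
    matched = {f.cve for f in triage(vulns, inventory)}
    return [v.cve for v in vulns if v.cve not in matched]


# Constructed inventory for illustration; replace with an asset-management export.
INVENTORY = [
    {"host": "vpn-edge-1", "product": "Pulse Secure", "internet_facing": True},
    {"host": "citrix-gw", "product": "Citrix", "internet_facing": True},
    {"host": "mail-1", "product": "Microsoft Exchange", "internet_facing": True},
    {"host": "dc-1", "product": "Active Directory", "internet_facing": False},
    {"host": "wiki", "product": "Confluence", "internet_facing": False},
    {"host": "build-agent-7", "product": "Windows", "internet_facing": False},
]

if __name__ == "__main__":
    parsed = parse_cve_list(CVE_LIST)
    for f in triage(parsed, INVENTORY):
        print(f"{f.priority}  {f.host:14} {f.cve:15} CVSS {f.cvss}")
    print("No inventory match:", ", ".join(unmatched_cves(parsed, INVENTORY)))
```

Two things the output shows that the list alone does not: CVSS ranks Zerologon (10.0) above the Exchange command-execution bug (8.8), but an internet-facing Exchange server is reachable by anyone, so it lands in P1 while the internal domain controller is P2; and the "no inventory match" line is itself a check, because if an organization runs FortiGate VPNs yet CVE-2018-13379 comes back unmatched, the inventory is wrong, not the risk.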
Ed Dubrovsky, the managing partner of Toronto-based incident response firm Cytelligence, noted that details of how the attack succeeded haven’t been revealed, and he suspects more was taken than FireEye thinks. “Threat actors are rarely that surgically precise unless this was an insider job,” he said in an email.
But, he added, the incident is indicative of the state of cybersecurity. “This is exactly what I keep on speaking about to the industry,” he said. “No tool guarantees 100 per cent safety from cyber attacks. I would actually evaluate the max effectiveness of any tool or combination of tools to have less than 60 per cent effectiveness.”
Infosec pros should respond to this incident the way they react to any threat: by assessing the risk to their digital assets, including those shared with partners. That includes:
- Educate – teach executives about the risks and why it matters to their business. This should also include employees, vendors, and anyone else connecting to your digital assets
- Build a strategy to address the risks – this should include both mitigation, and transfer of risks (e.g. Cyber insurance)
- Build relationships – establish relationships with the right firms to assist in times of crisis. Do not just buy a “retainer”; actually maintain dialogue and engagement. Treat these firms like doctors and your dialogues as though they are “check-ups”.
- Build policies and processes and appropriate oversight to ensure these are being complied with.
- Acquire technical tools – I am not going to delve into this item because the need for technical controls would be different between one organization and the next. Have an expert assess your posture, budget, the type of digital assets and ensure that your “locks on the doors” are appropriate and even whether the “doors” are needed.
“Do not bash a firm for being attacked,” Dubrovsky added. “This is happening on an alarmingly increasing scale and everyone is a target. The approach to managing risk should not change, unless an organization is spending far too little on securing their digital assets.”