December 17, 2020 - Anomali Threat Research

FireEye, SolarWinds Hacks Show that Detection is Key to Solid Defense

<p>Several years back, industry analyst firm Gartner began circulating the idea that almost every major enterprise and government agency was either compromised or would be compromised at some point in time. This week, when we woke up to the news that FireEye and SolarWinds had joined the ranks of the hacked, we learned once again that Gartner was right. Even companies with advanced security expertise and expansive resources can’t escape this inevitable fact of digital life.</p> <p>Forensic experts and news outlets are now following the trail of digital clues, trying to make sense of how both companies ended up on the hacked side of the equation. At a high level, we know that FireEye was compromised by a <a href="https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" target="_blank">state-sponsored adversary</a>. In the case of SolarWinds, it is looking like an adversary was able to dwell in victims’ networks for as long as nine months and that the prime suspect is the <a href="https://www.reuters.com/article/global-cyber/u-s-homeland-security-thousands-of-businesses-scramble-after-suspected-russian-hack-idUSKBN28O1Z3" target="_blank">Kremlin</a>.</p> <p>There are undoubtedly many organizations wondering if they are caught up in the attacks, either by design or indirectly. Fortunately, those that have effective threat detection capabilities in place can utilize the information FireEye, SolarWinds, Anomali and other threat research organizations are providing to determine if they’ve been hit.</p> <p>Anomali customers are already ahead of the game. As soon as the world becomes aware of an attack, Anomali Threat Research immediately front-loads Anomali ThreatStream with a threat bulletin that provides a detailed and concise narrative of the situation along with a comprehensive list of the known indicators of compromise (IOCs). 
Once added, information relevant to the incident (IOCs, reports from the security community, signatures, etc.) is automatically delivered to customers. This gives them the ability to automate threat detection and blocking across their security controls, including EDR, firewalls, and SIEM. In addition, customers using Anomali Match, our threat detection and response product, are able to use the threat intelligence to do a retrospective search back to when the threat was active, getting real-time results showing whether the threat was seen in their network at that time.</p> <p>To give threat intelligence and security operations analysts a look at what an Anomali threat bulletin looks like, we’ve added the first version of the FireEye threat bulletin to this blog. We are happy to discuss more deeply how Anomali customers are using this information and continual updates to detect the presence of related IOCs in their environments. Reach us at <a href="mailto:general@anomali.com">general@anomali.com</a>.</p> <p>For a more in-depth conversation on the incident and how threat intelligence aids in detection, listen to this week’s <a href="{page_5164}">Anomali Detect Podcast</a>.</p> <p><img alt="" src="https://cdn.filestackcontent.com/hCKuGN7RnBkprMvv2NQb"/></p> <h2>Key Findings</h2> <ul> <li>Unknown, sophisticated actors stole more than 300 FireEye Red Team tools and countermeasures (signatures) on an unspecified date.</li> <li>An unnamed source for The Washington Post claimed Cozy Bear (APT29) is responsible, but provided no evidence.</li> <li>Actor(s) were also interested in FireEye customers, specifically government entities.</li> <li>The Red Team countermeasures consisted of custom versions of known tools, a prioritized Common Vulnerabilities and Exposures (CVE) list, and malware signatures in ClamAV, HXIOC, Snort, and YARA languages.</li> <li>The stolen tools could be customized by actors, just as the FireEye Red Team did to existing tools.</li> 
</ul> <h2>Overview</h2> <p>On December 8, 2020, US-based cybersecurity firm FireEye stated that a sophisticated threat actor gained unauthorized access to its Red Team (penetration testing) tools.<sup>[1]</sup> FireEye CEO Kevin Mandia believes that a state-sponsored actor specifically targeted FireEye for an attack that utilized “world-class capabilities.”<sup>[2]</sup> As of this writing, the specific time the incident occurred was not reported. However, an unnamed source for Thomson Reuters claimed that the company had been resetting passwords for the past two weeks.<sup>[3]</sup></p> <h2>Details</h2> <p>On an unspecified date, unknown actors used a combination of commodity and new techniques to steal more than 300 tools that FireEye uses in simulated attacks.<sup>[4]</sup> The countermeasures include custom Red Team tools, a list of CVEs, and numerous signatures in ClamAV, HXIOC, Snort, and YARA languages.<sup>[5]</sup> Given the sophisticated nature of the attack, we assess it very likely, although we cannot confirm it at this time, that the actors conducted a reconnaissance phase before carrying out the theft. In response to the breach, FireEye released its countermeasure signatures to the public so security enterprises could proactively defend themselves against what is likely to be an ongoing threat posed by these Red Team tools.<sup>[6]</sup> In addition to stealing Red Team tools, the actors also appeared interested in learning more about FireEye’s government clients.<sup>[7]</sup> This is a strategy consistent with state-sponsored actors, as observed in previous breaches of Bit9, Kaspersky Lab, and RSA, where actors stole intelligence that could be used to bypass then-existing security features.<sup>[8]</sup></p> <p>While Anomali Threat Research has not been able to determine attribution based on our currently available sources, others contend that Russian intelligence services may be responsible because of the actors’ interest in government customers. 
An unnamed source for The Washington Post claimed that Cozy Bear (APT29, CozyDuke, TheDukes) is behind the attack, but provided no evidence to support this claim.<sup>[9]</sup></p> <p>In addition to the theft of Red Team tools, it appears that the actors were interested in other companies, which we assess likely indicates potential future targeting. However, the manner of this attack, as told by FireEye, and its specificity against the company may indicate advanced persistent threat (APT) group activity. Therefore, it is also possible that actors stole the tools as a cover for other objectives. The detection signatures FireEye released show that the tools are similar to known tools, Cobalt Strike and Metasploit, with modifications made for its Red Team.<sup>[10]</sup> If the actors are as sophisticated as FireEye has suggested, they will likely be able to take these tools and develop their own modified versions.</p> <p><strong>Table 1</strong> – CVE List Used by FireEye Red Team in Order of Priority<sup>[11]</sup></p> <table class="table table-striped"> <thead> <tr> <th>CVE</th> <th>Description</th> <th>CVSS</th> </tr> </thead> <tbody> <tr> <td>CVE-2019-11510</td> <td>Pre-auth arbitrary file reading from Pulse Secure SSL VPNs</td> <td>10.0</td> </tr> <tr> <td>CVE-2020-1472</td> <td>Microsoft Active Directory escalation of privileges</td> <td>10.0</td> </tr> <tr> <td>CVE-2019-0604</td> <td>Remote code execution (RCE) for Microsoft SharePoint</td> <td>9.8</td> </tr> <tr> <td>CVE-2019-0708</td> <td>RCE of Windows Remote Desktop Services (RDS)</td> <td>9.8</td> </tr> <tr> <td>CVE-2019-11580</td> <td>Atlassian Crowd Remote Code Execution</td> <td>9.8</td> </tr> <tr> <td>CVE-2019-19781</td> <td>RCE of Citrix Application Delivery Controller and Citrix Gateway</td> <td>9.8</td> </tr> <tr> <td>CVE-2020-10189</td> <td>RCE for Zoho ManageEngine Desktop Central</td> <td>9.8</td> </tr> <tr> <td>CVE-2014-1812</td> <td>Windows Local Privilege Escalation</td> 
<td>9.0</td> </tr> <tr> <td>CVE-2019-3398</td> <td>Confluence Authenticated RCE</td> <td>8.8</td> </tr> <tr> <td>CVE-2020-0688</td> <td>RCE in Microsoft Exchange</td> <td>8.8</td> </tr> <tr> <td>CVE-2016-0167</td> <td>Local privilege escalation on older versions of Microsoft Windows</td> <td>7.8</td> </tr> <tr> <td>CVE-2017-11774</td> <td>RCE in Microsoft Outlook via crafted document execution (phishing)</td> <td>7.8</td> </tr> <tr> <td>CVE-2018-8581</td> <td>Microsoft Exchange Server escalation of privileges</td> <td>7.4</td> </tr> <tr> <td>CVE-2019-8394</td> <td>Arbitrary pre-auth file upload to Zoho ManageEngine ServiceDesk Plus</td> <td>6.5</td> </tr> </tbody> </table> <h2>Recommended Actions</h2> <p>We recommend importing all of the signatures provided by FireEye and using them to monitor for and identify potentially malicious activity. In addition, consistent with best practices, reviewing the CVE list and applying patches where necessary is advised. Breaches of well-known companies draw high levels of attention from threat actors as they look for new tools for their arsenal. 
Knowledge of this incident and implementation of information provided by FireEye will assist in proactive defense.</p> <h2>Endnotes</h2> <p><sup>[1]</sup> FireEye, “Unauthorized Access of FireEye Red Team Tools,” FireEye Blog, accessed December 11, 2020, published December 8, 2020, https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; Kevin Mandia, “FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community,” FireEye Blog, accessed December 11, 2020, published December 8, 2020, https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; Alexa King, “FORM 8-K: FireEye, Inc.,” United States Securities and Exchange Commission, accessed December 11, 2020, published December 8, 2020, https://www.sec.gov/ix?doc=/Archives/edgar/data/1370880/000137088020000037/feye-20201208.htm.</p> <p><sup>[2]</sup> Kevin Mandia, “FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community,” FireEye Blog.</p> <p><sup>[3]</sup> Christopher Bing and Joseph Menn, “U.S. cybersecurity firm FireEye discloses breach, theft of hacking tools,” Thomson Reuters, accessed December 11, 2020, published December 8, 2020, https://www.reuters.com/article/us-fireeye-cyber/us-cybersecurity-firm-fireeye-discloses-breach-theft-of-hacking-tools-idUSKBN28I31E.</p> <p><sup>[4]</sup> FireEye, “Unauthorized Access of FireEye Red Team Tools,” FireEye Blog.</p> <p><sup>[5]</sup> “fireeye / red_team_tool_countermeasures,” GitHub, accessed December 11, 2020, published December 8, 2020, https://github.com/fireeye/red_team_tool_countermeasures.</p> <p><sup>[6]</sup> “fireeye / red_team_tool_countermeasures,” GitHub.</p> <p><sup>[7]</sup> Dustin Volz and Robert McMillan, “U.S. 
Cyber Firm FireEye Says It Was Breached by Nation-State Hackers,” The Wall Street Journal, accessed December 11, 2020, published December 8, 2020, https://www.wsj.com/articles/u-s-cyber-firm-fireeye-says-it-was-breached-by-nation-state-hackers-11607461408; Greg Myre and Shannon Bond, “Top Cyber Firm, FireEye, Says It’s Been Hacked By A Foreign Govt.,” National Public Radio, accessed December 11, 2020, published December 8, 2020, https://www.npr.org/2020/12/08/944416183/top-cyber-firm-fireeye-says-its-been-hacked-by-a-foreign-govt.</p> <p><sup>[8]</sup> Christopher Bing and Joseph Menn, “U.S. cybersecurity firm FireEye discloses breach, theft of hacking tools,” Thomson Reuters; Dustin Volz and Robert McMillan, “U.S. Cyber Firm FireEye Says It Was Breached by Nation-State Hackers,” The Wall Street Journal.</p> <p><sup>[9]</sup> Ellen Nakashima and Joseph Marks, “Spies with Russia’s foreign intelligence service believed to have hacked a top American cybersecurity firm and stolen its sensitive tools,” The Washington Post, accessed December 11, 2020, published December 8, 2020, https://www.washingtonpost.com/national-security/leading-cybersecurity-firm-fireeye-hacked/2020/12/08/a3369aaa-3988-11eb-98c4-25dc9f4987e8_story.html.</p> <p><sup>[10]</sup> Lucian Constantin, “FireEye breach explained: How worried should you be?” CSO Online, accessed December 11, 2020, published December 10, 2020, https://www.csoonline.com/article/3600893/fireeye-breach-explained-how-worried-should-you-be.html.</p> <p><sup>[11]</sup> “fireeye / red_team_tool_countermeasures,” GitHub.</p>
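<p>The retrospective IOC search described above (sweeping historical logs for indicators from a bulletin, back to when the threat was active) in a minimal form, as an added example that is not Anomali’s or FireEye’s code. Every IOC, the proxy-log layout and the log lines are constructed placeholders for illustration, not indicators from the incident.</p>

```python
import re
from datetime import datetime

# Added example, not Anomali's or FireEye's code. All IOCs and log lines
# below are constructed placeholders, not indicators from the incident.
IOCS = {
    "domain": {"update-cdn.example.net", "telemetry-sync.example.org"},
    "ip": {"203.0.113.45"},
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
}
# Constructed proxy-log layout: "<ISO time> <src_ip> <dst_host> <dst_ip> <file sha256 or ->"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<dst>\S+) (?P<sha>\S+)$")
SAMPLE_LOGS = [
    "2019-12-01T11:00:00Z 10.0.0.3 update-cdn.example.net 203.0.113.45 -",   # before window
    "2020-03-14T09:12:01Z 10.0.0.7 update-cdn.example.net 203.0.113.45 -",
    "2020-06-02T22:40:13Z 10.0.0.9 mail.example.com 198.51.100.8 "
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "2020-11-20T03:05:44Z 10.0.0.7 intranet.example.com 10.0.0.2 -",        # benign
    "malformed line that the parser must skip",
]
# Roughly the nine-month dwell window the post describes, ending at publication.
SINCE = datetime(2020, 3, 1)
UNTIL = datetime(2020, 12, 17)

def retro_search(logs, iocs, since, until):
    """Return sorted (timestamp, src_ip, ioc_type, ioc_value) tuples for every
    IOC seen in [since, until]; unparseable or out-of-window lines are skipped."""
    hits = []
    for line in logs:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if not since <= ts <= until:
            continue
        for ioc_type, field in (("domain", "host"), ("ip", "dst"), ("sha256", "sha")):
            value = m[field].lower()              # IOC lists are normalised lowercase
            if value in iocs[ioc_type]:
                hits.append((ts, m["src"], ioc_type, value))
    return sorted(hits)

def first_contact(hits):
    """Earliest time each internal host touched any IOC: the triage starting point."""
    first = {}
    for ts, src, _, _ in hits:
        first[src] = min(first.get(src, ts), ts)
    return first
```

<p>With the constructed data, <code>retro_search(SAMPLE_LOGS, IOCS, SINCE, UNTIL)</code> returns three hits (a domain and an IP from one March request, and a file hash from June) and ignores the pre-window and malformed lines; <code>first_contact</code> then gives the earliest date per host from which an investigation would work forward.</p>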
