Overview
State Sponsored Attackers Targeted FireEye: US based cybersecurity firm Fire Eye has been attacked by highly sophisticated malicious actors that are believed to be backed by an adversary state.
Details on the Attack
According to the FireEye, the highly sophisticated attack techniques and the discipline with which the attack was conducted led them to believe that the threat was state sponsored. Allegedly, APT29, a.k.a. Russian hacking group Cozy Bear, is the suspect behind the incident, though this has not been validated yet.
A company official declared that the attack was conducted by a nation with top-tier offensive capabilities. This attack was different from the tens of thousands of incidents they have experienced before in that the world class offensive capabilities were tailored to specifically target the FireEye. The attack made use of a novel combination of techniques not witnessed before and used methods that counter the security and forensic examination tools.
FireEye announced that currently they are investigating the incident with FBI and other partners, including Microsoft. It is believed that so far only some Red Team assessment tools that they use to test their customers’ security were accessed and stolen by the attackers and sensitive customer data were not compromised by the attack.
The intent of the attacker on the stolen tools is not known currently. Whether they could be sold, disclosed publicly or used by the attackers in their malicious activities, the company have already taken some precautions against any potential threat that could make use of the stolen tools. To protect the community and their customers, FireEye further details the countermeasures they have taken due to the stolen tools as follows:
- Preparation of countermeasures that can detect and block the use of the stolen Red Team tools.
- Implementing countermeasures into FireEye security products.
- Sharing the taken countermeasures with the community and publicly through the company blog post (Unauthorized Access of FireEye Red Team Tools)
- Sharing the additional mitigations with the community as they become available.
FireEye also shared a list of high priority CVEs that should be addressed to limit the effectiveness of the stolen Red Team tools. For the good news, the list does not contain any zero day vulnerabilities unlike the previous 2017 leak of the NSA tools and exploits by the Shadow Brokers.
- CVE-2019-11510 – Pulse Secure SSL VPNs (Arbitrary File Reading) – CVSS 10.0
- CVE-2020-1472 – Microsoft Active Directory (Privilege Escalation) – CVSS 10.0
- CVE-2018-13379 – Fortinet Fortigate SSL VPN (Arbitrary File Reading) – CVSS 9.8
- CVE-2018-15961 – Adobe ColdFusion (RCE) – CVSS 9.8
- CVE-2019-0604 – Microsoft Sharepoint (RCE) – CVSS 9.8
- CVE-2019-0708 – Windows Remote Desktop Services (RCE) – CVSS 9.8
- CVE-2019-11580 – Atlassian Crowd (RCE) – CVSS 9.8
- CVE-2019-19781 – Citrix Application Delivery Controller and Citrix Gateway (RCE) – CVSS 9.8
- CVE-2020-10189 – ZoHo ManageEngine Desktop Central (RCE) – CVSS 9.8
- CVE-2014-1812 – Windows (Local Privilege Escalation) – CVSS 9.0
- CVE-2019-3398 – Confluence (Authenticated RCE) – CVSS 8.8
- CVE-2020-0688 – Microsoft Exchange (RCE) – CVSS 8.8
- CVE-2016-0167 – Microsoft Windows Older Versions (RCE)- CVSS 7.8
- CVE-2017-11774 – Microsoft Outlook (RCE) – CVSS 7.8
- CVE-2018-8581 – Microsoft Exchange Server (Privilege Escalation) – CVSS 7.4
- CVE-2019-8394 – ZoHo ManageEngine ServiceDesk Plus (Arbitrary File Upload) – CVSS 6.5
Company Profile
Founded in 2004, California based top-tier cyber security firm FireEye specializes in developing defensive and investigative tools against cyber attacks. Some of these tools are even provided as free by the company and can be downloaded from the company web page. Additionally, FireEye publishes threat intelligence reports and analysis on Advanced Persistent Threat (APT) groups.
Advanced Persistent Threat (APT)
“An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.”
Ref: NIST SP 800-39 Managing Information Security Risk
The company also provides high quality cyber security education and training on a wide range of topics listed below.
- Cyber Threat Hunting
- Network Security and Forensics
- Malware Analysis
- Endpoint Security and File Protection
- Email Security
Lessons Learned
Cyber security firms or organizations being breached by malicious actors is not something that’s unheard of. In the past, Kaspersky, Avast, Bit9 etc. have been breached and even tools and exploits were leaked from the NSA. Thus, it is worth remembering that there is no 100% security in cyber security and it seems that FireEye is not an exception to this rule.
You can never protect yourself 100%. What you do is protect yourself as much as possible and mitigate risk to an acceptable degree. You can never remove all risk.
Kevin Mitnick
Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.
