US cybersecurity firm FireEye was attacked by a nation-state group that was able to steal its penetration-testing tools and exploit kits. The ramifications of such a breach are monumental because FireEye's Red Team tools are used to assess evolving zero-day security threats and to test the exposure organizations may have to these types of threats. It's another reminder that risk exposure happens to all types of organizations.
The high level of sophistication of this attack raises the suspicion that these hackers were supported by a hostile nation-state. FireEye CEO Kevin Mandia said, "This attack is different from the tens of thousands of incidents we have responded to throughout the years. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past."
FireEye has been releasing countermeasures to inform and direct organizations on how to protect their networks and devices from these stolen tools. We decided to analyze the specific vulnerabilities that these tools target to learn more about them. Because we continuously add threat context to our vulnerability data, it turns out that 9 of the 16 vulnerabilities leveraged by this toolset were already included in the RiskSense Attack Surface system filter list, updated on October 28, 2020. With one click, our users can see all of the open findings associated with this curated list, giving a quick view of what the RiskSense research and security team considers to be the most critical.
This incident does point to the need for heightened awareness and faster remediation. Here is an overview of the additional information our team has uncovered about these threats:
- The vulnerabilities the exploit kit leveraged also have strong ties to Chinese and Iranian threat actors: 7 APT groups in total, 4 of them associated with Chinese state actors and 2 of Iranian origin.
- Ransomware families Ryuk, Maze, Netwalker, Revil/Sodinokibi, Ragnarok, Snake, and others use them, for a total of 15 ransomware variants at the time of this writing.
- Only three of them are vulnerabilities from 2020; the rest range in age, with the oldest from 2014.
- The vulnerabilities span the expected vendors like Microsoft and Adobe, but the list also includes others associated with growing SaaS products like Zoho, as well as VPN technologies.
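The triage the post describes (match open findings against a curated list of weaponized CVEs, then weigh APT and ransomware associations and the age of the bug) can be expressed as a small prioritization routine. The block below is an added example and not RiskSense's or Cyber Security Works' code; the scoring weights, the `corp.example` host names, the `APT-A`/`APT-B`/`APT-C` group labels, the `PLACEHOLDER` CVE identifiers and every threat-context tag attached to a finding are constructed sample data, not claims about the real toolkit. The three real CVE identifiers are the ones named on this page.

```python
from dataclasses import dataclass

# Constructed stand-in for the curated weaponized-CVE filter list: the
# three CVEs named in the post. The real list is not reproduced here.
CURATED_WEAPONIZED = {
    "CVE-2019-11510",  # Pulse Secure VPN, named in the post
    "CVE-2019-19781",  # Citrix ADC, named in the post
    "CVE-2020-1472",   # Zerologon, named in the post
}


@dataclass(frozen=True)
class Finding:
    """One open scanner finding plus the threat context attached to its CVE."""
    cve: str
    host: str
    vendor: str
    apt_groups: frozenset = frozenset()   # constructed tags, not real attribution
    ransomware: frozenset = frozenset()   # constructed tags, not real attribution


def cve_year(cve: str) -> int:
    # CVE identifiers are CVE-<year>-<sequence>; the year is the second field.
    return int(cve.split("-")[1])


def priority(f: Finding, curated: set, current_year: int = 2020) -> int:
    """Higher score = remediate first. All weights are assumptions for this example."""
    score = 0
    if f.cve in curated:
        score += 40                                  # on the curated weaponized list
    if f.apt_groups:
        score += 20 + 5 * (len(f.apt_groups) - 1)   # any APT use, plus breadth
    if f.ransomware:
        score += 20 + 5 * (len(f.ransomware) - 1)   # any ransomware use, plus breadth
    if current_year - cve_year(f.cve) >= 2:
        score += 10                                  # old and still open: a remediation gap
    return score


def prioritize(findings, curated=CURATED_WEAPONIZED, current_year=2020):
    """Findings ordered highest priority first; ties broken by CVE id then host."""
    return sorted(
        findings,
        key=lambda f: (-priority(f, curated, current_year), f.cve, f.host),
    )


def curated_coverage(findings, curated=CURATED_WEAPONIZED):
    """(distinct CVEs that are on the curated list, distinct CVEs seen) -- the '9 of 16' view."""
    seen = {f.cve for f in findings}
    return len(seen & curated), len(seen)


# Constructed sample findings. Threat-context tags are illustrative only.
SAMPLE_FINDINGS = [
    Finding("CVE-2020-1472", "dc01.corp.example", "Microsoft",
            ransomware=frozenset({"Ryuk"})),
    Finding("CVE-2019-11510", "vpn.corp.example", "Pulse Secure",
            apt_groups=frozenset({"APT-A", "APT-B"}), ransomware=frozenset({"REvil"})),
    Finding("CVE-2019-19781", "adc.corp.example", "Citrix",
            apt_groups=frozenset({"APT-C"})),
    Finding("CVE-2014-PLACEHOLDER", "fs02.corp.example", "Microsoft",
            ransomware=frozenset({"Maze"})),
    Finding("CVE-2018-PLACEHOLDER", "ws07.corp.example", "Adobe"),
]

if __name__ == "__main__":
    matched, total = curated_coverage(SAMPLE_FINDINGS)
    print(f"{matched} of {total} distinct CVEs are on the curated list")
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{priority(f, CURATED_WEAPONIZED):3d}  {f.cve:<24} {f.host:<20} {f.vendor}")
```

Membership in the curated list dominates the score by design: a CVE that is known to be weaponized is worth patching before one with a higher CVSS base score but no observed use, which is the point the post makes about the filter list. The age bonus surfaces old, still-open bugs (the 2014 entry in the toolkit) that a purely severity-driven queue tends to bury.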
While it is disheartening that this occurred, weaponized vulnerabilities are a source of concern for all organizations. Read more of what has already been written about some of these vulnerabilities:
- In the Cyber Risk of Working Remote report in March 2020, when COVID-19 was just beginning, 2 vulnerabilities (CVE-2019-11510 & CVE-2019-19781) were highlighted.
- RiskSense delivers a tool to detect Zerologon (CVE-2020-1472) exposure.
Review the entire vulnerability list associated with the FireEye stolen toolkit from our research partner, Cyber Security Works.