FireEye’s stolen Pentesting Tools & the vulnerabilities they target
Posted on 10th Dec, 2020 | By Sumeetha
CSW analyzed the vulnerabilities (impacted by FireEye’s stolen pentesting tools) and found that Chinese & Iranian APT Groups target them routinely. These CVEs are also favorite targets of Ransomware such as Ryuk, Maze, Netwalker.
Two days ago, US Cybersecurity firm FireEye was attacked by a nation-state group who stole their pentesting tools. The ramification of such a breach is monumental because FireEye’s ‘red team’ tools are used by their team to assess evolving zero-day security threats.
The high-level sophistication of this attack raises suspicion that these hackers were supported by a hostile nation state. FireEye CEO Kevin Mandia said, "This attack is different from the tens of thousands of incidents we have responded to throughout the years. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past."
While FireEye has been releasing countermeasures to protect networks and devices from these stolen tools, we decided to analyze the specific vulnerabilities that these tools target and learn more about them.
At the outset, these FireEye tools target 16 vulnerabilities listed below. Here are a few key findings from our analysis of these vulnerabilities –
We identified 7 APT Groups that are known to target these vulnerabilities. We also found that 4 of them are identified as Chinese State actors and 2 are of Iranian origin.
These vulnerabilities are well-known weaknesses with active exploits and are used commonly by pen testers world-wide.
All vulnerabilities have known exploits therefore patching them is extremely critical.
We also observed that these vulnerabilities are evolving away from operating systems and are targeting SaaS products such as Zoho
These vulnerabilities are actively being targeted not just by APT groups but also by 15 ransomwares, the most notorious among them are Maze, Netwalker, Ryuk, Revil/Sodinokibi, Ragnarok, Snake, etc.
These vulnerabilities are largely present in VPNs and SaaS-based products like Zoho, Adobe, and using these weaknesses threat actors routinely target hospitals, schools, universities, etc.
CSW warned about 2 vulnerabilities (CVE-2019-11510 & CVE-2019-19781) in our Cyber Risk reports way back in March 2020 when COVID-19 hit the world. 10 out of 16 vulnerabilities that exposed FireEye were also included in RiskSense’s Attack Surface list that were first published on October 28, 2020.
We also found that CVE-2020-10189 and CVE-2019-8394 affect Zoho SaaS products exposed to the Internet and our exposure analysis shows that 7000+ entities world-wide and 630 from India are vulnerable to this weakness.
While vulnerabilities in all these products need to be fixed immediately, we should also note that the emergence of weaknesses such as these in Indian products like Zoho ought to ring warning bells all over. With ransomware attacks moving from OS layer to SaaS products, companies like Zoho should start taking cybersecurity seriously, or else hostile nation-states will take over vulnerable organizations around the globe.
Check out our analysis of vulnerabilities and its mapping to ransomwares, APT Groups, Exploits etc.