The Vulnerabilities FireEye Hackers will Start to Use

Earlier in the week, it was reported that FireEye was breached – likely by Russian hackers.  The hackers supposedly were seeking penetration testing tools used by FireEye’s services to probe high-end clients.

FireEye assumes these tools are now in the hackers' hands and has taken steps to help other companies avoid becoming future victims by releasing detection signatures for the tools on its GitHub page: https://github.com/fireeye/red_team_tool_countermeasures

From a vulnerability management perspective, FireEye also included a list of the vulnerabilities the tools exploit, which we have copied below. While it includes some that have been discussed quite a bit by us and others in the past few months (for example Zerologon, and notable vulnerabilities in Citrix, Pulse Secure, and Fortinet products), there are some lesser-known vulnerabilities worth noting, including:

  • a little-known 2014 Windows local privilege escalation vulnerability (CVE-2014-1812) that CYR3CON was tracking intelligence on earlier in the year (and which received a maximum CyRating score)
  • a Zoho ManageEngine ServiceDesk Plus vulnerability (CVE-2019-8394) ranked only "medium" severity by CVSS, which CYR3CON's platform was tracking throughout 2019 and upgraded to a maximum CyRating score in May (see the screenshot below)

It is interesting to see that CYR3CON was tracking intelligence on all of the vulnerabilities FireEye lists for many months, and that all of them carried high CyRating scores (that is, 10x more likely to be exploited or greater, placing them in the top 20% of vulnerabilities) about 6-9 months ahead of FireEye's disclosure. Most of them received the maximum CyRating score.

It may surprise many people that penetration testing tools used by some of the best red teams in the industry rely on vulnerabilities that are knowable in advance. With over 1,000 vulnerability disclosures a month and sprawling, increasingly decentralized network infrastructures, hackers can rely on the fact that security and IT teams are overwhelmed and cannot keep up with the vulnerabilities.

CYR3CON leverages not only intelligence but also machine learning, which compares that intelligence against actual attacks to predict what will be exploited. That is why the CYR3CON platform was able to flag the vulnerabilities used by the FireEye red teamers well before the disclosure.

[Screenshot: Zoho ManageEngine ServiceDesk Plus vulnerability CyRating changelog graph]

List of Vulnerabilities Noted by FireEye:

  • CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs
  • CVE-2020-1472 – Microsoft Active Directory escalation of privileges
  • CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN
  • CVE-2018-15961 – RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell)
  • CVE-2019-0604 – RCE for Microsoft SharePoint
  • CVE-2019-0708 – RCE of Windows Remote Desktop Services (RDS)
  • CVE-2019-11580 – Atlassian Crowd Remote Code Execution
  • CVE-2019-19781 – RCE of Citrix Application Delivery Controller and Citrix Gateway
  • CVE-2020-10189 – RCE for Zoho ManageEngine Desktop Central
  • CVE-2014-1812 – Windows Local Privilege Escalation
  • CVE-2019-3398 – Confluence Authenticated Remote Code Execution
  • CVE-2020-0688 – Remote Command Execution in Microsoft Exchange
  • CVE-2016-0167 – local privilege escalation on older versions of Microsoft Windows
  • CVE-2017-11774 – RCE in Microsoft Outlook via crafted document execution (phishing)
  • CVE-2018-8581 – Microsoft Exchange Server escalation of privileges
  • CVE-2019-8394 – arbitrary pre-auth file upload to Zoho ManageEngine ServiceDesk Plus
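The practical question for a defender is whether any of the sixteen CVEs above are still present on their own estate, regardless of what CVSS says about them. The script below is an added example, not code from this post, from CYR3CON or from FireEye's repository: it cross-references a vulnerability scanner's CSV export against the list, groups the hits per host, and reports which watchlisted CVEs the scan did not mention at all (which can mean "not present" or simply "not tested for", since an unauthenticated scan rarely detects local privilege escalations such as CVE-2014-1812 or CVE-2016-0167). The hostnames, IP addresses, CVSS values and the CSV column layout are constructed sample data and assumptions; adapt the column names to whatever your scanner exports.

```python
"""Cross-reference scanner findings against the CVE list FireEye published
alongside its red-team tool countermeasures (added example, constructed data)."""
import csv
import io
import re
from collections import defaultdict

# The sixteen CVEs from FireEye's published list, copied from the post above.
FIREEYE_RED_TEAM_CVES = {
    "CVE-2019-11510", "CVE-2020-1472", "CVE-2018-13379", "CVE-2018-15961",
    "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-11580", "CVE-2019-19781",
    "CVE-2020-10189", "CVE-2014-1812", "CVE-2019-3398", "CVE-2020-0688",
    "CVE-2016-0167", "CVE-2017-11774", "CVE-2018-8581", "CVE-2019-8394",
}

# Scanners write CVE ids in mixed case and several per field; normalise both.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed sample export. Hostnames, IPs, plugin names, CVSS values and the
# column layout are assumptions for this example, not real scan results.
SAMPLE_SCAN_CSV = """host,ip,plugin_name,cves,cvss
vpn01.corp.example,10.0.0.5,Pulse Connect Secure Arbitrary File Disclosure,CVE-2019-11510,10.0
dc01.corp.example,10.0.0.10,Windows Netlogon Elevation of Privilege,"CVE-2020-1472",10.0
dc01.corp.example,10.0.0.10,Windows Group Policy Preferences Password Disclosure,cve-2014-1812,9.0
helpdesk.corp.example,10.0.0.22,ManageEngine ServiceDesk Plus File Upload,CVE-2019-8394,6.5
web01.corp.example,10.0.0.30,Apache HTTP Server Multiple Vulnerabilities,"CVE-2019-0211, CVE-2019-0220",7.2
build01.corp.example,10.0.0.40,Missing Security Updates,,5.0
"""


def extract_cves(field):
    """Return every CVE identifier in a free-text field, upper-cased."""
    return {m.upper() for m in CVE_RE.findall(field or "")}


def match_findings(csv_text, watchlist=FIREEYE_RED_TEAM_CVES):
    """Map host -> sorted list of watchlisted CVEs the scanner reported on it.

    The CVSS column is deliberately ignored: CVE-2019-8394 is a 'medium' score
    in the sample yet sits on the watchlist, which is the whole point of the post.
    """
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        found = extract_cves(row.get("cves", "")) & watchlist
        if found:
            hits[row["host"]].update(found)
    return {host: sorted(cves) for host, cves in hits.items()}


def unmatched_watchlist(csv_text, watchlist=FIREEYE_RED_TEAM_CVES):
    """Watchlisted CVEs the scan never mentioned: absent, or simply not tested.

    Treat these as a coverage gap to confirm (e.g. with an authenticated scan or
    a patch-level check), not as evidence that the hosts are clean.
    """
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        seen |= extract_cves(row.get("cves", ""))
    return sorted(watchlist - seen)


if __name__ == "__main__":
    for host, cves in sorted(match_findings(SAMPLE_SCAN_CSV).items()):
        print(f"REMEDIATE {host}: {', '.join(cves)}")
    print("Not reported by this scan (verify coverage):")
    for cve in unmatched_watchlist(SAMPLE_SCAN_CSV):
        print(f"  {cve}")
```

On the sample data the script flags the VPN appliance, the domain controller (twice, including the 2014 LPE) and the ServiceDesk server, ignores the Apache host because its CVEs are not on the list, and lists the twelve watchlisted CVEs the scan never mentioned so they can be checked by other means.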


Protect your organization from targeted but unpatched vulnerabilities. Take advantage of the CYR3CON Predictive Threat Assessment to make sure the vulnerabilities actually targeted by hackers are part of your remediation efforts.