Notice Number: NS-2020-0072
This document pertains to findings from the FireEye Red Team.
2020-12-09
TAG: |
FireEye, APT, Red Team toolbox |
---|---|
Impact of Event: |
Attackers utilizing this toolbox can pose significant network threats. |
Version: |
1.0 |
1 Event Overview
On December 8, local time, the security company FireEye stated in a blog post that a state-sponsored APT group had stolen FireEye’s Red Team toolbox. As it is temporarily unclear whether the attackers will use it themselves or disclose the toolbox, to ensure that various security communities can take preemptive measures, FireEye has disclosed detection rules for the stolen tools to mitigate the threat of malicious users abusing the Red Team toolbox.
SEE MORE →
2 Event Details
From the detection rules, it is inferred that the leaked Red Team toolbox contains at least 60 toolkits. Credential-stealing toolkits include ADPASSHUNT, SAFETYKATZ, while backdoor remote control toolkits include BEACON, DSHELL, REDFLARE (Gorat), and others. Additionally, there are simple scripts for automated reconnaissance, as well as exploitation frameworks like CobaltStrike and Metasploit.
Some of the tools have been published in the community and the open-source virtual machine CommandoVM. Some tools have been modified to bypass conventional security tool detections, and some tools and frameworks are internally developed by the Red Team. The leaked toolbox does not involve zero-day vulnerabilities and unpublished techniques. Currently, there is no evidence of the toolbox being distributed or used.
Involved CVE Vulnerabilities
The 16 CVE vulnerabilities involved in this toolbox are listed below:
Vulnerability Name |
Official Link |
---|---|
Microsoft Windows Local Privilege Escalation Vulnerability (CVE-2014-1812) |
https://docs.microsoft.com/zh-cn/security-updates/Securitybulletins/2014/ms14-025 |
Microsoft Windows Local Privilege Escalation Vulnerability (CVE-2016-0167) |
http://technet.microsoft.com/security/bulletin/MS16-039 |
Remote Code Execution Vulnerability in Microsoft Outlook through Inducing Users to Manually Execute a Document (Phishing) (CVE-2017-11774) |
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11774 |
Fortinet Fortigate SSL VPN Arbitrary File Read Vulnerability (CVE-2018-13379) |
https://www.fortiguard.com/psirt/FG-IR-18-384 |
Adobe ColdFusion Remote Code Execution Vulnerability (Can Be Used to Upload JSP Web Shell) (CVE-2018-15961) |
https://helpx.adobe.com/security/products/coldfusion/apsb18-33.html |
Microsoft Exchange Server Privilege Escalation Vulnerability (CVE-2018-8581) |
https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2018-8581 |
Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2019-0604) |
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0604 |
Microsoft Windows Remote Desktop Services Code Execution Vulnerability (CVE-2019-0708) |
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0708 |
Pulse Secure SSL VPN Arbitrary File Read Vulnerability (CVE-2019-11510) |
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/ |
Atlassian Crowd Remote Code Execution Vulnerability (CVE-2019-11580) |
https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html |
Citrix ADC, Citrix Gateway Remote Code Execution Vulnerability (CVE-2019-19781) |
https://support.citrix.com/article/CTX267027 |
Confluence Requires Authentication Remote Code Execution Vulnerability (CVE-2019-3398) |
https://confluence.atlassian.com/doc/confluence-security-advisory-2019-04-17-968660855.html |
ZoHo ManageEngine ServiceDesk Plus Arbitrary File Upload Vulnerability (CVE-2019-8394) |
https://www.manageengine.com/products/service-desk/on-premises/readme.html |
Microsoft Exchange Remote Code Execution Vulnerability (CVE-2020-0688) |
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688 |
ZoHo ManageEngine Desktop Central Remote Code Execution Vulnerability (CVE-2020-10189) |
https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html |
Microsoft Windows NetLogon Privilege Escalation Vulnerability (CVE-2020-1472) |
https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2020-1472 |
Published Detection Rules
FireEye released 311 detection rules for the leaked toolbox, including 165 YARA rules, 34 SNORT rules, 88 IOC rules, and 24 CLAMAV rules.

Download link: https://github.com/fireeye/red_team_tool_countermeasures
3 Security Recommendations
3.1 Vulnerability Assessment
It is recommended that system administrators evaluate whether their business systems are affected by the 16 vulnerabilities in the Red Team toolbox, based on their own assets. If the assets are listed among the vulnerabilities, patches should be installed promptly.
3.2 System File Scanning
YARA is published by VirusTotal for researchers to identify and analyze malicious samples, based on text and binary feature matching principles, and is used through the command line interface or Python scripts with the YARA-Python extension.
1. Download YARA: https://github.com/virustotal/yara
2. Installation method:
Debian/Ubuntu: apt-get install yara, or compile and install yourself.
Redhat/CentOS: yum install yara (requires epel-release installation first), or compile and install yourself.
Windows: directly run the downloaded exe, or compile and install yourself.
3. Download and extract the rules red_team_tool_countermeasures-master.zip, link in the previous chapter.
4. Scan local files
[root@centos7 red_team_tool_countermeasures-master]# yara all-yara.yar -r /
Parameter explanation: -r indicates recursive query of subdirectories, / indicates the directory to be scanned.
If an administrator wants to use ClamAV, Snort rules from the toolbox, they can refer to the official documentation:
http://www.clamav.net/documents/clam-antivirus-user-manual
3.3 Security Product Protection
As of now, regarding the vulnerabilities involved in this Red Team toolbox, NSFOCUS has basically released product rules. Users with deployed devices are asked to upgrade to the latest version as soon as possible. The detection and protection support status for RSAS, IPS, WAF are as follows:
Vulnerability Number |
Vulnerability Name |
Supported Security Products |
---|---|---|
CVE-2014-1812 |
Microsoft Windows Local Privilege Escalation Vulnerability | |
CVE-2016-0167 |
Microsoft Windows Local Privilege Escalation Vulnerability |
RSAS |
CVE-2017-11774 |
Remote Code Execution Vulnerability in Microsoft Outlook through Inducing Users to Manually Execute a Document (Phishing) |
IPS |
CVE-2018-13379 |
Fortinet Fortigate SSL VPN Arbitrary File Read Vulnerability |
RSAS, WAF |
CVE-2018-15961 |
Adobe ColdFusion Remote Code Execution Vulnerability (Can Be Used to Upload JSP Web Shell) |
RSAS |
CVE-2018-8581 |
Microsoft Exchange Server Privilege Escalation Vulnerability |
IPS, RSAS, WAF |
CVE-2019-0604 |
Microsoft SharePoint Remote Code Execution Vulnerability |
IPS |
CVE-2019-0708 |
Microsoft Windows Remote Desktop Services Code Execution Vulnerability |
IPSRSAS |
CVE-2019-11510 |
Pulse Secure SSL VPN Arbitrary File Read Vulnerability |
IPS, RSAS |
CVE-2019-11580 |
Atlassian Crowd Remote Code Execution Vulnerability |
RSAS |
CVE-2019-19781 |
Citrix ADC, Citrix Gateway Remote Code Execution Vulnerability |
IPS, RSAS, WAF |
CVE-2019-3398 |
Confluence Requires Authentication Remote Code Execution Vulnerability |
RSAS, WAF |
CVE-2019-8394 |
ZoHo ManageEngine ServiceDesk Plus Arbitrary File Upload Vulnerability |
IPS |
CVE-2020-0688 |
Microsoft Exchange Remote Code Execution Vulnerability |
IPS, WAF |
CVE-2020-10189 |
ZoHo ManageEngine Desktop Central Remote Code Execution Vulnerability |
IPS, RSAS, WAF |
CVE-2020-1472 |
Microsoft Windows NetLogon Privilege Escalation Vulnerability |
IPS, RSAS |
END
Author: NSFOCUS Threat Confrontation Capability Department


Disclaimer
This security announcement is solely to describe potential security issues. NSFOCUS provides no warranties or guarantees regarding this security announcement. Any direct or indirect consequences and losses arising from the dissemination or use of the information provided in this security announcement are the user’s responsibility. NSFOCUS and the author of the security announcement bear no responsibility for this.
NSFOCUS reserves the right to modify or interpret this security announcement. If you wish to reproduce or disseminate this security announcement, you must ensure its completeness, including all content such as the copyright statement. Without NSFOCUS’s permission, this security announcement cannot be arbitrarily modified, added to, or used for commercial purposes in any way.