FireEye Red Team Toolbox Leak: Implications, Vulnerabilities, and Security Measures

Notice Number: NS-2020-0072

This document pertains to findings from the FireEye Red Team.

2020-12-09

TAG:

FireEye, APT, Red Team toolbox

Impact of Event:

Attackers utilizing this toolbox can pose significant network threats.

Version:

1.0

1 Event Overview

On December 8, local time, the security company FireEye stated in a blog post that a state-sponsored APT group had stolen FireEye’s Red Team toolbox. As it is temporarily unclear whether the attackers will use it themselves or disclose the toolbox, to ensure that various security communities can take preemptive measures, FireEye has disclosed detection rules for the stolen tools to mitigate the threat of malicious users abusing the Red Team toolbox.

SEE MORE →

2 Event Details

From the detection rules, it is inferred that the leaked Red Team toolbox contains at least 60 toolkits. Credential-stealing toolkits include ADPASSHUNT, SAFETYKATZ, while backdoor remote control toolkits include BEACON, DSHELL, REDFLARE (Gorat), and others. Additionally, there are simple scripts for automated reconnaissance, as well as exploitation frameworks like CobaltStrike and Metasploit.

Some of the tools have been published in the community and the open-source virtual machine CommandoVM. Some tools have been modified to bypass conventional security tool detections, and some tools and frameworks are internally developed by the Red Team. The leaked toolbox does not involve zero-day vulnerabilities and unpublished techniques. Currently, there is no evidence of the toolbox being distributed or used.

Involved CVE Vulnerabilities

The 16 CVE vulnerabilities involved in this toolbox are listed below:

Vulnerability Name

Official Link

Microsoft Windows Local Privilege Escalation Vulnerability (CVE-2014-1812)

https://docs.microsoft.com/zh-cn/security-updates/Securitybulletins/2014/ms14-025

Microsoft Windows Local Privilege Escalation Vulnerability (CVE-2016-0167)

http://technet.microsoft.com/security/bulletin/MS16-039

Remote Code Execution Vulnerability in Microsoft Outlook through Inducing Users to Manually Execute a Document (Phishing) (CVE-2017-11774)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11774

Fortinet Fortigate SSL VPN Arbitrary File Read Vulnerability (CVE-2018-13379)

https://www.fortiguard.com/psirt/FG-IR-18-384

Adobe ColdFusion Remote Code Execution Vulnerability (Can Be Used to Upload JSP Web Shell) (CVE-2018-15961)

https://helpx.adobe.com/security/products/coldfusion/apsb18-33.html

Microsoft Exchange Server Privilege Escalation Vulnerability (CVE-2018-8581)

https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2018-8581

Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2019-0604)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0604

Microsoft Windows Remote Desktop Services Code Execution Vulnerability (CVE-2019-0708)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0708

Pulse Secure SSL VPN Arbitrary File Read Vulnerability (CVE-2019-11510)

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/

Atlassian Crowd Remote Code Execution Vulnerability (CVE-2019-11580)

https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html

Citrix ADC, Citrix Gateway Remote Code Execution Vulnerability (CVE-2019-19781)

https://support.citrix.com/article/CTX267027

Confluence Requires Authentication Remote Code Execution Vulnerability (CVE-2019-3398)

https://confluence.atlassian.com/doc/confluence-security-advisory-2019-04-17-968660855.html

ZoHo ManageEngine ServiceDesk Plus Arbitrary File Upload Vulnerability (CVE-2019-8394)

https://www.manageengine.com/products/service-desk/on-premises/readme.html

Microsoft Exchange Remote Code Execution Vulnerability (CVE-2020-0688)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688

ZoHo ManageEngine Desktop Central Remote Code Execution Vulnerability (CVE-2020-10189)

https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html

Microsoft Windows NetLogon Privilege Escalation Vulnerability (CVE-2020-1472)

https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2020-1472

Published Detection Rules

FireEye released 311 detection rules for the leaked toolbox, including 165 YARA rules, 34 SNORT rules, 88 IOC rules, and 24 CLAMAV rules.

FireEye Red Team

Download link: https://github.com/fireeye/red_team_tool_countermeasures

3 Security Recommendations

3.1 Vulnerability Assessment

It is recommended that system administrators evaluate whether their business systems are affected by the 16 vulnerabilities in the Red Team toolbox, based on their own assets. If the assets are listed among the vulnerabilities, patches should be installed promptly.

3.2 System File Scanning

YARA is published by VirusTotal for researchers to identify and analyze malicious samples, based on text and binary feature matching principles, and is used through the command line interface or Python scripts with the YARA-Python extension.

1. Download YARA: https://github.com/virustotal/yara

2. Installation method:

Debian/Ubuntu: apt-get install yara, or compile and install yourself.

Redhat/CentOS: yum install yara (requires epel-release installation first), or compile and install yourself.

Windows: directly run the downloaded exe, or compile and install yourself.

3. Download and extract the rules red_team_tool_countermeasures-master.zip, link in the previous chapter.

4. Scan local files

[root@centos7 red_team_tool_countermeasures-master]# yara all-yara.yar -r /

Parameter explanation: -r indicates recursive query of subdirectories, / indicates the directory to be scanned.

If an administrator wants to use ClamAV, Snort rules from the toolbox, they can refer to the official documentation:

http://www.clamav.net/documents/clam-antivirus-user-manual

https://snort.org/documents

3.3 Security Product Protection

As of now, regarding the vulnerabilities involved in this Red Team toolbox, NSFOCUS has basically released product rules. Users with deployed devices are asked to upgrade to the latest version as soon as possible. The detection and protection support status for RSAS, IPS, WAF are as follows:

Vulnerability Number

Vulnerability Name

Supported Security Products

CVE-2014-1812

Microsoft Windows Local Privilege Escalation Vulnerability

 

CVE-2016-0167

Microsoft Windows Local Privilege Escalation Vulnerability

RSAS

CVE-2017-11774

Remote Code Execution Vulnerability in Microsoft Outlook through Inducing Users to Manually Execute a Document (Phishing)

IPS

CVE-2018-13379

Fortinet Fortigate SSL VPN Arbitrary File Read Vulnerability

RSAS, WAF

CVE-2018-15961

Adobe ColdFusion Remote Code Execution Vulnerability (Can Be Used to Upload JSP Web Shell)

RSAS

CVE-2018-8581

Microsoft Exchange Server Privilege Escalation Vulnerability

IPS, RSAS, WAF

CVE-2019-0604

Microsoft SharePoint Remote Code Execution Vulnerability

IPS

CVE-2019-0708

Microsoft Windows Remote Desktop Services Code Execution Vulnerability

IPSRSAS

CVE-2019-11510

Pulse Secure SSL VPN Arbitrary File Read Vulnerability

IPS, RSAS

CVE-2019-11580

Atlassian Crowd Remote Code Execution Vulnerability

RSAS

CVE-2019-19781

Citrix ADC, Citrix Gateway Remote Code Execution Vulnerability

IPS, RSAS, WAF

CVE-2019-3398

Confluence Requires Authentication Remote Code Execution Vulnerability

RSAS, WAF

CVE-2019-8394

ZoHo ManageEngine ServiceDesk Plus Arbitrary File Upload Vulnerability

IPS

CVE-2020-0688

Microsoft Exchange Remote Code Execution Vulnerability

IPS, WAF

CVE-2020-10189

ZoHo ManageEngine Desktop Central Remote Code Execution Vulnerability

IPS, RSAS, WAF

CVE-2020-1472

Microsoft Windows NetLogon Privilege Escalation Vulnerability

IPS, RSAS

END

Author: NSFOCUS Threat Confrontation Capability Department

FireEye Red Team


Disclaimer

This security announcement is solely to describe potential security issues. NSFOCUS provides no warranties or guarantees regarding this security announcement. Any direct or indirect consequences and losses arising from the dissemination or use of the information provided in this security announcement are the user’s responsibility. NSFOCUS and the author of the security announcement bear no responsibility for this.

NSFOCUS reserves the right to modify or interpret this security announcement. If you wish to reproduce or disseminate this security announcement, you must ensure its completeness, including all content such as the copyright statement. Without NSFOCUS’s permission, this security announcement cannot be arbitrarily modified, added to, or used for commercial purposes in any way.