Several high-profile breaches have been recently reported affecting major cybersecurity and IT companies and possibly affecting multiple government agencies.
On 8 December 2020, the cybersecurity firm FireEye reported a breach in which internal software tools were stolen. The stolen tools, known as Red Team tools, are used by the company to perform penetration tests of client IT assets. While some of the tools were private and not meant to be publicly available, FireEye distributed others freely in CommandoVM, its open-source virtual machine toolkit for penetration testing, which is available on GitHub (https://github.com/fireeye/commando-vm). It is important to note that the stolen tools do not exploit any zero-day vulnerabilities.
Every vulnerability the tools exploit is known, in some cases for years, and patches are available to counter them. FireEye has released a list of prioritized CVEs that should be patched to counter their Red Team tools:
- CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs – CVSS 10.0
- CVE-2020-1472 – Microsoft Active Directory escalation of privileges – CVSS 10.0
- CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet FortiGate SSL VPN – CVSS 9.8
- CVE-2018-15961 – RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) – CVSS 9.8
- CVE-2019-0604 – RCE for Microsoft SharePoint – CVSS 9.8
- CVE-2019-0708 – RCE of Windows Remote Desktop Services (RDS) – CVSS 9.8
- CVE-2019-11580 – Atlassian Crowd remote code execution – CVSS 9.8
- CVE-2019-19781 – RCE of Citrix Application Delivery Controller and Citrix Gateway – CVSS 9.8
- CVE-2020-10189 – RCE for Zoho ManageEngine Desktop Central – CVSS 9.8
- CVE-2014-1812 – Windows local privilege escalation – CVSS 9.0
- CVE-2019-3398 – Confluence authenticated remote code execution – CVSS 8.8
- CVE-2020-0688 – remote command execution in Microsoft Exchange – CVSS 8.8
- CVE-2016-0167 – local privilege escalation on older versions of Microsoft Windows – CVSS 7.8
- CVE-2017-11774 – RCE in Microsoft Outlook via crafted document execution (phishing) – CVSS 7.8
- CVE-2018-8581 – Microsoft Exchange Server escalation of privileges – CVSS 7.4
- CVE-2019-8394 – arbitrary pre-auth file upload to Zoho ManageEngine ServiceDesk Plus – CVSS 6.5
Additionally, indicators of compromise in the form of YARA rules, Snort rules, and AV detection signatures were published to detect the usage of these tools in the wild. This information can be found on GitHub (https://github.com/fireeye/red_team_tool_countermeasures).
In their press release, FireEye concluded the breach was performed by a “nation with top-tier offensive capabilities” but stopped short of naming a specific nation.
The attackers were noted by FireEye to act with extremely disciplined and focused operational security to hide their presence and identity. Tools and techniques were used to hide their activities from forensic and security monitoring software. They also concentrated on seeking customer information relating to government entities.
SolarWinds Breach
On 13 December 2020, FireEye reported their discovery of a globally reaching supply-chain campaign, found as a direct result of the 8 December breach investigation. Indicators of compromise (IoCs) were observed at compromised organizations dating back to April 2020. Attackers modified legitimate software updates for the SolarWinds Orion network monitoring product and uploaded them to the SolarWinds software update website. Customers who downloaded and installed the update from SolarWinds unknowingly installed the attached malware as well. The malware does not self-propagate; it spreads only when a victim manually downloads and installs a malicious update. The maliciously modified DLL gives attackers backdoor access to infected systems. FireEye investigators dubbed the backdoor SUNBURST; its capabilities include:
- Infected system information gathering
  - Domain name
  - Network interface enumeration
  - Process/service enumeration
  - Installed drivers
- Read, write, and delete registry keys
- Read, write, and delete files
- Start/stop processes
- Reboot the system
FireEye noted the attackers that breached SolarWinds also possessed “top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors.” They prioritized stealth by using minimal malware, and by masquerading their network traffic as legitimate SolarWinds Orion traffic. Command and control infrastructure hostnames were configured to match legitimate hostnames found in the victim’s infrastructure. Additionally, command and control infrastructure was deployed using virtual private servers within the same country as a victim to decrease the amount of suspicious network traffic from foreign countries.
FireEye published an extensive set of SUNBURST IoCs and countermeasures on GitHub, including YARA rules, Snort rules, and AV signatures (https://github.com/fireeye/sunburst_countermeasures).
Post-compromise activity:
Very little information has been published so far regarding post-exploitation activities, aside from the deployment of Cobalt Strike Beacon payloads. Cobalt Strike is a popular, commercially available tool used by penetration testers.
Again, FireEye stopped short of attributing this campaign to a specific nation.
Targeting:
The campaign seems to have been broad in targeting since any organization that downloaded and installed a malicious Orion update could have been infected. FireEye mentions specifically the following industries in North America, Europe, Asia, and the Middle East:
- Government
- Consulting
- Technology
- Telecom
- Extractive
A list of SolarWinds customers has since been removed from their website but could provide a potential victim list. This list contains many large and powerful government agencies, defense contractors, financial institutions, and telecommunications companies.
Red Sky Alliance has been tracking cyber incidents for 9 years. Throughout our research, we have learned from our colleagues and clients that the installation, updating, and monitoring of firewalls, sound cybersecurity practices, and proper employee training are keys to success, yet unfortunately they are at times not enough. Our current CTAC and RedXray tools provide a valuable look into the underground, where we supply IoC blacklists and show attackers' tactics and techniques.
Our information can help support current protections with proactive underground indicators of compromise. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis for your organization.
Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports. Malware comes and goes, but often is dusted off and reappears in current campaigns.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225 or feedback@wapacklabs.com.
Weekly Cyber Intelligence Briefings:
https://attendee.gotowebinar.com/register/8782169210544615949
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941