Alert Logic is actively researching the targeted compromise of FireEye systems that resulted in the theft of Red Team assessment tools that FireEye uses in its security assessments. While no public reports of these tools being used maliciously have been identified so far, FireEye has proactively released hundreds of countermeasures (detection signatures) to support mitigation efforts.
The Alert Logic Threat Intelligence team has reviewed the release notes from FireEye to assess how to address these attack methods and will continue this assessment as new information is identified. Any detection of these attack methods will be escalated to customers with intrusion detection system (IDS) subscriptions.
On December 8, 2020, FireEye announced the theft of tools used during its penetration tests. Details on the tools are scarce, but according to FireEye, they primarily relate to the reconnaissance and post-exploitation phases of an attack and do not contain any zero-day exploits.
For more information about this compromise and countermeasures, refer to FireEye’s announcement.
Alert Logic Coverage
Vulnerability Scanning: Alert Logic has existing scan coverage for the CVEs that FireEye identified as being exploited by the stolen attack tools.
Network IDS: The IDS signatures developed by FireEye have been curated and deployed by the Alert Logic Threat Intelligence team to enable efficient monitoring by the Alert Logic Security Operations Center. Additionally, IDS signatures are available for all CVEs identified by FireEye that are in scope for Alert Logic detection.
Web Application Firewall: Alert Logic has released new web application firewall (WAF) coverage and promoted existing coverage to the Emerging Threats virtual patch rule group to detect attacks that attempt to exploit the applicable CVEs related to the FireEye breach. These virtual patches are available to customers running version 4.6 of the Alert Logic WAF appliance. For assistance with determining whether you have enabled virtual patches, or to discuss updating your appliance to version 4.6 to take advantage of these patches, submit a ticket to the Alert Logic Security Operations Center. If you plan to enable virtual patches for the first time, Alert Logic highly recommends working with a Web Security Expert before enabling any new patches to ensure proper tuning and continued availability.
Log Management: Alert Logic is actively researching this compromise to determine whether existing or new log coverage can detect associated threats.
Recommendations for Mitigation
Since the stolen tools contain no new vulnerabilities, this leak requires no new patches. However, the tools target known, already-patched CVEs, so it is recommended to verify that the vendor patches are installed for the following CVEs (CVSS scores as listed by FireEye):
- CVE-2019-11510 - Pre-auth arbitrary file read from Pulse Secure SSL VPNs - CVSS 10.0
- CVE-2020-1472 - Microsoft Active Directory (Netlogon, "Zerologon") elevation of privilege - CVSS 10.0
- CVE-2018-13379 - Pre-auth arbitrary file read from Fortinet FortiGate SSL VPN - CVSS 9.8
- CVE-2018-15961 - Remote Code Execution (RCE) in Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) - CVSS 9.8
- CVE-2019-0604 - RCE in Microsoft SharePoint - CVSS 9.8
- CVE-2019-0708 - RCE in Windows Remote Desktop Services (RDS) - CVSS 9.8
- CVE-2019-11580 - Atlassian Crowd RCE - CVSS 9.8
- CVE-2019-19781 - RCE in Citrix Application Delivery Controller and Citrix Gateway - CVSS 9.8
- CVE-2020-10189 - RCE in Zoho ManageEngine Desktop Central - CVSS 9.8
- CVE-2014-1812 - Windows local privilege escalation (Group Policy Preferences credential disclosure) - CVSS 9.0
- CVE-2019-3398 - Atlassian Confluence authenticated RCE - CVSS 8.8
- CVE-2020-0688 - RCE in Microsoft Exchange - CVSS 8.8
- CVE-2016-0167 - Local privilege escalation on older versions of Microsoft Windows - CVSS 7.8
- CVE-2017-11774 - Security feature bypass in Microsoft Outlook that allows code execution via a crafted message (used in phishing) - CVSS 7.8
- CVE-2018-8581 - Microsoft Exchange Server elevation of privilege - CVSS 7.4
- CVE-2019-8394 - Pre-auth arbitrary file upload to Zoho ManageEngine ServiceDesk Plus - CVSS 6.5
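A practical way to act on the list above is to cross-reference your own vulnerability scanner output against it, so that hosts still exposed to a CVE in the stolen toolset are patched and verified first. The script below is an added example and is not Alert Logic or FireEye code: it takes a simple `host,cve,status` CSV export (a constructed format; adapt the column names to your scanner), keeps only open findings whose CVE appears in the list above, and orders hosts by worst CVSS score. The CVSS values are those given on this page; the "stage" labels (initial access, privilege escalation, phishing) are derived from the one-line descriptions above and are an editorial assumption, as are the hostnames in the sample data.

```python
"""Prioritise hosts whose open findings match the CVEs targeted by the stolen
FireEye Red Team tools (added example; not Alert Logic or FireEye code)."""
import csv
import io
from collections import defaultdict

# CVEs and CVSS scores as listed on this page. The stage label is an
# assumption derived from each entry's description: pre-auth and remote RCE
# bugs give initial access, EoP bugs escalate once inside, Outlook is phishing.
FIREEYE_CVES = {
    "CVE-2019-11510": (10.0, "initial access"),
    "CVE-2020-1472":  (10.0, "privilege escalation"),
    "CVE-2018-13379": (9.8, "initial access"),
    "CVE-2018-15961": (9.8, "initial access"),
    "CVE-2019-0604":  (9.8, "initial access"),
    "CVE-2019-0708":  (9.8, "initial access"),
    "CVE-2019-11580": (9.8, "initial access"),
    "CVE-2019-19781": (9.8, "initial access"),
    "CVE-2020-10189": (9.8, "initial access"),
    "CVE-2014-1812":  (9.0, "privilege escalation"),
    "CVE-2019-3398":  (8.8, "initial access"),   # authenticated, but remote RCE
    "CVE-2020-0688":  (8.8, "initial access"),
    "CVE-2016-0167":  (7.8, "privilege escalation"),
    "CVE-2017-11774": (7.8, "phishing"),
    "CVE-2018-8581":  (7.4, "privilege escalation"),
    "CVE-2019-8394":  (6.5, "initial access"),
}

# Constructed sample scanner export: hostnames and findings are made up.
# Note the mixed case / trailing space on one row, a remediated finding,
# and a placeholder id (not a real CVE) that is outside the FireEye list.
SAMPLE_SCAN_CSV = """\
host,cve,status
vpn01.corp.example,CVE-2019-11510,open
vpn01.corp.example,cve-2018-13379 ,open
dc01.corp.example,CVE-2020-1472,open
dc01.corp.example,CVE-2016-0167,remediated
mail01.corp.example,CVE-2020-0688,open
mail01.corp.example,CVE-2018-8581,open
wiki01.corp.example,CVE-2019-3398,open
wiki01.corp.example,CVE-2000-0000,open
ws-0042.corp.example,CVE-2017-11774,open
"""


def parse_scan(csv_text):
    """Parse a host,cve,status export; normalise CVE ids, drop blank rows."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cve = (row.get("cve") or "").strip().upper()
        host = (row.get("host") or "").strip()
        if not cve or not host:
            continue
        status = (row.get("status") or "open").strip().lower()
        rows.append({"host": host, "cve": cve, "status": status})
    return rows


def triage(rows, catalog=FIREEYE_CVES):
    """Return {host: [(cve, cvss, stage), ...]} for open findings that match
    the catalog, each host's list sorted by CVSS descending. Remediated
    findings and CVEs outside the catalog are ignored; duplicates collapse."""
    by_host = defaultdict(list)
    for row in rows:
        if row["status"] == "remediated" or row["cve"] not in catalog:
            continue
        cvss, stage = catalog[row["cve"]]
        entry = (row["cve"], cvss, stage)
        if entry not in by_host[row["host"]]:
            by_host[row["host"]].append(entry)
    for host in by_host:
        by_host[host].sort(key=lambda e: (-e[1], e[0]))
    return dict(by_host)


def priority_order(triaged):
    """Hosts ordered by worst CVSS, then by number of matching CVEs."""
    return sorted(triaged,
                  key=lambda h: (-triaged[h][0][1], -len(triaged[h]), h))


def main():
    triaged = triage(parse_scan(SAMPLE_SCAN_CSV))
    for host in priority_order(triaged):
        cve, cvss, stage = triaged[host][0]
        print(f"{host}: worst {cve} (CVSS {cvss}, {stage}); "
              f"{len(triaged[host])} matching open finding(s)")


if __name__ == "__main__":
    main()
```

Running the sample puts the VPN concentrator and the domain controller at the top (both carry a CVSS 10.0 finding) and drops the remediated and out-of-scope rows, which is the order in which patch verification for this list should proceed. Swap `SAMPLE_SCAN_CSV` for your real export; anything in the `status` column other than `remediated` is treated as open.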
This section will be updated with new information about this compromise and related Alert Logic coverage as it becomes available. To follow updates for this article, click the FOLLOW button at the top of the article. You must be signed into the Support Center using your Alert Logic product credentials to follow this article.
12/16/2020: Alert Logic released new WAF coverage and promoted existing coverage to the Emerging Threats virtual patch rule group to detect attacks that attempt to exploit the applicable CVEs related to the FireEye breach. These virtual patches are available to customers running version 4.6 of the Alert Logic WAF appliance.