PSIRT Blogs

FireEye Red Team Tool Breach

By Carl Windsor | December 11, 2020

Executive Summary

On December 8th, cyber security vendor FireEye reported a breach of its network and the exfiltration of data, including its internally developed Red Team tools. FireEye took the step of publishing details of these tools in a GitHub repository so that other vendors can protect against their use by potential adversaries.

This breach has been attributed to a nation-state threat actor, so we do not expect to see these tools widely abused in the wild; however, with the additional information provided by FireEye, Fortinet have been able to ensure that these tools cannot be abused.

Threat Mitigation

None of the vulnerabilities targeted by the disclosed tools were zero-days; FortiGuard Labs therefore already had coverage in place for the following CVEs at the time of notification:

| CVE | Description | Sig ID | Coverage |
|---|---|---|---|
| CVE-2019-11510 | Pre-auth arbitrary file reading from Pulse Secure SSL VPNs | 48342 | IPS |
| CVE-2020-1472 | Microsoft Active Directory escalation of privileges | 49499 | IPS |
| CVE-2018-13379 | Pre-auth arbitrary file reading from Fortinet FortiGate SSL VPN | 48321 | IPS |
| CVE-2018-15961 | RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) | 47129 | IPS |
| CVE-2019-0604 | RCE for Microsoft SharePoint | 47918 | IPS |
| CVE-2019-0708 | RCE of Windows Remote Desktop Services (RDS) | 47968 | IPS |
| CVE-2019-11580 | Atlassian Crowd Remote Code Execution | 48192 | IPS |
| CVE-2019-19781 | RCE of Citrix Application Delivery Controller and Citrix Gateway | 48653 | IPS |
| CVE-2020-10189 | RCE for Zoho ManageEngine Desktop Central | 48794 | IPS |
| CVE-2014-1812 | Windows Local Privilege Escalation | 23982 | FortiClient |
| CVE-2019-3398 | Confluence Authenticated Remote Code Execution | 47983 | IPS |
| CVE-2020-0688 | Remote Command Execution in Microsoft Exchange | 48765 | IPS |
| CVE-2016-0167 | Local privilege escalation on older versions of Microsoft Windows | 42285 | IPS |
| CVE-2017-11774 | RCE in Microsoft Outlook via crafted document execution (phishing) | 48144 | IPS |
| CVE-2018-8581 | Microsoft Exchange Server escalation of privileges | 47347 | IPS |
| CVE-2019-8394 | Arbitrary pre-auth file upload to Zoho ManageEngine ServiceDesk Plus | 48988 | IPS |

Additional Mitigations

One of the targeted vulnerabilities is a Fortinet vulnerability that was resolved more than 18 months ago. We reiterate the urgency, stated previously, of implementing the mitigations outlined in the original advisory FG-IR-18-384 (CVE-2018-13379) and in this blog.

It is critical to have processes in place to monitor for security updates to all of your products and applications, and to take immediate action when such vulnerabilities are announced, particularly for internet-facing services.

To help with this process, Fortinet have moved to a monthly vulnerability notification process, giving customers a day each month to focus on urgent updates. See here for details of how to receive Monthly and Critical Out-of-Cycle updates.

For details of the Fortinet PSIRT Policy, and to report a vulnerability, see the Fortinet PSIRT Policy.