PSIRT Blogs

FireEye Red Team Tool Breach

By Carl Windsor | December 11, 2020

Executive Summary

On December 8th cyber security vendor FireEye reported a breach of their network and data exfiltration which included their internally developed Red Team tools. FireEye took the step of publishing details of these tools in a GitHub repository to allow other vendors to protect against their use by potential adversaries.

This breach has been attributed to a nation state threat actor so we do not expect to see these tools be widely abused in the wild, however with the additional information provided by FireEye, Fortinet have been able to ensure that these tools cannot be abused.  

Threat Mitigation

None of the vulnerabilities disclosed as targeted in the tools were zero days, therefore FortiGuard Labs had existing coverage in place for the following CVEs at the time of notification:

CVE

Description

Sig ID

Coverage

CVE-2019-11510

pre-auth arbitrary file reading from Pulse Secure SSL VPNs

48342

IPS

CVE-2020-1472

Microsoft Active Directory escalation of privileges

49499

IPS

CVE-2018-13379 

pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN

48321

IPS

CVE-2018-15961 

RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) 


47129

IPS

CVE-2019-0604

RCE for Microsoft Sharepoint

47918

IPS

CVE-2019-0708

RCE of Windows Remote Desktop Services (RDS)

47968

IPS

CVE-2019-11580

Atlassian Crowd Remote Code Execution

48192

IPS

CVE-2019-19781

RCE of Citrix Application Delivery Controller and Citrix Gateway

48653

IPS

CVE-2020-10189

RCE for ZoHo ManageEngine Desktop Central

48794

IPS

CVE-2014-1812

Windows Local Privilege Escalation

23982

FortiClient

CVE-2019-3398 

Confluence Authenticated Remote Code Execution

47983

IPS

CVE-2020-0688 

Remote Command Execution in Microsoft Exchange

48765

IPS

CVE-2016-0167

local privilege escalation on older versions of Microsoft Windows

42285

IPS

CVE-2017-11774

RCE in Microsoft Outlook via crafted document execution (phishing)

48144

IPS

CVE-2018-8581

Microsoft Exchange Server escalation of privileges

47347

IPS

CVE-2019-8394

arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus

48988

IPS

Additional Mitigations

One of these targeted vulnerabilities includes a Fortinet vulnerability resolved more than 18 month ago. We are reiterating the urgency given previously to implement the mitigations outlined in the original advisory FG-IR-18-384/CVE-2018-13379 and in this blog.

It is critical to have processes in place to monitor for security updates to all of your products and applications, and to take immediate action when such vulnerabilities are announced, particularly for internet facing services.  

To help this process, Fortinet have moved to a monthly vulnerability notification process giving customers a day each month to focus on urgent updates.   See here for details of how to receive Monthly and Critical Out of Cycle updates.

For details of the Fortinet PSIRT Policy and to report a vulnerability see the Fortinet PSIRT Policy.

Tags: