The cybersecurity world was alerted yesterday to the news that FireEye, a well-known firm that helps organizations with cyber security and incident response, has been hacked and that tools they’ve developed were stolen. By drawing comparisons to the April 2017 public release of the NSA’s Eternal Blue exploit tools, initial reporting implied that the tools, now in the hands of the bad guys, may lower the barrier to attacks and present new risks.

In reality, there are some key differences between this situation and the NSA hack that are worth noting. To help cut through the noise, here are three quick takeaways for any organization or cyber insurance broker trying to make quick sense of the story: 

1. Take a breath and count to ten. This is not the NSA 2.0. 

The tools that were taken from FireEye were “red team tools” used to approach clients’ systems adversarially, simulating how sophisticated bad actors would plan and execute an attack based on vulnerable software or configurations of that clients’ environment. Such tools being in the hands of the wrong people sounds scary. However, these are not purpose-built, novel digital weapons like the ones the NSA develops. FireEye’s “arsenal” would have been developed through years of observing the tools, tactics and protocols used by bad actors against FireEye’s clients. True, FireEye may have unique and sophisticated versions of these tools that were in some way different from what was known more widely already, but nothing revealed has been totally groundbreaking.

2. FireEye probably wasn’t surprised 

Given the firm’s quick and comprehensive response, FireEye was clearly prepared for this eventuality — evidence of a “not if, but when” attitude. Since FireEye has made a name for itself by tracking down and outing the actors behind major hacks and helping clients protect themselves, it makes sense that they saw themselves as a major target. FireEye released a detailed listing of their tools and targeted vulnerabilities on Github to allow any security team to examine its own systems and ensure they are protected. (See below for a list of CVEs that should be prioritized as a result of the hack).  

3. Cybersecurity hygiene is the real story

The details the firm released about its tools prove one thing above all: regular lifecycle and vulnerability management is important. The list of critical CVEs with the most potential impact from the tools being used by bad actors (below) looks extensive, but any company that has good cyber hygiene should have patched or otherwise remediated these risks already. Some of them have been identified for over six years; there are no new “zero day” vulnerabilities described (risks that are identified but for which the vendor has not created a patch or other temporary remediation). Rather than a completely new and dangerous set of risks for organizations to worry about, this is a matter of refocusing on the fundamentals of vulnerability management, patch management and general vigilance.  

What to do now

The biggest story of this episode may end up being about FireEye itself: their “secret sauce” has been exposed and their reputation and revenue threatened. How the firm proceeds will be an interesting case study. But that’s for later rumination. Right now, the takeaway for any organization is this: take a breath, check against the vulnerabilities that FireEye identifies, and consider improving your vulnerability management, patching and software lifecycle management if there are any gaps revealed by the exercise. 

Prioritized list of CVEs that should be addressed to limit the effectiveness of the Red Team tools

This is a recommended order and customers may make their own priorities based on their unique environments. If you are a Corvus policyholder or have a client with a Corvus policy and need additional assistance, contact services@corvusinsurance.com to schedule a call with our CISO.

1. CVE-2019-11510 – Pulse Secure VPN – pre-auth arbitrary file reading from Pulse Secure SSL VPNs – CVSS 10.0

2. CVE-2020-1472 – Microsoft Active Directory escalation of privileges – CVSS 10.0

3. CVE-2018-13379 – FortiGate SSL VPN – pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN – CVSS 9.8

4. CVE-2018-15961 – RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) – CVSS 9.8

5. CVE-2019-0604 – RCE for Microsoft Sharepoint – CVSS 9.8

6. CVE-2019-0708 – BlueKeep – RCE of Windows Remote Desktop Services (RDS) – CVSS 9.8

7. CVE-2019-11580 – Atlassian Crowd Remote Code Execution – CVSS 9.8

8. CVE-2019-19781 – Citrix NetScaler – RCE of Citrix Application Delivery Controller and Citrix Gateway – CVSS 9.8

9. CVE-2020-10189 – RCE for ZoHo ManageEngine Desktop Central – CVSS 9.8

10. CVE-2014-1812 – Windows Local Privilege Escalation – CVSS 9.0

11. CVE-2019-3398 – Confluence Authenticated Remote Code Execution – CVSS 8.8

12. CVE-2020-0688 – Remote Command Execution in Microsoft Exchange – CVSS 8.8

13. CVE-2016-0167 – local privilege escalation on older versions of Microsoft Windows – CVSS 7.8

14. CVE-2017-11774 – RCE in Microsoft Outlook via crafted document execution (phishing) – CVSS 7.8

15. CVE-2018-8581 – Microsoft Exchange Server escalation of privileges – CVSS 7.4

16. CVE-2019-8394 – arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus – CVSS 6.5