Foreign hackers have been using multiple, layered software vulnerabilities to hack into “government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East," as described in this FireEye blog post. This Vulcan Cyber blog post explains how to fix the vulnerabilities targeted by the red team tools used in the FireEye hack, initiated by the SolarWinds Sunburst advanced persistent threat attack campaign.
FireEye has done the needful and specifically disclosed the vulnerabilities that their red team tools were designed to ethically exploit. All of the vulnerabilities targeted in the FireEye hack have been disclosed by their respective vendors and have a CVE assigned. More importantly there are fixes, remedies and patches available for each of them detailed below.
Vulcan Cyber, and the vendors who have previously disclosed these vulnerabilities, strongly encourage all IT security teams to quickly evaluate their risk and exposure to these vulns, prioritize them, and then "get fix done" as soon as possible. A list of these vulnerabilities is provided below with recommended remedies linked to in the free Vulcan Remedy Cloud library. These vulnerabilities are the foundational attack vector in this scenario and fixing them should be the first priority in response to this threat.
And while not considered one of the vulnerabilities targeted in the FireEye hack, all SolarWinds Orion customers should quickly update their tools to protect against this potential backdoor by following the instructions in this SolarWinds Security Advisory.
Please also follow the FireEye red team tool countermeasures provided in this blog post and in this FireEye GitHub repo.
A list of CVEs targeted by the FireEye Red Team tools, a brief description of each, its CVSS score, and remedies in Remedy Cloud:
- CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs - CVSS 10 - https://www.remedy-cloud.com/cve/CVE-2019-11510
- CVE-2020-1472 – Microsoft Active Directory escalation of privileges - CVSS 10 - https://www.remedy-cloud.com/cve/CVE-2020-1472
- CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN - CVSS 9.8 - https://www.remedy-cloud.com/cve/CVE-2018-13379
- CVE-2018-15961 – RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) - CVSS 9.8 - https://www.remedy-cloud.com/cve/CVE-2018-15961
- CVE-2019-0604 – RCE for Microsoft Sharepoint - CVSS 9.8 - https://www.remedy-cloud.com/cve/CVE-2019-0604
- CVE-2019-0708 – RCE of Windows Remote Desktop Services (RDS) - CVSS 9.8 - https://www.remedy-cloud.com/cve/CVE-2019-0708
- CVE-2019-11580 - Atlassian Crowd Remote Code Execution - CVSS 9.8 - https://www.remedy-cloud.com/cve/CVE-2019-11580
- CVE-2019-19781 – RCE of Citrix Application Delivery Controller and Citrix Gateway - CVSS 9.8 - https://www.remedy-cloud.com/cve/CVE-2019-19781
- CVE-2020-10189 – RCE for ZoHo ManageEngine Desktop Central - CVSS 9.8 - https://www.remedy-cloud.com/cve/CVE-2020-10189
- CVE-2014-1812 – Windows Local Privilege Escalation - CVSS 9.0 - https://www.remedy-cloud.com/cve/CVE-2014-1812
- CVE-2019-3398 – Confluence Authenticated Remote Code Execution - CVSS 8.8 - https://www.remedy-cloud.com/cve/CVE-2019-3398
- CVE-2020-0688 – Remote Command Execution in Microsoft Exchange - CVSS 8.8 - https://www.remedy-cloud.com/cve/CVE-2020-0688
- CVE-2016-0167 – local privilege escalation on older versions of Microsoft Windows - CVSS 7.8 - https://www.remedy-cloud.com/cve/CVE-2016-0167
- CVE-2017-11774 – RCE in Microsoft Outlook via crafted document execution (phishing) - CVSS 7.8 - https://www.remedy-cloud.com/cve/CVE-2017-11774
- CVE-2018-8581 - Microsoft Exchange Server escalation of privileges - CVSS 7.4 - https://www.remedy-cloud.com/cve/CVE-2018-8581
- CVE-2019-8394 – arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus - CVSS 6.5 - https://www.remedy-cloud.com/cve/CVE-2019-8394
As with most security threats, there are ways to protect your business from the hackers and the bad actors but it takes work and diligence. Vulcan Cyber and FireEye both make tools used by IT security teams to proactively protect digital business from a long list of vulnerabilities and exploits.
Vulcan Cyber makes vulnerability remediation orchestration tools that help teams fix, patch and remedy known vulnerabilities. FireEye makes tools used by corporate red teams, or ethical hackers, to simulate attacks on a company's people, networks, applications in an effort to measure how well the company can protect itself and withstand an attack from a real-life hacker with bad intentions. If these red team tools got into the hands of actual hackers it could be a bad situation for companies who have yet to remediate the vulnerabilities that can be exploited using the red team tools.
If your company has diligently stayed on top of high-priority vulnerabilities and you remediate known issues in a timely manner, then you probably have nothing to worry about. But a mature vulnerability remediation program is the exception rather than the rule and most companies fall short in their efforts to patch and secure even the most severe vulnerabilities.
Please consider using Remedy Cloud as a free service to help you and your team efficiently identify and fix these 16 vulnerabilities targeted in the SolarWinds and FireEye hack.