FireEye Breach Requires Immediate Action to Protect Your Organization's Data

F

ireEye recently disclosed a breach of their own systems by a nation state. The breach is presumably the work of Russian state actors and is being investigated by the FBI Russian specialists. The breach resulted in a set of proprietary “Red Team” tools used with FireEye’s Commando VM being stolen. Commando VM is a penetration testing tool purpose-built for exploiting Windows devices. The tool leverages a list of known vulnerabilities to gain network access and identify flaws in FireEye customers’ security.


What This Means for Your Organizational Security

A similar breach occurred in 2016 when the NSA disclosed the theft of a tranche of hacking tools by a yet unidentified organization known as the ShadowBrokers. The tools were used by North Korean and Russian actors in devastating attacks on government agencies, healthcare, and many large firms leading to more than $10 billion in damages. Although the NSA tools were likely more sophisticated than Commando VM, the FireEye breach is practically guaranteed to lead to breaches of other targets in the very near future. The custom tools for Commando VM are now in the wild and organizations must prepare.


FireEye Identifies 16 Vulnerabilities to Patch Now

As part of the disclosure, FireEye identified 16 vulnerabilities commonly used by the stolen version of the Commando VM tool that they recommend organizations prioritize and patch immediately.

The vulnerabilities disclosed cover a broad set of applications and common services found on Windows devices. Notably, there are vulnerabilities dating back as far as 2014 being actively targeted by FireEye’s proprietary tools for Commando VM. FireEye’s disclosure of these vulnerabilities commonly targeted by their internal tools is a huge help to the industry in minimizing the damage from the breach to other organizations.

CVE

Description

CVSS Score

CVE-2019-11510

pre-auth arbitrary file reading from Pulse Secure SSL VPNs

10.0

CVE-2020-1472 

Microsoft Active Directory escalation of privileges

10.0

CVE-2018-13379

pre-auth arbitrary file from Fortinet Fortigate SSL VPN

9.8

CVE-2018-15961

RCE via Adobe ColdFusion

9.8

CVE-2019-0604

RCE for Microsoft Sharepoint

9.8

CVE-2019-0708 

RCE of Windows Remote Desktop Services

9.8

CVE-2019-11580 

Atlassian Crowd Remote Code Execution

9.8

CVE-2019-19781

RCE of Citrix Application Delivery Controller/Citrix Gateway

9.8

CVE-2020-10189 

RCE for ZoHo ManageEngine Desktop Central

9.8

CVE-2014-1812 

Windows Local Privilege Escalation

9.0

CVE-2019-3398 

Confluence Authenticated Remote Code Execution

8.8

CVE-2020-0688 

Remote Command Execution in Microsoft Exchange

8.8

CVE-2016-0167

local privilege escalation on older versions of Windows

7.8

CVE-2017-11774 

RCE in Microsoft Outlook via crafted document (phishing) 

7.8

CVE-2018-8581*

Microsoft Exchange Server escalation of privileges

7.4

CVE-2019-8394

arbitrary pre-auth upload to ManageEngine ServiceDesk 

6.5

*This vulnerability can be addressed with a Worklet found on the Automox Community website here.


How to Reduce Your Exposure

Evaluate and understand your environment. The 16 disclosed target CVEs are an absolute minimum to understand your organization’s exposure to this breach. Identify any endpoints with these vulnerabilities immediately, and begin remediating them to minimize your attack surface and limit exposure to these sophisticated adversaries.

Additionally, ensure that you have full visibility of your environment. If you can’t see it, you can’t address it. According to a Ponemon study:

  • 75% of companies are not keeping up with patching
  • 63% of companies can’t monitor off network endpoints
  • 48% of companies are dissatisfied with their current endpoint solution
  • 21% of companies have no endpoint security solution
  • 61% of companies want automation as part of their endpoint security

Finally, take the time to understand how many missing patches there are in your environment and bring those systems up to date. As the Ponemon study pointed out, three quarters of companies can’t keep up with patching. And nearly two thirds can’t manage remote endpoints. Even for those companies that have patching solutions, nearly half are not happy with the results they’re getting. Quickly patching known vulnerabilities can significantly reduce your attack surface. Despite this, many organizations fail to adequately update systems in a timely manner due to lack of automation or poor visibility.

Automox can automate your patch management, enabling you to take action and not just telling you what you need to do. This removes the time-consuming element of patch management by automating the entire process, from identifying missing patches to downloading and applying them on a schedule you control. This can reduce your time to patch by 90% or more and enable you to focus on other critical activities.



About Automox Automated Patch Management

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, macOS, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.

More posts like this:

VulnerabilityCybersecurity
# of endpoints

15-day free trial. No credit card required.

By submitting this form you agree to our terms of service.

Already have an account?