FireEye recently disclosed a breach of their own systems by a nation state. The breach is presumably the work of Russian state actors and is being investigated by the FBI Russian specialists. The breach resulted in a set of proprietary “Red Team” tools used with FireEye’s Commando VM being stolen. Commando VM is a penetration testing tool purpose-built for exploiting Windows devices. The tool leverages a list of known vulnerabilities to gain network access and identify flaws in FireEye customers’ security.
What This Means for Your Organizational Security
A similar breach occurred in 2016 when the NSA disclosed the theft of a tranche of hacking tools by a yet unidentified organization known as the ShadowBrokers. The tools were used by North Korean and Russian actors in devastating attacks on government agencies, healthcare, and many large firms leading to more than $10 billion in damages. Although the NSA tools were likely more sophisticated than Commando VM, the FireEye breach is practically guaranteed to lead to breaches of other targets in the very near future. The custom tools for Commando VM are now in the wild and organizations must prepare.
FireEye Identifies 16 Vulnerabilities to Patch Now
As part of the disclosure, FireEye identified 16 vulnerabilities commonly used by the stolen version of the Commando VM tool that they recommend organizations prioritize and patch immediately.
The vulnerabilities disclosed cover a broad set of applications and common services found on Windows devices. Notably, there are vulnerabilities dating back as far as 2014 being actively targeted by FireEye’s proprietary tools for Commando VM. FireEye’s disclosure of these vulnerabilities commonly targeted by their internal tools is a huge help to the industry in minimizing the damage from the breach to other organizations.
|
CVE |
Description |
CVSS Score |
|
CVE-2019-11510 |
pre-auth arbitrary file reading from Pulse Secure SSL VPNs |
10.0 |
|
CVE-2020-1472 |
Microsoft Active Directory escalation of privileges |
10.0 |
|
CVE-2018-13379 |
pre-auth arbitrary file from Fortinet Fortigate SSL VPN |
9.8 |
|
CVE-2018-15961 |
RCE via Adobe ColdFusion |
9.8 |
|
CVE-2019-0604 |
RCE for Microsoft Sharepoint |
9.8 |
|
CVE-2019-0708 |
RCE of Windows Remote Desktop Services |
9.8 |
|
CVE-2019-11580 |
Atlassian Crowd Remote Code Execution |
9.8 |
|
CVE-2019-19781 |
RCE of Citrix Application Delivery Controller/Citrix Gateway |
9.8 |
|
CVE-2020-10189 |
RCE for ZoHo ManageEngine Desktop Central |
9.8 |
|
CVE-2014-1812 |
Windows Local Privilege Escalation |
9.0 |
|
CVE-2019-3398 |
Confluence Authenticated Remote Code Execution |
8.8 |
|
CVE-2020-0688 |
Remote Command Execution in Microsoft Exchange |
8.8 |
|
CVE-2016-0167 |
local privilege escalation on older versions of Windows |
7.8 |
|
CVE-2017-11774 |
RCE in Microsoft Outlook via crafted document (phishing) |
7.8 |
|
Microsoft Exchange Server escalation of privileges |
7.4 |
|
|
CVE-2019-8394 |
arbitrary pre-auth upload to ManageEngine ServiceDesk |
6.5 |
*This vulnerability can be addressed with a Worklet found on the Automox Community website here.
How to Reduce Your Exposure
Evaluate and understand your environment. The 16 disclosed target CVEs are an absolute minimum to understand your organization’s exposure to this breach. Identify any endpoints with these vulnerabilities immediately, and begin remediating them to minimize your attack surface and limit exposure to these sophisticated adversaries.
Additionally, ensure that you have full visibility of your environment. If you can’t see it, you can’t address it. According to a Ponemon study:
- 75% of companies are not keeping up with patching
- 63% of companies can’t monitor off network endpoints
- 48% of companies are dissatisfied with their current endpoint solution
- 21% of companies have no endpoint security solution
- 61% of companies want automation as part of their endpoint security
Finally, take the time to understand how many missing patches there are in your environment and bring those systems up to date. As the Ponemon study pointed out, three quarters of companies can’t keep up with patching. And nearly two thirds can’t manage remote endpoints. Even for those companies that have patching solutions, nearly half are not happy with the results they’re getting. Quickly patching known vulnerabilities can significantly reduce your attack surface. Despite this, many organizations fail to adequately update systems in a timely manner due to lack of automation or poor visibility.
Automox can automate your patch management, enabling you to take action and not just telling you what you need to do. This removes the time-consuming element of patch management by automating the entire process, from identifying missing patches to downloading and applying them on a schedule you control. This can reduce your time to patch by 90% or more and enable you to focus on other critical activities.
About Automox Automated Patch Management
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, macOS, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.
