On December 8, FireEye, a top US security company, issued a notice stating that its internal network had been breached by a “country with first-class cyber attack capabilities”. As a result of this attack, FireEye’s red team security tools were stolen.
What sets this attack apart from past ones is that after breaching FireEye, the attacker did not carry out routine operations such as extortion or data leakage, but went straight for the security toolkit. Such an attack has a far more serious impact: the damage extends to FireEye’s customers and downstream vendors, which already places it within the scope of a supply chain attack.
Here we boldly speculate that FireEye’s security incident may have already affected its customers or downstream parties. The whole incident may have unfolded like this: a FireEye customer first discovered that it had been attacked with FireEye’s own tools and suspected that the tools had been leaked; it then reported this back to FireEye, which urgently investigated and responded, and finally published defensive countermeasures (including firewall rules).
Knownsec 404 Lab followed up on this security incident promptly and analyzed some of the vulnerabilities covered by the FireEye red team toolkit, as follows:
Vulnerability name: Microsoft Windows Group Policy Preference Password Elevation of Privilege Vulnerability
CVE Number: CVE-2014-1812
Vulnerability description: An elevation of privilege vulnerability exists in the way Windows Active Directory distributes passwords configured through Group Policy Preferences. An authenticated attacker could use this vulnerability to decrypt those passwords and use them to elevate privileges in the domain. Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 are affected.
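As an added example (not part of the original analysis and not code from the FireEye toolkit), the check a defender runs for CVE-2014-1812: scan the Group Policy Preference XML files under SYSVOL for any cpassword attribute. The AES-256 key that encrypts cpassword was published by Microsoft in the MS-GPPREF specification, so every hit is effectively a plaintext credential. The sample Groups.xml below is constructed; the optional decrypt helper assumes the third-party cryptography package is installed.

```python
import base64
import os
import xml.etree.ElementTree as ET

# GPP preference files that may carry a "cpassword" attribute, found under
# SYSVOL\<domain>\Policies\<GUID>\{Machine,User}\Preferences\<area>\.
GPP_FILES = ("Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml")

# AES-256 key published by Microsoft in MS-GPPREF (2.2.1.1.4 "Password
# Encryption"); the IV is all zeros, the plaintext is UTF-16LE with PKCS#7.
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")

# Constructed sample Groups.xml (not a real SYSVOL file); the cpassword value
# is a placeholder, not a real encrypted blob.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="localadmin"
        image="2" changed="2014-03-01 10:22:14" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_BASE64_BLOB" changeLogon="0" noChange="1"
                neverExpires="1" acctDisabled="0" userName="localadmin"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="helpdesk"
        image="2" changed="2014-03-01 10:25:00" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" userName="helpdesk"/>
  </User>
</Groups>
"""

# Attribute that names the account in each GPP file type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

def find_cpasswords(xml_text, source="<memory>"):
    """Return (source, tag, account, cpassword) for every element that
    carries a non-empty cpassword attribute in one GPP XML document."""
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        cp = elem.get("cpassword")
        if not cp:
            continue
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "?")
        hits.append((source, elem.tag, account, cp))
    return hits

def scan_sysvol(sysvol_root):
    """Walk a SYSVOL share (or an offline copy) and collect cpassword entries."""
    hits = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for fn in files:
            if fn not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    hits.extend(find_cpasswords(fh.read(), path))
            except (ET.ParseError, OSError):
                continue
    return hits

def decrypt_cpassword(cpassword):
    """Decrypt a cpassword blob with the public key. Requires the third-party
    'cryptography' package (assumption); imported lazily so that scanning
    works without it."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    # GPP strips base64 padding; restore it before decoding.
    blob = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    dec = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(bytes(16))).decryptor()
    padded = dec.update(blob) + dec.finalize()
    return padded[:-padded[-1]].decode("utf-16-le")

if __name__ == "__main__":
    for hit in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        print("cpassword present:", hit)
```

Run scan_sysvol against a mounted \\<domain>\SYSVOL path; any result means the credential must be rotated and the preference item removed, because patching (MS14-025) only stops new cpassword entries from being written and leaves existing ones in place.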
Vulnerability name: Windows RDP remote code execution high-risk vulnerability (BlueKeep)
CVE Number: CVE-2019-0708
Vulnerability description: BlueKeep (CVE-2019-0708) is a high-risk, pre-authentication remote code execution vulnerability in Microsoft’s Remote Desktop Protocol (RDP): a crafted RDP connection triggers it with no user interaction. A Metasploit exploit module for this vulnerability has already been published.
Vulnerability name: Microsoft Outlook security function bypass vulnerability
CVE Number: CVE-2017-11774
Vulnerability description: A security feature bypass vulnerability exists when Microsoft Outlook improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary commands. In a file-sharing attack scenario, the attacker could provide a specially crafted document file designed to exploit this vulnerability, then convince the user to open the document and interact with it.
Note: This vulnerability can be used in phishing attacks.
Vulnerability name: Adobe ColdFusion file upload leads to arbitrary code execution
CVE number: CVE-2018-15961
Vulnerability description: This is an arbitrary file upload vulnerability. Attackers can upload JSP files to achieve code execution.
Vulnerability name: Citrix Application Delivery Controller and Citrix Gateway remote code execution vulnerability
CVE Number: CVE-2019-19781
Vulnerability description: This vulnerability allows an unauthenticated remote attacker to send simple directory traversal requests, read sensitive information from system configuration files, and ultimately execute arbitrary code remotely.
Vulnerability name: Confluence path traversal vulnerability
CVE number: CVE-2019-3398
Vulnerability description: Confluence Server and Data Center have a path traversal vulnerability in the downloadallattachments resource. An attacker with any of the following permissions can upload files to any directory on the server and achieve remote code execution:
- Add attachments to pages or blogs
- Able to create new space (space)
- Have Admin permission for a space
Vulnerability name: Atlassian Crowd unauthenticated file upload vulnerability
CVE Number: CVE-2019-11580
Vulnerability description: The vulnerability is caused by the Crowd pdkinstall plugin accepting unauthenticated uploads. An attacker can upload a malicious plugin and execute commands through it.
Vulnerability name: Fortigate SSL VPN unauthenticated RCE and other vulnerabilities
CVE Number: CVE-2018-13379
Vulnerability description: At Black Hat USA 2019, Orange Tsai and Meh Chang of DEVCORE disclosed multiple vulnerabilities in Fortinet’s SSL VPN, including CVE-2018-13379. An unauthenticated attacker can use this vulnerability to read arbitrary files, including the session file that holds the plaintext credentials of logged-in VPN users.
Vulnerability name: Microsoft Exchange Server remote command execution vulnerability
CVE Number: CVE-2020-0688
Vulnerability description: Because every Exchange installation ships with the same static validationKey and decryptionKey for the Exchange Control Panel, an attacker who can log in can forge validly signed, malicious serialized ViewState data and make the server deserialize it, exploiting .NET deserialization to execute arbitrary .NET code in the Exchange Control Panel web application.
Vulnerability name: Pulse Secure SSL VPN unauthenticated arbitrary file read vulnerability
CVE Number: CVE-2019-11510
Vulnerability description: At Black Hat USA 2019, Orange Tsai and Meh Chang of DEVCORE disclosed multiple SSL VPN vulnerabilities, including several in Pulse Secure. CVE-2019-11510 is an unauthenticated arbitrary file read vulnerability.
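The three appliance bugs above (Citrix CVE-2019-19781, FortiOS CVE-2018-13379 and Pulse Secure CVE-2019-11510) share a shape: an unauthenticated request whose path walks out of an allowed directory with "..". As an added example, not part of the original analysis, the detection a SOC would run over the appliance’s web access logs, keyed on the request paths used by the public proofs of concept for each CVE. The log lines are constructed in Apache combined format (an assumption about the log shape); the request-path patterns are the ones the public exploits use.

```python
import re
from urllib.parse import unquote

# Apache/NGINX "combined" format; only the client, request line and status
# are extracted, which is enough for appliance front-end logs that follow it.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Request-path signatures for the three pre-auth traversal bugs. Each pattern
# is applied to the raw target AND its percent-decoded form, because the bugs
# hinge on the appliance failing to normalise ".." before routing.
RULES = [
    ("CVE-2019-19781", "Citrix ADC/Gateway traversal from /vpn/ into /vpns/",
     re.compile(r"/vpn/\.\./vpns/|/vpns/portal/scripts/newbm\.pl", re.I)),
    ("CVE-2018-13379", "FortiOS SSL VPN fgt_lang arbitrary file read",
     re.compile(r"/remote/fgt_lang\?lang=.*(\.\./|/dev/cmdb/sslvpn_websession)", re.I)),
    ("CVE-2019-11510", "Pulse Secure HTML5 guacamole traversal",
     re.compile(r"/dana/html5acc/guacamole/.*\.\./", re.I)),
]

# Constructed sample log (not from any real appliance): two benign requests,
# four exploit attempts, one of them percent-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2020:03:14:07 +0000] "GET /vpn/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2020:03:14:09 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 1427 "-" "curl/7.64.0"',
    '198.51.100.23 - - [10/Jan/2020:03:20:41 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 81920 "-" "python-requests/2.22.0"',
    '198.51.100.77 - - [10/Jan/2020:03:22:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 2201 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [10/Jan/2020:03:22:05 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1732 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Jan/2020:03:30:00 +0000] "GET /vpn/%2E%2E/vpns/cfg/smb.conf HTTP/1.1" 200 512 "-" "Go-http-client/1.1"',
]

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in the
    expected format (so a stray line never aborts the whole scan)."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(lines):
    """Return one finding per matching request as
    (cve, client, method, raw_target, status). A 200 status on a traversal
    path is the strongest signal: the appliance served the file."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        candidates = (rec["target"], unquote(rec["target"]))
        for cve, _desc, pattern in RULES:
            if any(pattern.search(c) for c in candidates):
                findings.append((cve, rec["client"], rec["method"],
                                 rec["target"], int(rec["status"])))
                break
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Matching on the raw and decoded target in parallel matters: an attacker who percent-encodes the dots defeats a rule that only inspects the raw line, while a rule that only inspects the decoded form misses nothing here but would if the log itself were already normalised. The status code is kept so analysts can separate successful reads (200) from blocked attempts.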
Vulnerability name: Microsoft SharePoint remote code execution vulnerability
CVE Number: CVE-2019-0604
Vulnerability description: This vulnerability allows remote command execution on the Windows server hosting SharePoint, which may lead to full control of the server. The attacker passes a carefully constructed request through the ItemPickerWebForm control into the back-end EntityInstanceIdEncoder.DecodeEntityInstanceId(encodedId) method. Because that method performs no validation on the encodedId it receives and places no restriction on the type parameter passed to the XmlSerializer constructor, the attacker-controlled data is deserialized directly through XmlSerializer, resulting in command execution.
Vulnerability name: Zoho ManageEngine Desktop Central remote code execution vulnerability
CVE Number: CVE-2020-10189
Vulnerability description: Zoho ManageEngine Desktop Central deserializes untrusted data in the getChartImage function of the FileStorage class, leading to unauthenticated remote code execution.
Vulnerability name: Zoho ManageEngine ServiceDesk Plus arbitrary file upload vulnerability
CVE Number: CVE-2019-8394
Vulnerability description: Zoho ManageEngine ServiceDesk Plus before version 10.0 build 10012 has an arbitrary file upload vulnerability. Attackers can upload JSP files to achieve code execution.
Vulnerability name: Windows Netlogon remote protocol privilege escalation vulnerability
CVE Number: CVE-2020-1472
Vulnerability description: On September 11, 2020, a month after Microsoft released the patch, researchers at Secura published a blog post titled “Zerologon: instantly become domain admin by subverting Netlogon cryptography”, accompanied by a white paper detailing the exploitation process for CVE-2020-1472. The root cause is that the Netlogon credential is computed with AES-CFB8 under an all-zero IV, so for one session key in 256 an all-zero client challenge yields an all-zero credential, and the attacker simply retries until it does. Using this vulnerability, an unauthenticated attacker can connect to a domain controller through the Netlogon Remote Protocol (MS-NRPC) and obtain domain administrator rights.
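As an added example, not code from the original analysis or from Secura, the cryptographic flaw behind Zerologon reduced to runnable form: Netlogon computes the credential with CFB8 under an all-zero IV, so whenever the first byte of E_k(0) is zero (one key in 256) an all-zero challenge produces an all-zero credential. To run without an AES library the block substitutes a SHA-256-based toy block function for AES-128 (an assumption, marked in the code); the CFB8 property being demonstrated does not depend on which block cipher is plugged in. All keys and challenge values are constructed.

```python
import hashlib
import random

BLOCK = 16  # AES block size; the stand-in cipher keeps the same block size

def toy_block_encrypt(key, block):
    """Stand-in for AES-128 (ASSUMPTION, not the real cipher): a keyed
    pseudo-random function built from SHA-256 and truncated to one block.
    Only the CFB8 structure matters for the flaw, not the primitive inside."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb8_encrypt(key, iv, plaintext, block_encrypt=toy_block_encrypt):
    """CFB with an 8-bit feedback width: for each plaintext byte, encrypt the
    16-byte shift register, XOR its first byte into the plaintext byte, then
    shift the resulting ciphertext byte into the register."""
    shift = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(shift))[0]
        c = p ^ keystream_byte
        out.append(c)
        shift = shift[1:] + bytes([c])
    return bytes(out)

def compute_netlogon_credential(session_key, challenge):
    """AES-flavoured ComputeNetlogonCredential (MS-NRPC 3.1.4.4.1): CFB8 over
    the 8-byte challenge with the IV fixed to sixteen zero bytes."""
    return cfb8_encrypt(session_key, bytes(BLOCK), challenge)

def is_weak_key(session_key, block_encrypt=toy_block_encrypt):
    """Zerologon condition: E_k(0^16)[0] == 0. With a zero IV and an all-zero
    challenge the shift register then never leaves the all-zero state, so
    every keystream byte is 0 and the credential is eight zero bytes."""
    return block_encrypt(session_key, bytes(BLOCK))[0] == 0

def find_weak_key(limit=100_000):
    """Return the first constructed key (a big-endian counter) that satisfies
    the condition; roughly one key in 256 does."""
    for i in range(limit):
        key = i.to_bytes(BLOCK, "big")
        if is_weak_key(key):
            return key
    raise RuntimeError("no weak key found in range")

def simulate_attack(attempts=4096, seed=1):
    """Attacker repeatedly sends an all-zero client challenge and guesses an
    all-zero client credential; the server derives a fresh session key each
    time (modelled as random, since the server challenge is random and the
    machine password is unknown). Returns how many attempts the server would
    accept; the expected value is attempts / 256."""
    rng = random.Random(seed)
    accepted = 0
    for _ in range(attempts):
        session_key = rng.getrandbits(8 * BLOCK).to_bytes(BLOCK, "big")
        if compute_netlogon_credential(session_key, bytes(8)) == bytes(8):
            accepted += 1
    return accepted

if __name__ == "__main__":
    weak = find_weak_key()
    print("weak key:", weak.hex())
    print("credential for zero challenge:",
          compute_netlogon_credential(weak, bytes(8)).hex())
    print("accepted attempts out of 4096:", simulate_attack())
```

The defence follows directly from the structure: the patch makes the domain controller refuse the unsigned, unsealed Netlogon channel that lets an attacker keep retrying, and a detection rule looks for bursts of NetrServerReqChallenge/NetrServerAuthenticate3 calls from one source in a short window, since the attack needs on average 256 attempts.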
Vulnerability name: Microsoft Exchange Server Elevation of Privilege Vulnerability
CVE Number: CVE-2018-8581
Vulnerability description: An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited it could impersonate any other user of the Exchange server. Starting from the password of an ordinary mailbox account, the attacker can grant themselves delegated access to the inbox of any other user (including domain administrators) and take it over.
Note: This is a mailbox-level lateral movement and privilege escalation vulnerability.