Background
On Dec 8, 2020, FireEye released a public disclosure that the company had suffered a data breach involving a nation-state actor. More details about this disclosure can be found here and here. The adversary was able to steal several red team tools developed by FireEye during this attack. As part of the disclosure, FireEye also released IOCs and signatures for detecting abuse of these red team tools in the wild. In this coverage advisory, we will provide details about Zscaler’s coverage for these IOCs.
What is the issue?
The red team tools that were stolen as part of this breach were internally developed by FireEye to test its customers' security. These tools exhibit behavior similar to many known cyberthreat actors and do not contain any zero-day exploits or unknown techniques. According to FireEye, these tools use well-known, documented methods that are also used by other red teams, and they do not greatly advance an attacker's overall capabilities. Many of these tools exploit known Remote Code Execution (RCE) vulnerabilities across products commonly found in enterprise networks, such as legacy VPN products and several Microsoft applications. A full list of CVEs can be found here.
Regardless of whether these tools may or may not be abused by an adversary in the future, it is important to ensure detection of any usage of these tools and to minimize the potential damage.
What can you do to protect yourself?
Ensure that your users always have the Zscaler Client Connector running so that their traffic remains covered against these exploits.
We highly recommend ensuring you have the latest security updates installed for the products affected by these CVEs.
It is equally important to have updated security software.
Remote Desktop service access should always be restricted, or it should be turned off if not in use.
As always, avoid opening suspicious emails containing attachments or links that come from any unknown sources.
Disable macros in Microsoft Office applications. Do not enable them unless it is essential to do so.
Enable multi-factor authentication (MFA) across both business and personal email accounts to thwart most credential-harvesting attacks.
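Two of the recommendations above (restricting or disabling Remote Desktop, and disabling Office macros) can be verified on a Windows endpoint from PowerShell. The following audit script is an added example and is not part of the Zscaler advisory or its products. It assumes an Office 2016/2019/365 installation (registry version key "16.0"), reads the current user's hive for macro settings (so it must run as the user whose Office configuration matters), and treats a Group Policy value as overriding the user preference when both exist.

```powershell
# Added example (not from the Zscaler advisory): audits whether Remote Desktop is
# disabled and whether Office macros are disabled on the local Windows host.
# Assumption: Office registry layout under version key 16.0 (Office 2016/2019/365).

function Test-RdpDisabled {
    # fDenyTSConnections = 1 means incoming Remote Desktop connections are refused.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $denied = ($null -ne $ts) -and ($ts.fDenyTSConnections -eq 1)

    # TermService is the Remote Desktop Services service; a Disabled start type means it cannot be started.
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $svcDisabled = ($null -ne $svc) -and ($svc.StartType -eq 'Disabled')

    [pscustomobject]@{
        Check             = 'RemoteDesktop'
        ConnectionsDenied = $denied
        ServiceDisabled   = $svcDisabled
        Compliant         = ($denied -or $svcDisabled)
    }
}

function Test-OfficeMacrosDisabled {
    param(
        [string]$OfficeVersion = '16.0',                        # assumption: Office 2016+ layout
        [string[]]$Apps = @('Word', 'Excel', 'PowerPoint')
    )
    foreach ($app in $Apps) {
        # The policy hive takes precedence over the user's own preference.
        $policyPath = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $userPath   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
        $value  = $null
        $source = 'unset (application default applies)'
        foreach ($path in @($policyPath, $userPath)) {
            $item = Get-ItemProperty -Path $path -Name VBAWarnings -ErrorAction SilentlyContinue
            if ($item) { $value = $item.VBAWarnings; $source = $path; break }
        }
        # VBAWarnings: 1 = enable all macros, 2 = disable with notification (Office default),
        # 3 = disable all except digitally signed, 4 = disable all without notification.
        # Only 3 and 4 count as "macros disabled" for this audit.
        [pscustomobject]@{
            Check       = "OfficeMacros/$app"
            VBAWarnings = $value
            Source      = $source
            Compliant   = ($value -eq 3 -or $value -eq 4)
        }
    }
}

Test-RdpDisabled | Format-Table -AutoSize
Test-OfficeMacrosDisabled | Format-Table -AutoSize
```

A result of Compliant = False on the RemoteDesktop row means the host still accepts RDP connections and the service can start; for the Office rows it means macros are either enabled outright or left at the default "disable with notification", which still lets a user click through. Reading the HKLM Terminal Server key does not require administrative rights, so the script can be run by a standard user to report state, although changing any of these settings does require elevation or Group Policy.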
Zscaler coverage
Zscaler leveraged the details on the countermeasures published by FireEye and validated that protection is already available for the majority of the vulnerabilities listed. Enhanced protection has been added wherever necessary across multiple layers of the Zscaler security platform. Below are the threat names of the existing detections:
Advanced threat protection
Win32.Exploit.CVE-2016-0167
Win32.Exploit.CVE-2017-11774
HTML.Exploit.CVE-2018-13379
HTML.Exploit.CVE-2018-15961
Win32.Exploit.CVE-2019-0604
Win32.Exploit.CVE-2019-0708
HTML.Exploit.CVE-2020-11510
HTML.Exploit.CVE-2020-11580
Linux.Exploit.CVE-2019-19781
HTML.Exploit.CVE-2019-8394
Win32.Exploit.CVE-2020-0688
HTML.Exploit.CVE-2020-10189
Win64.Exploit.CVE-2020-1472
Win32.Exploit.CVE-2020-1472
Win32.Backdoor.GoRAT
VBS.Dropper.DNSExfiltration
Win64.Backdoor.CobaltStrike
Win32.Backdoor.BEACON
Malware protection
Win32.Trojan.Heracles
Win32.Trojan.LodKatz
Win32.Trojan.Razy
Win32.Trojan.Usru
Win32.Downloader.CobaltStrike
The full list of threat names can be seen here.
Details related to these threat signatures can be found in the Zscaler Threat Library.
Advanced Cloud Sandbox
We have ensured that Zscaler Cloud Sandbox flags these red team tools. As always, Cloud Sandbox plays a critical role in blocking any custom variants that may be developed from these stolen tools.
The Zscaler ThreatLabZ team is also actively monitoring abuse attempts involving these red team tools and will ensure coverage for newer IOCs as they are discovered.