FireEye breach: State-sponsored attackers stole hacking tools

U.S. cybersecurity company FireEye has suffered a breach, and the attackers made off with the company’s RedTeam tools, FireEye CEO Kevin Mandia has disclosed on Tuesday.

FireEye breach

Who’s behind the FireEye breach?

“This attack is different from the tens of thousands of incidents we have responded to throughout the years,” Mandia shared.

“The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”

The attackers’ discipline, operational security, and techniques point to it being a state-sponsored attack, thought Mandia refrained from saying or speculating about which nation-state might be behind it. (According to The New York Times, the lead suspects at this moment are Russian hackers.)

The attackers accessed and stole FireEye’s Red Team tools, which the company uses to probe other organizations’ security posture to help them improve it.

“The stolen tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit. Many of the Red Team tools have already been released to the community and are already distributed in our open-source virtual machine, CommandoVM,” the company shared.

“Some of the tools are publicly available tools modified to evade basic security detection mechanisms. Other tools and frameworks were developed in-house for our Red Team.”

The attackers did not want just the tools – they also went after information related to FireEye’s government customers. But while they were able to access some of the company’s systems, Mandia said that they have seen no evidence of successful exfiltration of data related to incident response and consulting engagements or metadata collected by their products.

What now?

Microsoft and the FBI have been called in to help with the investigation of the FireEye breach.

They say that there is no indication that the attackers have started using the stolen tools or have leaked them.

Nevertheless, the company has created countermeasures – Snort, Yara, ClamAV rules – for detecting and/or blocking their use, shared them publicly for everyone to use, and implemented them into their own security products. They’ve also compiled a list of vulnerabilities that the tools take advantage of (none of them are “zero-days”).

What impact the breach will have on the company long-term remains to be seen. For the time being, its shares dropped 8% and they have a set of Red Team tools that can be easily foiled. Though this type of tool arsenal is continually expanded and modified, it will likely take them a while to “sharpen” it again.

Finally, though they are not the first cybersecurity company to have been breached, their reputation might suffer a hit, particularly because they are in the business of helping other organizations keep safe from cyber attackers.

The attackers, on the other hand, can consider this sortie a success: they’ve grabbed tools that they can use when they don’t want to “burn” the tools they’ve create themselves or make it obvious they are behind an attack, and they might have unearthed information that may aid in their future efforts.

Cyber defenders are now left waiting for more details about the “novel combination of techniques” used in the attack.

How attackers target and exploit Microsoft Exchange servers

Microsoft Exchange servers are an ideal target for attackers looking to burrow into enterprise networks, says Microsoft, as “they provide a unique environment that could allow attackers to perform various tasks using the same built-in tools or scripts that admins use for maintenance.”

And while they are not the initial entrance point in the majority of cases, the company has witnessed lately a rise in attacks aimed at compromising Exchange servers by exploiting an unpatched flaw – more specifically CVE-2020-0688, a patch for which was released in February 2020.

While the attackers need to have compromised, valid email credentials to access the server before attempting to exploit the flaw, they are obviously succeeding in getting their hands on them. (Kevin Beaumont explained why that’s not much of a problem.)

“This is an attacker’s dream: directly landing on a server and, if the server has misconfigured access levels, gain system privileges,” the Microsoft Defender ATP Research Team noted. And, unfortunately, there are still too many internet-facing, unpatched Exchange servers out there.

The attack chain

According to Microsoft, April was the month when multiple campaigns began to target Exchange servers.

target Microsoft Exchange servers

After gaining access, the attackers proceeded to install web shells to allow them to control the server remotely, and then started exploring its environment for info on domain users and groups, other Exchange servers in the network, and mailboxes, as well as scanning for vulnerable machines on the network.

They achieved persistence on the compromised Exchange server by adding new user accounts and elevating their privileges, then proceeded extract credentials from the Security Account Manager (SAM) database, the Local Security Authority Subsystem Service (LSASS) memory, and the Domain Controler.

They used WMI (Windows Management Instrumentation) and PsExec (a Microsoft tool for running processes remotely) to achieve lateral movement, exported mailboxes via Exchange Management Shell commands, created a network architecture that would allow them to bypass network restrictions and remotely access machines through Remote Desktop Protocol (RDP) and, finally, they compressed the data and put it in a web-accessible path for easy pickup.

Mitigation and prevention

“As these attacks show, Exchange servers are high-value targets. These attacks also tend to be advanced threats with highly evasive, fileless techniques,” the team noted.

The attackers are also trying to disable security tools like Microsoft Defender Antivirus, archive scanning and automatic updates to increase their stealth.

Aside from doing the best possible thing – implement the latest security updates as soon as they become available – admins are advised to:

  • Audit MS Exchange servers regularly for vulnerabilities, misconfigurations, and suspicious activity
  • Regularly review highly privileged groups and the list of users in sensitive roles for anomaliers (e.g., suspicious additions)
  • Practice the principle of least-privilege, maintain credential hygiene, and enable multi-factor authentication.

Microsoft naturally also touts its Microsoft Defender Advanced Threat Protection security platform as a means to add protection to Exchange servers, automatically block behaviors like credential theft and suspicious use of PsExec and WMI, prevent attackers from tampering with security services, and to prioritize alerts so that attacks are spotted before they can do much damage.

Money is still the root of most breaches

Verizon has released its annual Data Breach Investigations Report (DBIR), which offers an overview of the cyber security incidents and data breaches that happened in/were discovered in the past year.

Based on an analysis of incident and breach reports by 81 contributing organizations – companies, CERTs, law enforcement agencies and cybercrime units, etc. – from around the world, the DBIR offers insight into current cyber attack trends and the threats organizations in various industry verticals and parts of the world face.

2019 cyber attack trends: the “WHO”

The researchers analyzed 32,002 security incidents that resulted in the compromise of an information asset. Of those, 3,950 were data breaches, i.e., incidents that resulted in the confirmed disclosure of data to an unauthorized party.

The report is massive, so we’ll highlight some interesting tidbits and findings:

  • 70% of breaches perpetrated by external actors (except in the healthcare vertical, where it’s 51% external, 48% internal)
  • 86% of breaches were financially motivated
  • Organized criminal groups were behind 55% of breaches
  • 72% of breaches involved large business victims

2019 cyber attack trends

“This year’s DBIR has once again highlighted the principal motive for the vast majority of malicious data breaches: the pursuit of profit. This is surprising to some, given the extensive media coverage of national security-related breaches. However, it should not be. Most malicious cyber actors are not motivated by national security or geopolitical objectives, but rather by simple greed,” the data scientists who compiled the report noted.

“Financially motivated breaches are more common than Espionage by a wide margin, which itself is more common than all other motives (including Fun, Ideology and Grudge, the traditional ‘go to’ motives for movie hackers).”

2019 cyber attack trends: the “HOW”

The majority of data breaches (67% or more) are caused by credential theft, social attacks (phishing, business email compromise, pretexting) and errors (mostly misconfiguration and misdelivery of documents and email).

“These tactics prove effective for attackers, so they return to them time and again. For most organizations, these three tactics should be the focus of the bulk of security efforts,” they advised.

Another interesting finding is that attacks on web apps were a part of 43% of breaches, which is more than double the results from last year. The researchers put this down to more workflows moving to cloud services and attackers adjusting to the shift.

“The most common methods of attacking web apps are using stolen or brute-forced credentials (over 80%) or exploiting vulnerabilities (less than 20%) in the web application to gain access to sensitive information,” they shared.

Less than 5% of breaches involved exploitation of a vulnerability, and it seems that most organizations are doing a good job at patching – at least at patching the assets they know about.

“Most organizations we see have internet-facing assets spread across five or more networks. It’s the forgotten assets that never get patched that can create dangerous holes in your defenses,” the authors pointed out.

Most malware is still delivered by email and the rest via web services. Attackers have mostly given up on cryptocurrency mining malware, RAM scrapers and malware with vulnerability exploits, but love password dumpers, malware that captures app data, ransomware and downloaders.

Even though it is a small percentage of all incidents, financially motivated social engineering is on the rise – and attackers have largely stopped asking for W-2 data of employees and switched to asking for the cash directly.

Cloud assets were involved in about 22% of breaches this year, while the rest were on-premises assets.

“Cloud breaches involved an email or web application server 73% of the time. Additionally, 77% of those cloud breaches also involved breached credentials. This is not so much an indictment of cloud security as it is an illustration of the trend of cybercriminals finding the quickest and easiest route to their victims,” they noted.

Use the information to improve defenses

An interesting finding that can be used by defenders to their advantage is that attackers prefer short paths to a data breach. Throwing things in their way to increase the number of actions they have to take is likely to decrease their chance of making off with the data.

Knowing which actions happen at the beginning, middle and end of incidents and breaches can also help defenders react quickly and with purpose.

2019 cyber attack trends

“Malware is rarely the first action in a breach because it obviously has to come from somewhere. Conversely, Social actions almost never end an attack. In the middle, we can see Hacking and Malware providing the glue that holds the breach together. And so, [another] defensive opportunity is to guess what you haven’t seen based on what you have,” the authors noted.

“For example, if you see malware, you need to look back in time for what you may have missed, but if you see a social action, look for where the attacker is going, not where they are. All in all, paths can be hard to wrap your head around, but once you do, they offer a valuable opportunity not just for understanding the attackers, but for planning your own defenses.”

What should organizations do to bolster their cyber security posture?

DBIR report author and Information Security Data Scientist Gabe Bassett advises organizations to keep doing what they are doing: anti-virus at the host, network, and proxy level plus patching and filtering (e.g., with firewalls) will help push the attackers towards other attacks.

“Address the human element. The top actions (phishing, use of stolen credentials, misconfiguration, misdelivery, and misuse) all involve people. No-one is perfect so find ways to set people up for success and be prepared to handle their mistakes,” he noted, and added that all organizations should have some level of security operations.

“You can’t make the defenses high enough, wide enough, deep enough, or long enough to keep an attacker out if you don’t have someone watching the wall. For large organizations this means having a dedicated security operations center. For smaller ones it may mean taking advantage of economies of scale, either by acquiring managed security services directly, or by using services (payment systems, cloud services, and other managed services that have security operations incorporated).

Finally, to add extra steps to attackers’ path and to deter all but the most persistent ones, they should use two factor authentication whenever possible.

Widely available ICS attack tools lower the barrier for attackers

The general availability of ICS-specific intrusion and attack tools is widening the pool of attackers capable of targeting operational technology (OT) networks and industrial control systems (ICS).

“As ICS are a distinct sub-domain to information and computer technology, successful intrusions and attacks against these systems often requires specialized knowledge, establishing a higher threshold for successful attacks. Since intrusion and attack tools are often developed by someone who already has the expertise, these tools can help threat actors bypass the need for gaining some of this expertise themselves, or it can help them gain the requisite knowledge more quickly,” FireEye researchers point out.

The tools can also come in handy to experienced actors who might want to conceal their identity or maximize their budget.

ICS attack tools: What’s out there?

The researchers have been tracking a large number of publicly available ICS-specific cyber operation tools for a while now, and here’s what they can tell us about them:

  • Most of them have been developed in the last ten years
  • Most tools are vendor agnostic
  • Not unexpectedly, developers mostly concentrate on creating tools to target the most widely used solutions by the largest ICS original equipment manufacturers such as Siemens, Schneider Electric, GE, ABB, Digi International, Rockwell Automation, and Wind River Systems.

Some tools are “standalone”, others come in the form of modules for popular exploitation frameworks.

Over half of the “standalone” tools are aimed at learning about ICS devices attached to a network and software exploitation tools:

ICS attack tools

To create some of the tools, such as ICS-specific malware and ransomware, creators have to have a high degree of knowledge about the target systems as well as coding skills – something that is out of reach for many aspiring attackers.

ICS-specific exploit modules

There is a variety of ICS-specific exploit modules for exploitation framework such as Metasploit (free), Core Impact and Immunity Canvas (both commercial), as well as more recent ICS-specific exploit frameworks: Autosploit, Industrial Exploitation Framework (ICSSPLOIT), and the Industrial Security Exploitation Framework.

“We currently track hundreds of ICS-specific exploit modules related to more than 500 total vulnerabilities, 71 percent of them being potential zero-days,” the researchers noted.

Of the three non-ICS-specific frameworks, Metasploit has the fewest number of ICS-specific exploits, but due to the fact that it’s freely available, these exploits may currently represent the highest danger for defenders.

They mostly target products by these vendors:

ICS attack tools

“Awareness about the proliferation of ICS cyber operation tools should serve as an important risk indicator of the evolving threat landscape,” the researchers noted.

“Organizations that do not pay attention to available ICS cyber operation tools risk becoming low-hanging fruit for both sophisticated and unexperienced threat actors exploring new capabilities.”

As malware and network attacks increase in 2019, zero day malware accounts for 50% of detections

Amid significant increases in both malware and network attacks, multiple Apache Struts vulnerabilities – including one used in the devastating Equifax data breach – appeared for the first time on WatchGuard’s list of most popular network attacks in Q3 2019.

network attacks 2019

Massive fallout from the Equifax breach

The report also highlights a major rise in zero day malware detections and, increasing use of Microsoft Office exploits and legitimate penetration testing tools.

Apache Struts 2 Remote Code Execution enables attackers to install Python or make a custom HTTP request to exploit the vulnerability with just a few lines of code and obtain shell access to an exposed system. This threat was accompanied by two additional Apache Struts vulnerabilities on the top ten network attacks list in Q3 2019, as overall network attacks increased in volume by 8%.

The massive fallout from the Equifax breach put the severity of this vulnerability on full display and should serve as a reminder of how important it is for web admins to patch known flaws as soon as possible.

“Our latest threat intelligence showcases the variability and sophistication of cybercriminals’ growing playbook. Not only are they leveraging notorious attacks, but they’re launching evasive malware campaigns and hijacking products, tools and domains we use every day,” said Corey Nachreiner, CTO, WatchGuard Technologies.

“As threat actors continue to modify their tactics, organizations of every size must protect themselves, their customers and their partners with a set of layered security services that cover everything from the core network to endpoints, to the users themselves.”

Attackers continue to favor Microsoft Office exploits

Two malware variants affecting Microsoft Office products made WatchGuard’s top ten list of malware by volume, as well as the top ten most-widespread malware list last quarter. This indicates that threat actors are doubling down on both the frequency with which they leverage Office-based attacks, as well as the number of victims they’re targeting.

Both attacks were primarily delivered via email, which highlights why organizations should increasingly focus on user training and education to help them identify phishing attempts and other attacks leveraging malicious attachments.

Zero day malware instances spike to 50%, as overall malware detections rise

After stabilizing at around 38% of all malware detections over the past several quarters, zero day malware accounted for half of all detections in Q3. The overall volume of malware detected increased by 4% compared to Q2 2019, with a massive 60% increase over Q3 2018.

The fact that half of malware attacks in Q3 were capable of bypassing traditional signature-based solutions illustrates the need for layered security services that can protect against advanced, ever-evolving threats.

Cybercriminals may be leveraging legitimate pentesting tools for attacks

Two new malware variants involving Kali Linux penetration testing tools debuted on WatchGuard’s top ten list of malware by volume in Q3. The first was Boxter, a PowerShell trojan used to download and install potentially unwanted programs onto a victim’s device without consent.

The second was Hacktool.JQ, which represents the only other authentication attack tool besides Mimikatz (which dropped in prevalence by 48% compared to Q2, and 16% compared to Q3 2018) to make the list.

It’s unclear whether the rise in these detections comes from legitimate pentesting activities or malicious attackers leveraging readily available open source tools. Organizations must continue to leverage anti-malware services to prevent data theft.

Malware attacks targeting the Americas increase drastically

More than 42% of all malware attacks in Q3 2019 were aimed at North, Central and South America; up from just 27% in Q2. This represents a significant geographic shift in focus for attackers compared to last quarter, as EMEA and APAC (which were tied for the top regional malware target in Q2) accounted for 30% and 28% of all malware attacks in Q3, respectively.

Although the specific motivations are unclear, this trend indicates attackers are bringing new malware campaigns online that specifically target users in the Americas region.

CrackQ: Efficient password cracking for pentesters and red teamers

CrackQ employs automation to make password cracking a faster and more efficient undertaking for pentesters and red teamers.

password cracking pentesters

CrackQ dashboard

“Regular security testing is a practice all organizations should incorporate into their overall security programs. Password cracking is an essential phase of a pentest/red team engagement and helps asses organizational security best practices,” Dan Turner, Principal Security Consultant at Trustwave SpiderLabs and author of CrackQ, told Help Net Security.

“But pentests and red teaming engagements have strict time constraints – whereas threat actors have unlimited time for targeting and tool calibration. Security professionals are at a testing disadvantage, and need advanced automation tools of their own.”

Password cracking for pentesters

CrackQ is an interface for the open source password recovery/cracking tool Hashcat. It is served by a REST API and a JavaScript front-end web application for ease of use.

“It is primarily a queuing system to manage password cracking for offensive security teams during red teaming and pentesting engagements,” Turner explained.

CrackQ supports SAML2 and LDAP authentication with MFA, uses a newly created analysis library (Pypal) and generates password analysis reports from the results of specific password cracking jobs (shows insecure password choices and patterns within an organization).

It is able to perform automated re-queuing on job failure, provides multi-user support, and it will use the Hashcat brain automatically when it’s effective to do so (i.e., when slow-speed algorithms are in play).

password cracking pentesters

Add job window with hash type search functionality

password cracking pentesters

Generate a report for a job from the complete queue

Plans for future development

The tool is currently in alpha and Turner hopes a community of developers will spring up and help develop it further.

Future releases will include additional automation, efficiency improvements, and more advanced cracking techniques, he told us.

It will include an autocrack option that automatically chooses efficient cracking techniques based on the type of password, hash algorithm and a chosen time period, as well as:

  • Additional techniques: PACK, Prince, Omen, PCFG
  • Automated queue manipulation for better efficiency
  • Automated background cracking of leak dumps with lower priority queues
  • Custom wordlist creation using a web/social media crawler.