Patch to mitigate stolen red team tools


When FireEye was breached a few weeks ago, one of the outcomes was that its red team toolset was stolen. These tools had been developed in-house to facilitate legitimate testing of clients' systems and networks. Some of them exploit known, patchable vulnerabilities to gain access to systems. Part of FireEye's excellent response to this breach was to release signatures and mitigations to counter the stolen tools. Listed below are 16 patches that are available (some for many years) to make sure your systems are protected. It is only a matter of time before the tools are used in anger by attackers.

If you have been through Cyber Essentials then you should have these installed already, but it will not hurt to check.

  1. CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs – CVSS 10.0
  2. CVE-2020-1472 – Microsoft Active Directory escalation of privileges – CVSS 10.0
  3. CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet FortiGate SSL VPN – CVSS 9.8
  4. CVE-2018-15961 – RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) – CVSS 9.8
  5. CVE-2019-0604 – RCE for Microsoft SharePoint – CVSS 9.8
  6. CVE-2019-0708 – RCE of Windows Remote Desktop Services (RDS) – CVSS 9.8
  7. CVE-2019-11580 – Atlassian Crowd remote code execution – CVSS 9.8
  8. CVE-2019-19781 – RCE of Citrix Application Delivery Controller and Citrix Gateway – CVSS 9.8
  9. CVE-2020-10189 – RCE for Zoho ManageEngine Desktop Central – CVSS 9.8
  10. CVE-2014-1812 – Windows local privilege escalation – CVSS 9.0
  11. CVE-2019-3398 – Confluence authenticated remote code execution – CVSS 8.8
  12. CVE-2020-0688 – remote command execution in Microsoft Exchange – CVSS 8.8
  13. CVE-2016-0167 – local privilege escalation on older versions of Microsoft Windows – CVSS 7.8
  14. CVE-2017-11774 – RCE in Microsoft Outlook via crafted document execution (phishing) – CVSS 7.8
  15. CVE-2018-8581 – Microsoft Exchange Server escalation of privileges – CVSS 7.4
  16. CVE-2019-8394 – arbitrary pre-auth file upload to Zoho ManageEngine ServiceDesk Plus – CVSS 6.5
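As an added example (not from the original post and not FireEye's own tooling), a small Python triage helper that matches a vulnerability scanner export against the 16 CVEs listed above and orders the open findings by CVSS so the highest-risk hosts are patched first. The CSV rows and hostnames below are constructed placeholders; adjust the column names to match your scanner's export.

```python
import csv
import io

# The 16 CVEs from the list above, keyed to the CVSS scores given there.
FIREEYE_RED_TEAM_CVES = {
    "CVE-2019-11510": 10.0, "CVE-2020-1472": 10.0, "CVE-2018-13379": 9.8,
    "CVE-2018-15961": 9.8, "CVE-2019-0604": 9.8, "CVE-2019-0708": 9.8,
    "CVE-2019-11580": 9.8, "CVE-2019-19781": 9.8, "CVE-2020-10189": 9.8,
    "CVE-2014-1812": 9.0, "CVE-2019-3398": 8.8, "CVE-2020-0688": 8.8,
    "CVE-2016-0167": 7.8, "CVE-2017-11774": 7.8, "CVE-2018-8581": 7.4,
    "CVE-2019-8394": 6.5,
}

# Constructed sample export (hypothetical hosts): one row per host/finding,
# in the host,cve,status shape many scanners can produce.
SAMPLE_SCAN_CSV = """host,cve,status
vpn-gw-01.example.internal,CVE-2019-11510,open
dc-01.example.internal,CVE-2020-1472,open
mail-01.example.internal,CVE-2020-0688,patched
web-01.example.internal,CVE-2019-9999,open
sp-01.example.internal,CVE-2019-0604,open
"""


def triage(scan_csv):
    """Return (cvss, cve, host) for open findings on the list, highest CVSS first."""
    hits = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        cve = row["cve"].strip().upper()
        if row["status"].strip().lower() != "open":
            continue  # already remediated, nothing to do
        if cve not in FIREEYE_RED_TEAM_CVES:
            continue  # a finding, but not one of the 16 listed
        hits.append((FIREEYE_RED_TEAM_CVES[cve], cve, row["host"].strip()))
    # Highest score first; tie-break on CVE id and host for a stable report.
    hits.sort(key=lambda h: (-h[0], h[1], h[2]))
    return hits


if __name__ == "__main__":
    for score, cve, host in triage(SAMPLE_SCAN_CSV):
        print(f"{score:4.1f}  {cve:<15} {host}")
```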

You can see more about these and other mitigations on FireEye's GitHub.

If you would like a vulnerability assessment or a Cyber Essentials Plus assessment, please contact us for more information and a quote.

Stay safe, be well and make sure to wash your hands.
