Chris Roberts

Last week, news broke that a sophisticated adversary penetrated FireEye’s network and stole the company’s Red Team assessment tools. The attack is reportedly linked to a larger supply-chain assault that struck government, consulting, technology, and telecom organizations throughout North America, Europe, Asia, and the Middle East. 

To get an idea of what this stolen toolset is capable of, look at the prioritized list of CVEs FireEye recommends organizations address immediately: in essence, the list of known vulnerabilities that FireEye (and now any adversary with their tools) can easily take advantage of. Based on the list, everything from Citrix, to Terminal Services, to Microsoft Exchange, to Windows endpoints, to Microsoft Outlook is at risk. Particularly alarming near the top of the prioritized list is a Netlogon vulnerability (CVE-2020-1472, better known as Zerologon) that lets an attacker with network access to a domain controller reset the domain controller's machine account password and escalate to domain administrator. Because nearly every application, service, and user in a Windows environment authenticates through Active Directory, an attacker holding that privilege can reach essentially anything in your network.

According to reports, the adversary compromised FireEye and other targets, including the U.S. Treasury and the Department of Commerce, through "trojanized" updates to the Orion platform from SolarWinds, a technology vendor that helps the federal government and Fortune 500 companies monitor the health of their IT networks. The tampered updates carried a backdoor that FireEye dubbed SUNBURST. This latest supply-chain attack has rattled the IT community, and rightly so considering SolarWinds' large customer base. In SEC documents filed December 14, SolarWinds said that up to 18,000 of its customers may have installed the malware-laced update. The story is still unfolding, and the extent of the damage remains unknown.

In an Al Jazeera interview that same morning, Richard Stiennon, Chief Research Analyst at IT-Harvest, likened the supply-chain attack to NotPetya, which similarly entered victim networks through a trojanized update to a legitimate product (the Ukrainian M.E.Doc accounting software). NotPetya is easily the most destructive cyberattack to date, causing $10 billion in total damages in 2017, according to White House officials. Maersk, the world's largest shipping firm and one of many high-profile NotPetya victims, spent over a week rebuilding its Active Directory by hand after the malware wiped nearly every domain controller it had.

Active Directory is in the Attackers’ Crosshairs 

First off, the industry agrees that FireEye has responded very well to the incident by being extremely transparent about the stolen Red Team tools, which range from scripts wrapping publicly available hacking tools to custom-developed toolsets.

According to FireEye, there are no zero-day exploits within the tools, so every CVE on the list already has a vendor patch available. But an available patch protects nothing until it is installed, and there is no guarantee that every system, application, and platform on the list has been updated. Take note of the list, inventory the affected products in your environment, and verify (rather than assume) that each one is patched.

There are a few lessons to be learned proactively from this story:  

1. Cyberattacks increasingly exploit supply-chain weaknesses as an effective method of distributing malware for widespread impact.  

2. The bad guys are looking beyond "spray and pray" breach campaigns and getting extremely targeted, attacking the defenders themselves and taking advantage of any intellectual property they can steal (in this case, internal hacking tools) to get the upper hand.

3. If an organization like FireEye, which is solely focused on cybersecurity, isn’t completely safe from attack, neither is your organization. 

4. Sophisticated automated toolsets can easily reach the hands of a novice attacker, making them just as dangerous an adversary as someone with years of Red Team experience. 

5. Windows and Active Directory are key targets of modern-day cyberattacks. Because Active Directory centralizes authentication and authorization, a single account with elevated privileges unlocks access across the entire environment, which makes it the perfect focus for an attacker. Organizations must therefore watch changes to Active Directory closely: continuously monitor for indicators of exposure (for example, unexpected additions to privileged groups or a domain controller's machine account password being reset by an anonymous caller), block or roll back changes that would further elevate access to other parts of the environment, and be prepared to recover Active Directory from ransomware and other data integrity attacks.
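The two indicators called out above (the Netlogon escalation described earlier in the article, and membership changes to privileged groups) are both visible in the Windows Security log on a domain controller. The following is an added example, not code from the original post or from Semperis, showing how a detection pass over those events looks in practice. It assumes event records have already been flattened into dictionaries with the standard field names from the Security log (`SubjectUserSid`, `TargetUserName`, `PasswordLastSet`, `MemberName`); the sample events and the `corp.example` domain are constructed for illustration.

```python
"""Flag two Active Directory indicators of exposure in Windows Security events:
 1. a computer account password reset performed by ANONYMOUS LOGON (the trace
    left on a domain controller by Netlogon / CVE-2020-1472 exploitation), and
 2. a member added to a privileged group.
Added example with constructed sample events; field names follow the
Windows Security log, the domain and account names are made up.
"""
from dataclasses import dataclass

ANONYMOUS_LOGON_SID = "S-1-5-7"

# Groups whose membership grants domain-wide control. Adding a member here is
# exactly the kind of change that "further elevates access".
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators", "Backup Operators",
}
# 4728 / 4732 / 4756: member added to a security-enabled global / local /
# universal group.
GROUP_ADD_EVENTS = {4728, 4732, 4756}

# Constructed sample events (not real logs), shaped like parsed Get-WinEvent output.
SAMPLE_EVENTS = [
    # Netlogon-style reset: the DC's own account changed by the anonymous SID.
    {"EventID": 4742, "Computer": "DC01.corp.example",
     "SubjectUserName": "ANONYMOUS LOGON", "SubjectUserSid": ANONYMOUS_LOGON_SID,
     "TargetUserName": "DC01$", "PasswordLastSet": "12/14/2020 09:13:02"},
    # Normal 30-day machine password rotation: the computer changes its own password.
    {"EventID": 4742, "Computer": "DC01.corp.example",
     "SubjectUserName": "DC01$", "SubjectUserSid": "S-1-5-21-111-222-333-1000",
     "TargetUserName": "DC01$", "PasswordLastSet": "12/01/2020 03:00:00"},
    # Benign 4742: a description edit, password unchanged ('-' = attribute not changed).
    {"EventID": 4742, "Computer": "DC01.corp.example",
     "SubjectUserName": "ANONYMOUS LOGON", "SubjectUserSid": ANONYMOUS_LOGON_SID,
     "TargetUserName": "WS07$", "PasswordLastSet": "-"},
    # Service account dropped into Domain Admins.
    {"EventID": 4728, "Computer": "DC01.corp.example", "SubjectUserName": "jdoe",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example"},
    # Routine group change, not privileged.
    {"EventID": 4728, "Computer": "DC01.corp.example", "SubjectUserName": "jdoe",
     "TargetUserName": "Marketing",
     "MemberName": "CN=asmith,OU=Users,DC=corp,DC=example"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    event_id: int
    detail: str


def detect_machine_password_reset(event):
    """4742 (computer account changed) on a computer account, performed by
    ANONYMOUS LOGON, with PasswordLastSet actually changed. Legitimate machine
    password rotation is performed by the machine account itself."""
    if event.get("EventID") != 4742:
        return None
    target = event.get("TargetUserName", "")
    if not target.endswith("$"):  # only computer accounts
        return None
    if event.get("SubjectUserSid") != ANONYMOUS_LOGON_SID:
        return None
    if event.get("PasswordLastSet", "-") == "-":  # '-' means the attribute did not change
        return None
    return Finding("machine_password_reset_by_anonymous", 4742,
                   f"{target} password reset by ANONYMOUS LOGON on {event.get('Computer')}")


def detect_privileged_group_add(event):
    """Member added to one of the privileged groups listed above."""
    if event.get("EventID") not in GROUP_ADD_EVENTS:
        return None
    group = event.get("TargetUserName", "")
    if group not in PRIVILEGED_GROUPS:
        return None
    return Finding("privileged_group_member_added", event["EventID"],
                   f"{event.get('MemberName')} added to {group} by {event.get('SubjectUserName')}")


RULES = (detect_machine_password_reset, detect_privileged_group_add)


def scan(events):
    """Run every rule over every event and return the list of findings."""
    return [f for ev in events for f in (rule(ev) for rule in RULES) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

Against the constructed sample the scan returns exactly two findings: the DC01$ reset by the anonymous SID and the svc-backup addition to Domain Admins, while the routine machine password rotation, the no-password-change 4742, and the Marketing group change pass silently. In a real deployment the same rules would sit in a SIEM or be fed from `Get-WinEvent` on each domain controller, and the privileged-group set should be extended with any custom groups that hold delegated rights over Tier 0 objects.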

While the FireEye attack doesn't represent the release of never-before-seen tools or exploits, it does highlight the importance of keeping your environment patched against known vulnerabilities, and the critical role Active Directory plays in today's cyberattacks. As the gatekeeper to critical applications and data, Active Directory has become a prime target for widespread attacks that have crippled businesses in recent years. By understanding what the bad guys are focusing on, you can adjust your security strategy to harden the parts of the environment that attackers value most.

Given the scale of the supply-chain attack on SolarWinds and the subsequent breaches of government agencies and high-profile companies, we'll likely see more victims make disclosures in the days to come. If you have any questions about securing your Active Directory against FireEye's published list of vulnerabilities, or any attacks in the wild for that matter, please don't hesitate to contact the folks at Semperis.