cyber-attack which has resulted in the theft of their red-team /
penetration testing tools. The attack campaign is reportedly attributed to a
highly sophisticated actor employing novel techniques to gain access.
Details of the tools stolen in this breach are provided below:-
AdPassHunt:- credential-stealing tool that hunts for Active Directory
credentials.
590bd7609edf9ea8dab0b5fbc38393a870b329de
29385446751ddbca27c26c43015be7ab0d548b895531fba9b03d612e53bd9ff0
Beacon:- used for several purposes, such as persistence, execution, privilege
escalation, credential dumping and lateral movement.
03a8efce7fcd5b459adf3426166b8bda56f8d8439c070b620bccb85a283295f4
e4dd5fc22ff3e9b0fa1f5b7b65fb5dfeac24aab741eee8a7af93f397b5720f4a
d011a846badec24a48a50d1ab50f57d356b9dd520408cbb3361182f6f0489a1e
0a566a0ddbaf9975221fe842b9b77c4a8b5d71bb2c33e0a46da26deec90dcbea
61cd1311d2e4663b86b5a70c2aafd5af6b247a6ebf407170296e37aaf8c69392
Beltalowda:- used for conducting a variety of security-oriented checks on the
victim machine.
[tool name missing], Fluffy:- used to steal or forge Kerberos tickets.
8bebf19d54c749560301eaada2e92eb240501b8c
[tool name missing]:- used for automating the weaponization of Microsoft
Windows Script Host (WSH) scripts.
[tool name missing]:- used for man-in-the-middle attacks such as LLMNR/NBT-NS
poisoning and SMB relay.
78fafeb22bf31de02a4b56114e86dcc3394e382658a5c95b1a302d3d8794718d
2728c46f4fcf62f3faee72be30f1dd75528391b0d70da302544f5282d58c931b
715b415647f33937b39aa072001bfb9857a4bea884d009cbe0c27f1422b9f55b
452c6651e79d9f69a55e711c0b4d70eb2b1aaac206b8a274e45d22f9d7cafd2c
50c4f46e43d30c9520be35e294ef98d81f81d60602cd659367bbcf6a91766c0f
a66f3a9ddf9343aeed40276c1abfc485f089050074a03801cd9a16787a39c6bf
0c080548e15e7f377baed2a550d48a555e6150d969f7f4b8244c3b3a50afb858
KeeFarce:- used for extracting passwords from memory.
5ea9a04284157081bd5999e8be96dda8fac594ba72955adacb6fa48bdf866434
PuppyHound:- used as a data collector.
23490f7ac40b6b15c228ed8f8e9122d460469aa4025ed7008660e4310ef7e70f
a7240d8a7aee872c08b915a58976a1ddee2ff5a8a679f78ec1c7cf528f40deed
[tool name missing]:- used for credential dumping.
2b3cab071ca6f104377a7684eb586150fdec11df2dc8cebcb468f57a82f10c73
89a456943cf6d2b3cd9cdc44f13a23640575435ed49fa754f7ed358c1a3b6ba9
[tool name missing]:- used for credential dumping and process injection.
SharpZeroLogon:- exploit for the Zerologon vulnerability
(CVE-2020-1472).
NoAmci:- used to bypass AMSI (Windows Antimalware Scan Interface)
detection.
NetAssemblyInject:- used to inject C# .NET assemblies into arbitrary
Windows processes.
ImpacketObf:- used for working with network protocols.
In addition to the red-team tools, the leaked list contains exploit
payloads leveraging the vulnerabilities listed below:-
CVE-2014-1812:- Privilege escalation in Microsoft Windows Vista SP2,
Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1,
and Windows Server 2012
CVE-2016-0167:- Privilege escalation in Microsoft Windows
CVE-2017-11774:- Remote Code Execution in Microsoft Outlook
CVE-2018-13379:- Pre-authorization Arbitrary File Read in Fortigate SSL
VPN
CVE-2018-15961:- Remote Code Execution in Adobe ColdFusion
CVE-2019-0604:- Remote Code Execution in Microsoft SharePoint
CVE-2019-0708:- Remote Code Execution in Windows Remote Desktop Services
(RDS)
CVE-2019-11580:- Remote Code Execution in Atlassian Crowd
CVE-2019-19781:- Remote Code Execution in Citrix Application Delivery
Controller and Citrix Gateway
CVE-2019-3398:- Authenticated Remote Code Execution in Confluence
CVE-2019-8394:- Pre-authorization Arbitrary File Upload in Zoho ManageEngine
ServiceDesk Plus
CVE-2020-0688:- Remote Code Execution in Microsoft Exchange
CVE-2020-1472:- Privilege Escalation in Microsoft Active Directory
CVE-2018-8581:- Privilege Escalation in Microsoft Exchange Server
CVE-2020-10189:- Remote Code Execution in Zoho ManageEngine Desktop
Central
Recommendations and Countermeasures
Assess systems against the aforementioned vulnerabilities [using vulnerability
scanning and monitoring tools] and apply appropriate patches / upgrade to
recent stable versions.
FireEye also released a repository of signatures/rules designed to detect
the use of these tools across a variety of detection technologies,
including Snort, YARA, OpenIOC and ClamAV, which can be used for assessing
compromised system[s].
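The file hashes listed above are the simplest indicators to sweep a host for. The following script is an added example (not part of the advisory and not FireEye's released signature set): it carries a subset of the advisory's SHA-1/SHA-256 values, hashes every file under a directory and reports matches. The `load_ioc_list` helper also rejoins digests that were split by whitespace when copied from a PDF or web page, which is what happened to several hashes in this advisory. Hash matching only catches unmodified copies of the tools; it complements, and does not replace, the YARA/Snort/ClamAV rules FireEye published.

```python
import hashlib
import os
import sys

# Subset of the file hashes listed in the advisory (SHA-1 digests are 40 hex
# characters, SHA-256 digests are 64). Lower-cased so that comparisons are
# case-insensitive.
ADVISORY_HASHES = {
    # AdPassHunt
    "590bd7609edf9ea8dab0b5fbc38393a870b329de",
    "29385446751ddbca27c26c43015be7ab0d548b895531fba9b03d612e53bd9ff0",
    # Beacon
    "03a8efce7fcd5b459adf3426166b8bda56f8d8439c070b620bccb85a283295f4",
    "e4dd5fc22ff3e9b0fa1f5b7b65fb5dfeac24aab741eee8a7af93f397b5720f4a",
    "d011a846badec24a48a50d1ab50f57d356b9dd520408cbb3361182f6f0489a1e",
    "0a566a0ddbaf9975221fe842b9b77c4a8b5d71bb2c33e0a46da26deec90dcbea",
    "61cd1311d2e4663b86b5a70c2aafd5af6b247a6ebf407170296e37aaf8c69392",
    # KeeFarce
    "5ea9a04284157081bd5999e8be96dda8fac594ba72955adacb6fa48bdf866434",
    # PuppyHound
    "23490f7ac40b6b15c228ed8f8e9122d460469aa4025ed7008660e4310ef7e70f",
    "a7240d8a7aee872c08b915a58976a1ddee2ff5a8a679f78ec1c7cf528f40deed",
}

HEX_DIGITS = set("0123456789abcdef")


def load_ioc_list(text):
    """Parse one digest per line into a set.

    Whitespace inside a line is removed first, because digests copied from
    PDFs or web pages are often broken by a stray space; anything that is not
    a 40- or 64-character hex string is ignored.
    """
    iocs = set()
    for line in text.splitlines():
        token = "".join(line.split()).lower()
        if len(token) in (40, 64) and set(token) <= HEX_DIGITS:
            iocs.add(token)
    return iocs


def hashes_of_bytes(data):
    """SHA-1 and SHA-256 of an in-memory blob."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hashes_of_file(path, chunk_size=1 << 20):
    """Stream a file through both hash functions without loading it whole."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            sha1.update(block)
            sha256.update(block)
    return {"sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def match_iocs(hashes, ioc_set=ADVISORY_HASHES):
    """Return [(algorithm, digest)] for every digest found in ioc_set."""
    return [(alg, d.lower()) for alg, d in hashes.items() if d.lower() in ioc_set]


def scan_tree(root, ioc_set=ADVISORY_HASHES):
    """Walk a directory tree and report files whose hash is a known IoC."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                found = match_iocs(hashes_of_file(path), ioc_set)
            except OSError:
                continue  # unreadable file (permissions, vanished); skip it
            if found:
                hits.append((path, found))
    return hits


if __name__ == "__main__":
    # Usage: python ioc_scan.py /path/to/scan  (defaults to the current directory)
    start = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, found in scan_tree(start):
        for alg, digest in found:
            print(f"MATCH {alg} {digest} {path}")
```

To use the complete IoC list rather than the embedded subset, paste the hashes into a text file and pass `load_ioc_list(open(path).read())` as `ioc_set`; the loader tolerates the broken digests and ignores the tool names and descriptions between them.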
Best practices
Practice good cyber hygiene: back up, update, whitelist applications, limit
privileges, and use multi-factor authentication. Routinely audit
configuration and patch management programmes.
Deploy endpoint security tools on all endpoints; ensure they work and are
up to date. Keep systems and installed applications fully patched and
updated.
Deploy web and email filters on the network. Configure these devices to
scan for known bad domains, sources, and addresses; block these before
receiving and downloading messages. Scan all emails, attachments, and
downloads both on the host and at the mail gateway with a reputable
antivirus solution
Scan for and remove suspicious e-mail attachments; ensure the scanned
attachment is its "true file type" (i.e., the extension matches the file
header). Block attachments of the following file types:
[exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf].
Exercise caution when using removable media (e.g., USB thumb drives,
external drives, CDs, etc.). Scan all software downloaded from the Internet
before executing it.
Monitor network traffic for unexpected and unapproved protocols, especially
outbound to the internet (e.g., SSH, SMB, RDP).
Restrict execution of PowerShell / WSCRIPT in the enterprise environment.
Ensure installation and use of the latest version of PowerShell, with
enhanced logging enabled (script block logging and transcription). Send the
associated logs to a centralized log repository for monitoring and analysis.
Enable Exploit Protection [Successor to EMET] that includes several client
side mitigation steps. Detailed configuration steps can be seen in
ft-defender-atp/enable-exploit-protection. Turn on attack surface reduction
rules, including rules that block credential theft, ransomware activity,
and suspicious use of PsExec and WMI.
To address malicious activity initiated through weaponized Office
documents, use rules that block advanced macro activity, executable
content, process creation, and process injection initiated by Office
applications. [To assess the impact of these rules, deploy them in audit
mode.] Turn on AMSI for Office VBA on Office 365.
Utilize the Windows Defender Firewall and your network firewall to prevent
RPC and SMB communication among endpoints whenever possible. This limits
lateral movement as well as other attack activities.