# Threat Brief: FireEye Red Team Tool Breach **[unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/](https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/)** Unit 42 December 11, 2020 By [Unit 42](https://unit42.paloaltonetworks.com/author/unit42/) December 10, 2020 at 9:10 PM [Category: Unit 42](https://unit42.paloaltonetworks.com/category/unit-42/) Tags: [FireEye breach,](https://unit42.paloaltonetworks.com/tag/fireeye-breach/) [threat brief](https://unit42.paloaltonetworks.com/tag/threat-brief/) This post is also available in: 日本語 [(Japanese)](https://unit42.paloaltonetworks.jp/fireeye-red-team-tool-breach/) ## Executive Summary On Dec. 8, 2020, one of the leading cybersecurity companies in the industry, FireEye, [reported a breach and data exfiltration unlike any that we have seen previously. What makes](https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html) this attack unique is not only the target, FireEye being a well-known cybersecurity company, but that the stolen data contains the internal, custom-crafted red-team and penetration testing tools used by the company to imitate different threat actors during customer security [consultations. FireEye’s blog provided a wealth of information for defenders to implement](https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html) security controls and mitigations for defense against the stolen tools. This data is being used by Palo Alto Networks to help ensure our customers are protected if the attackers choose to utilize the tools for malicious purposes. ----- It is important to note that these custom tools were not released into the wild, they were stolen by a sophisticated threat actor and we likely will not see a sudden widespread use of them. That being said, FireEye went beyond what was required – and what companies have [done in the past – in releasing detection techniques. Providing defenders access to the Yara](https://virustotal.github.io/yara/) [rules, indicators of compromise (IOCs), Snort signatures and other threat data is a class act](https://www.snort.org/) and very much appreciated by defenders and researchers at Palo Alto Networks – and surely across the industry as a whole. ## Protecting Our Customers Palo Alto Networks has been working diligently to ensure the protections released by FireEye are implemented in a timely manner. The [Github repository shared by FireEye](https://github.com/fireeye/red_team_tool_countermeasures) contains a list of rules and 16 vulnerability CVE identifiers. The vulnerabilities appear to have been included because sufficient protections against these can help limit the effectiveness of the red-team tools. Palo Alto Networks has ensured the protections within our products are either already in place or are being prioritized for the provided vulnerabilities and their exploitation. These vulnerabilities range from a wide variety of products, and as always, we highly recommend our customers stay current with their updates and patch all vulnerable software. The Github repository that provided the protections also contains rules for direct product implementation as well as hunting. Palo Alto Networks is analyzing the efficacy of and applying all stable rules to our respective products. Gap analysis and threat hunting leveraging the FireEye-provided Yara and Snort signatures have enabled Palo Alto Networks researchers to identify potential malware samples that we are now tagging, analyzing, [tracking and building protections around within WildFire. Continual verdict efficacy checks of](https://www.paloaltonetworks.com/products/secure-the-network/wildfire) identified malware samples is ongoing within Palo Alto Networks products. Customers [leveraging the Palo Alto Networks AutoFocus tool can track initially identified samples and](https://www.paloaltonetworks.com/cortex/autofocus) [tools under the Fireye_RedTeam_Tools,](https://autofocus.paloaltonetworks.com/#/tag/Unit42.FireEye_RedTeam_Tools) [Rubeus,](https://autofocus.paloaltonetworks.com/#/tag/Unit42.Rubeus) [AndrewSpecial,](https://autofocus.paloaltonetworks.com/#/tag/Unit42.AndrewSpecial) [KeeFarce,](https://autofocus.paloaltonetworks.com/#/tag/Unit42.KeeFarce) [SafetyKatz,](https://autofocus.paloaltonetworks.com/#/tag/Unit42.SafetyKatz) [InveighZero,](https://autofocus.paloaltonetworks.com/#/tag/Unit42.InveighZero) [GadgetToJScript,](https://autofocus.paloaltonetworks.com/#/tag/Unit42.GadgetToJScript) [SeatBelt,](https://autofocus.paloaltonetworks.com/#/tag/Unit42.SeatBelt) [RuralBishop,](https://autofocus.paloaltonetworks.com/#/tag/Unit42.RuralBishop) [SharpView, and](https://autofocus.paloaltonetworks.com/#/tag/Unit42.SharpView) [SharpZeroLogon](https://autofocus.paloaltonetworks.com/#/tag/Unit42.SharpZeroLogon) tags. Our Cortex [XDR Managed Threat Hunting Team (MTH) has proactively searched all](https://www.paloaltonetworks.com/cortex/managed-threat-hunting) Cortex XDR Pro customer logs to identify potentially impacted organizations and provide them an assessment of their risk. [Cortex XDR customers are protected using the product’s WildFire integration as well as](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/endpoint-security-concepts/endpoint-protection-modules.html) through Local Analysis, the Password theft prevention module, and the behavioral threat protection (BTP) engine. In addition, multiple Behavioural Indicators of Compromise (BIOCs) are available in XDR Server to detect malicious techniques exhibited by the stolen tools. [Threat Prevention provides protection against command and control beacons and](https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/threat-prevention) exploitation of network vulnerabilities used by the stolen tools. The following table provides an overview of the mapping between Palo Alto Networks Universal Threat IDs (UTIDs) and the provided FireEye SIDs. ----- **Snort Rule** **PANW UTID** **FireEye SID** Backdoor.HTTP.BEACON.[CSBundle Original Stager] 86215 25879 Backdoor.HTTP.BEACON.[CSBundle MSOffice POST] 86216 25889 Backdoor.HTTP.BEACON.[CSBundle USAToday GET] 86217 25892 Backdoor.HTTP.BEACON.[CSBundle MSOffice Server] 86219 25888 Backdoor.HTTP.BEACON.[CSBundle Original GET] 86220 25877 Backdoor.HTTP.GORAT.[Build ID] 86221 25850 Backdoor.HTTP.BEACON.[CSBundle Original POST] 86222 25878 Backdoor.HTTP.GORAT.[SID1] 86223 25848 Backdoor.HTTP.BEACON.[CSBundle Original Server] 86225 25874 Backdoor.HTTP.BEACON.[CSBundle Original Server 3] 86227 25876 _Table 1. PANW UTIDs to FYE Signature Mapping_ **CVE** **PANW UTID** CVE-2019-0708 55815 CVE-2017-11774 56002 CVE-2018-15961 38319 CVE-2019-19781 57570, 57497 and 57625 CVE-2019-3398 55567 CVE-2019-11580 56036 CVE-2018-13379 56365 CVE-2020-0688 57947 and 57766 CVE-2019-11510 56280 CVE-2019-0604 55411, 57462 and 56363 CVE-2020-10189 57801 CVE-2019-8394 59061 CVE-2020-1472 59336 CVE-2018-8581 55152 ----- CVE-2016-0167 392102205 CVE-2014-1812 90128 _Table 2: CVE to UTID Mapping_ ## Conclusion The protections in place for our customers are continually being updated for this breach and for all threats that are identified in the wild. Palo Alto Networks appreciates the information disclosure from FireEye, but we also want to emphasize that at the time this report is published, the tools, hashes of the tools and associated samples have not been disclosed to the public. From the perspective of Palo Alto Networks security researchers, the biggest threat from this breach is the actor and the techniques they were able to utilize in order to infiltrate the FireEye infrastructure. Currently, there has not been any information released on the breach or the threat actor’s tactics, techniques, and procedures (TTPs). Customers should know that Palo Alto Networks researchers are working diligently to ensure protections are in place for our entire product ecosystem. **Get updates from** **Palo Alto** **Networks!** Sign up to receive the latest news, cyber threat intelligence and research from us [By submitting this form, you agree to our Terms of Use and acknowledge our Privacy](https://www.paloaltonetworks.com/legal-notices/terms-of-use) Statement. -----