Ivanti Insights Podcast - FireEye Breach
1. Copyright © 2020 Ivanti. All rights reserved.
Chris Goettl / Phil Richards
Hosted by Adrian Vernon
DECEMBER 16, 2020
FireEye Breach Investigation Uncovers Much Larger SolarWinds Breach
2. FireEye Breach Part of a Larger Incident
FireEye is an organization well equipped to investigate a security breach. It is no surprise that the cybersecurity firm quickly found how the attackers gained entry and what they compromised. The scope of the true incident is surprising. The source of the attack was found to be a backdoor introduced into SolarWinds Orion, which may have been downloaded by as many as 18,000 entities globally.
[Situation Analysis graphic: Exploit Type / Exposure / Attack Vectors / Impact, with the labels "Trojan", "SolarWinds Orion", "Data Theft", "Ransomware", and "25 confirmed entities victimized by SolarWinds backdoor"]
Recommendations:
• Vendor Risk Management
• Endpoint Detection and Response
• Continuous Vulnerability Management
• Red Team Exercises
• Emergency Response Planning
• Data Protection
3. What was stolen from FireEye?
1. CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs – CVSS 10.0
2. CVE-2020-1472 – Microsoft Active Directory escalation of privileges – CVSS 10.0
3. CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet FortiGate SSL VPN – CVSS 9.8
4. CVE-2018-15961 – RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) – CVSS 9.8
5. CVE-2019-0604 – RCE for Microsoft SharePoint – CVSS 9.8
6. CVE-2019-0708 – RCE of Windows Remote Desktop Services (RDS) – CVSS 9.8
7. CVE-2019-11580 – Atlassian Crowd Remote Code Execution – CVSS 9.8
8. CVE-2019-19781 – RCE of Citrix Application Delivery Controller and Citrix Gateway – CVSS 9.8
9. CVE-2020-10189 – RCE for ZoHo ManageEngine Desktop Central – CVSS 9.8
10. CVE-2014-1812 – Windows Local Privilege Escalation – CVSS 9.0
11. CVE-2019-3398 – Confluence Authenticated Remote Code Execution – CVSS 8.8
12. CVE-2020-0688 – Remote Command Execution in Microsoft Exchange – CVSS 8.8
13. CVE-2016-0167 – local privilege escalation on older versions of Microsoft Windows – CVSS 7.8
14. CVE-2017-11774 – RCE in Microsoft Outlook via crafted document execution (phishing) – CVSS 7.8
15. CVE-2018-8581 – Microsoft Exchange Server escalation of privileges – CVSS 7.4
16. CVE-2019-8394 – arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus – CVSS 6.5
4. If a top cybersecurity firm can be breached, what chance do we stand?
• First and most important, there is no 100% in cybersecurity. There is always going to be the next threat, the next exploit, the next zero day.
• FireEye and SolarWinds were targeted by a well-funded, sophisticated, and persistent nation-state threat actor with top-tier offensive capabilities.
A strong cybersecurity program:
• is about identifying and mitigating risk.
• understands that no defense is perfect, and uses defense in depth.
• assumes incidents will occur and plans to respond.
• is always evolving and adapting based on real-world attacks and information.
• uses well-known security frameworks.
5. Prioritizing for 2021
• FireEye Breach CVE List
• NSA Top 25 CVEs targeted by Chinese State-Sponsored Actors
• DHS CISA Top 10 Routinely Exploited Vulnerabilities
• Gartner Top 10 Security Projects for 2021
• Coveware Ransomware Trends
• Verizon Data Breach Investigations Report
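As an added example (not from the Ivanti deck and not an Ivanti tool), the following Python script shows one way to turn the prioritization sources above and the CVE list on the "What was stolen from FireEye?" slide into a single ranked patch list. It parses the CVE lines in the format the slide uses and scores each CVE by its CVSS plus a bonus for every other priority list it also appears on. The NSA and CISA list memberships and the bonus weight are constructed sample data for the demonstration, not values taken from those advisories; the parsing and scoring functions are assumptions of this example.

```python
"""Merge vulnerability priority sources into one ranked patch list.

Added example, not from the Ivanti deck. The list memberships in OTHER_LISTS
are constructed sample data; verify them against the advisories themselves.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "cve description cvss")

# Line format used on the slide: "<n>.<CVE-id> – <description> - CVSS <score>".
# The slide mixes en dashes and hyphens as separators, so both are accepted.
LINE_RE = re.compile(
    r"^\s*\d+\.\s*(?P<cve>CVE-\d{4}-\d{4,})\s*[–-]\s*"
    r"(?P<desc>.*?)\s*[–-]\s*CVSS\s*(?P<cvss>\d+(?:\.\d+)?)\s*$"
)

# The 16 CVEs exactly as printed on the slide (embedded so the script runs offline).
FIREEYE_LIST = """\
1.CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs - CVSS 10.0
2.CVE-2020-1472 – Microsoft Active Directory escalation of privileges - CVSS 10.0
3.CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN - CVSS 9.8
4.CVE-2018-15961 – RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) - CVSS 9.8
5.CVE-2019-0604 – RCE for Microsoft Sharepoint - CVSS 9.8
6.CVE-2019-0708 – RCE of Windows Remote Desktop Services (RDS) - CVSS 9.8
7.CVE-2019-11580 - Atlassian Crowd Remote Code Execution - CVSS 9.8
8.CVE-2019-19781 – RCE of Citrix Application Delivery Controller and Citrix Gateway - CVSS 9.8
9.CVE-2020-10189 – RCE for ZoHo ManageEngine Desktop Central - CVSS 9.8
10.CVE-2014-1812 – Windows Local Privilege Escalation - CVSS 9.0
11.CVE-2019-3398 – Confluence Authenticated Remote Code Execution - CVSS 8.8
12.CVE-2020-0688 – Remote Command Execution in Microsoft Exchange - CVSS 8.8
13.CVE-2016-0167 – local privilege escalation on older versions of Microsoft Windows - CVSS 7.8
14.CVE-2017-11774 – RCE in Microsoft Outlook via crafted document execution (phishing) - CVSS 7.8
15.CVE-2018-8581 - Microsoft Exchange Server escalation of privileges - CVSS 7.4
16.CVE-2019-8394 – arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus - CVSS 6.5
"""

# Constructed sample membership: which of the slide's CVEs also appear on the
# other priority lists the deck names. Not taken from the advisories.
OTHER_LISTS = {
    "NSA Top 25": {
        "CVE-2019-11510", "CVE-2020-1472", "CVE-2019-0708", "CVE-2019-11580",
        "CVE-2019-19781", "CVE-2020-10189", "CVE-2020-0688",
    },
    "CISA Top 10": {
        "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688",
    },
}

LIST_BONUS = 2.0  # assumed weight added per extra priority list a CVE appears on


def parse_cve_lines(text):
    """Parse slide-format CVE lines; raise on any line that does not fit."""
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if m is None:
            raise ValueError(f"unrecognised line: {raw!r}")
        findings.append(Finding(m["cve"], m["desc"], float(m["cvss"])))
    return findings


def rank(findings, other_lists=OTHER_LISTS, bonus=LIST_BONUS):
    """Return [(cve, score, [list names])] sorted by score, then CVE id."""
    ranked = []
    for f in findings:
        hits = sorted(name for name, cves in other_lists.items() if f.cve in cves)
        score = round(f.cvss + bonus * len(hits), 1)
        ranked.append((f.cve, score, hits))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


if __name__ == "__main__":
    for cve, score, hits in rank(parse_cve_lines(FIREEYE_LIST)):
        print(f"{score:5.1f}  {cve:<15}  {', '.join(hits) or '-'}")
```

The output puts CVE-2019-11510 (on every list, CVSS 10.0) at the top and pushes a lower-CVSS item such as CVE-2020-0688 above several 9.8-rated entries because it is routinely exploited, which is the point of cross-referencing the sources rather than sorting by CVSS alone. To use it on your own environment, swap the constructed memberships for the real advisories and filter the findings against your asset inventory first.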
6. Thank You!
See you in January 2021 as we launch the Ivanti Insights podcast series!