Given the many digital attacks of recent years, it's safe to say no company or government agency has a foolproof strategy for dealing with hackers. No matter how well you think you're protecting your websites, servers, and other Internet-connected devices, determined attackers will keep hunting for a way in. Recent research from Google's Project Zero team shows that even a product meant to protect companies from hackers can itself be the weak point.
In short, Project Zero researchers found they could compromise an organization running FireEye network security appliances by sending a single email to anyone inside it. The recipient doesn't even have to open the email for the attacker to gain a foothold on the network.
FireEye was notified of the issue immediately, Ars Technica reports, and has since fixed it in subsequent patches. It's not clear at this time whether anyone else discovered the same technique Google used against FireEye's products, or whether any company running FireEye equipment was actually compromised.
The FireEye products in question are appliances that scan network traffic for malware. They sit at the edge of the network, inspecting web and email traffic so that threats can be caught before they reach company servers and workstations. Because the appliances continuously parse whatever passes through them, that inspection engine is exactly where Google's researchers found a way in.
“For networks with deployed FireEye devices, a vulnerability that can be exploited via the passive monitoring interface would be a nightmare scenario,” Google explained. “This would mean an attacker would only have to send an email to a user to gain access to a persistent network tap – the recipient wouldn’t even have to read the email, just receiving it would be enough.”
“A network tap is one of the most privileged machines on the network, with access to employees’ email, passwords, downloads, browsing history, confidential attachments, everything. In some deployment configurations an attacker could tamper with traffic, inserting backdoors or worse. Because FireEye devices typically have a secondary Internet-connected interface for updates and management, the issue could even be wormable across the internet.”
After reverse-engineering FireEye’s NX, EX, AX, and FX series of products, Project Zero researchers Tavis Ormandy and Natalie Silvanovich found a way to trick the appliances into executing code embedded in the data passing through them.
In other words, the device reads and executes that code the moment the email carrying it passes through the inspection engine, whether or not the recipient ever opens the email.
“An attacker can send an email to a user or get them to click a link, and completely compromise one of the most privileged machines on the network,” Google explained in a post on Tuesday. “This allows exfiltration of confidential data, tampering with traffic, lateral movement around networks and even self-propagating Internet worms.”
Meanwhile, FireEye fixed the issue on its end.
“We released an automated remediation to customers just 6 hours after notification, mitigating any customer exposure by Saturday morning, December 5th and released a full, automated fix on Monday, December 7th,” the company said. “In addition, we will be releasing a fix to support our out-of-contract customers.”
If you run one of these FireEye products, make sure it has content release 427.334 or higher installed; that release closes this vulnerability.