FireEye’s latest breach leads to Red Team tool exfiltration
In response to the events reported by FireEye, we would like to give you a quick update on what is being done on Cynet’s side to protect its customers against these types of threats.
Regarding the recent news stories about FireEye becoming the victim of a security breach, further reading can be found here: https://www.zdnet.com/article/fireeye-one-of-the-worlds-largest-security-firms-discloses-security-breach/
FireEye claims that the company was victimized by a “highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack”. The purpose of the breach is still unclear, but since FireEye is a major US Government contractor, it is plausible that the attack was aimed at accessing high-profile customers’ information.
During the breach, Red Team tools, developed by FireEye for internal use, were stolen.
As a result, FireEye released Snort, Yara, ClamAV and HXIOC rules (https://github.com/fireeye/red_team_tool_countermeasures) for detecting these Red Team tools in case they are later published by the attackers and used maliciously.
Even though the stolen Red Team tools have not been made public, we are currently working with the CyOps and Research teams to implement the detections published by FireEye, along with IOCs from other feeds, to make sure these tools will be detected in your environments.
In addition, some of these tools exploit old vulnerabilities which are already patched in your environment, and their use is already detected by Cynet.
Cynet XDR has already implemented several of these detections and IOCs, and as more information about these tools is published, new detections will be added and existing ones improved over time.