FireEye is an IT security company focusing on providing security products and services to its customers. On December 8th, 2020, FireEye made an on their company blog reporting the theft of their red team assessment tool. The attack has become the talk of the month in the security community. This is the first time a group of hackers has carried out an operation at this level of sophistication and success.
Who poked into FireEye and what happened?
The hacker group called Cozy Bear or APT29 has a history of stealing US government data and disrupting the US presidential elections of 2016. The same group broke into FireEye’s perimeter and stole their red team tool. This attack is suspected to be state-sponsored considering the level of sophistication.
A red team is a group of authorized offensive attackers who attack and expose flaws in their customers’ security posture. The blue team at the customers’ side then fix the flaws to strengthen security. The stolen tool aids in scanning and detecting risks in the environment.
The stolen tools contain technologies ranging from simple scripts for automated reconnaissance to huge frameworks similar to other red team tools. FireEye immediately reported the crime to the FBI and other partners including Microsoft. Investigations clearly showed the red team tools were stolen, but investigators are still not sure about what else was stolen during the breach.
The fact that clearly shows the attack was highly sophisticated is when FireEye announced that the tool did not have any zero-day vulnerabilities. Moreover, Kevin Mandia, the CEO of FireEye said “Based on my 25 years in cybersecurity and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years”.
Current and expected global impact
The CEO of FireEye said the attackers went on a hacking spree infiltrating government entities specifically. However, FireEye confirmed that the attackers did not steal any customer data or threat intelligence stored in their products.
A compared the attack to the Shadowbrokers group who exposed the vulnerabilities that eventually resulted in hackers crafting the great attack of 2017. Similarly, the compromise of a security tool shows signs of hackers analyzing and adopting new methods to unleash multiple attacks on organizations.
FireEye still doesn’t know if the hackers may release the tool publicly or use it themselves to unleash attacks. Since the tool does not have any zero-day vulnerabilities, the customers of FireEye are not at high risk, but people who are not customers of FireEye are in trouble. The tool may point out risks that are not in the purview of non-customers.
Recommendations to the community
FireEye made a swift move on their part to help the security community as soon as possible. Hackers may use the red team tools to detect vulnerabilities in an environment ready to be exploited. FireEye realized this and to detect when the tool is used to craft an attack. 16 vulnerabilities and indicators of attack (IOCs) have been notified by FireEye through GitHub to detect a potential attack resulting from the tool.
If there is a red pill for risk-based security, it would show that anyone can be attacked. Security teams cannot eliminate every possible risk in a network and prevent attacks. But they can definitely work to curb the risks and reduce the probability of an attack to a great extent.
A well-designed vulnerability management tool can help reduce security risks and secure your organization from cyber-attacks exploiting the vulnerabilities lurking in endpoints. leverages over 100,000+ vulnerability checks to scan and detect vulnerabilities in devices running on Windows, Mac, and Linux devices. Try out SanerNow and see how it can reduce risks in all your endpoints.