FireEye Red Team tools have been stolen
FireEye, one of the world's leading cybersecurity companies dedicated to vulnerability analysis and prevention, has reported being the victim of a cyberattack through which its Red Team pentesting tools were stolen.
The attacker, a highly sophisticated threat actor, managed to steal material ranging from simple scripts to complete frameworks similar to Cobalt Strike and Metasploit. The stolen tools include no zero-day exploits, and no client data was leaked.
In response to this incident, FireEye has published over 300 countermeasures to protect its clients against the stolen Red Team tools, and has also shared them with partners and government agencies to limit the attackers' ability to make use of those tools.
At present, there is no evidence that the stolen tools have been distributed or used, and monitoring continues.
[Update 15/12/2020] Kevin Mandia, CEO of FireEye, has published a blog post updating the information provided on the theft of FireEye's Red Team tools. In the post, he states that they have identified a global campaign that affects the networks of public and private organizations through the software supply chain, using updates to a widely used IT infrastructure management product, the SolarWinds Orion Platform. In addition, a SolarWinds filing with the U.S. Securities and Exchange Commission (SEC) notes that there has been significant media coverage of attacks on U.S. government agencies and other companies, and that many of these reports attribute the attacks to a vulnerability in Orion products. SolarWinds continues to investigate, in collaboration with the FBI and other U.S. government agencies, whether and to what extent the vulnerability in Orion products was successfully exploited in any of the reported attacks.
- 08/12/2020 fireeye.com FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community
- 08/12/2020 fireeye.com Unauthorized Access of FireEye Red Team Tools
- 08/12/2020 github.com FireEye’s GitHub repository: Red Team Tool Countermeasures
- 08/12/2020 us-cert.cisa.gov Theft of FireEye Red Team Tools
- 09/12/2020 cso.computerworld.es FireEye suffers the theft of several 'pentesting' tools
- 09/12/2020 theverge.com FireEye cybersecurity tools compromised in state-sponsored attack
- 13/12/2020 fireeye.com [Update 15/12/2020] Global Intrusion Campaign Leverages Software Supply Chain Compromise
- 14/12/2020 sec.gov [Update 15/12/2020] UNITED STATES SECURITIES AND EXCHANGE COMMISSION WASHINGTON, DC 20549
- 14/12/2020 incibe-cert.es [Update 15/12/2020] Active exploitation campaign against SolarWinds Orion Platform
- 18/12/2020 microsoft.com [Update 21/12/2020] Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers
- 19/01/2021 fireeye.com [Update 21/01/2021] Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452
- 20/01/2021 microsoft.com [Update 21/01/2021] Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop
- 18/02/2021 msrc-blog.microsoft.com Microsoft Internal Solorigate Investigation – Final Update