Threat Response-FireEye Red Team tool set

9-12-2020

On December 8th 2020, US cybersecurity firm FireEye released a statement [1] to tell the world that they were breached in a cyberattack, and that their red team toolset has been stolen. FireEye is a cybersecurity company that is most well-known for their intrusion prevention system, and for their incident response, forensics and threat intelligence work through their acquisition of Mandiant. Apparently, somewhere in the past months FireEye was breached by an actor that is classified by both the FBI and FireEye as having “world-class capabilities” and being a nation-state. While no country was explicitly named, current evidence points strongly towards Russia (for instance, the FBI turning the case over to their Russia specialists). FireEye states that attackers did not get access to information about their customers or investigations, but that their Red Team tools were stolen.

Impact

The Red Team toolset enables FireEye to perform security assessments that use TTPs (tools, techniques and procedures) of existing threat actors. FireEye acquired these TTPs through their incident response and threat intelligence activities. Using the tool set in Red Team exercises enables FireEye’s customers to test their defenses, detections and responses to attacks as specific real-world threat actors would perform them.

Currently, the tool set has not been published. The attacker that stole the tool set can use the tools to impersonate other actors: it might look like a different threat actor is performing the attack. This makes attribution of certain attacks more difficult but does not greatly change the direct impact of such attacks. FireEye states that the toolset does not contain zero-day exploits: exploits for vulnerabilities that cannot yet be patched. A list of vulnerabilities used in the tool set is provided by FireEye, as are detection rules for NIDS and endpoint security products.

Risk

Because the toolset is not public and does not contain Zero Day vulnerabilities, the risk to individual companies is low at this point. The vulnerabilities that the tools use, are well-known and patches are available. Furthermore, FireEye has published a set of detection rules [2] that can be used to detect use of their tool set. The tool set contains a mixture of well-known Red Team methods that current detection measures should already pick up on and FireEye-specific methods that the new detection rules can detect. While an attacker can modify the tool set to evade these detection rules, the risk remains low as long as the tool set is not published.

Mitigation

The most important mitigation at this point is to make sure that all systems within your area of responsibility are patched against the vulnerabilities that the tool set uses. FireEye has provided a list of these vulnerabilities[3]. As this list contains only two vulnerabilities from 2020, it is likely that your systems are already patched.

What will Northwave do?

As Northwave, we have incorporated the detection rules provided by FireEye into our Network Intrusion Detection System (NIDS). If you are a customer of our IDRS service, then detection of the use of the tool set is provided within coverage of the deployment. Within our Endpoint Detection and Response Service (EDRS) the incorporation of detection rules is being investigated, and will be added as soon as possible.
Furthermore, Northwave keeps track of news around this breach, and will re-assess the risk and impact as news comes available.

Phone number: +31 (0)30-303 1244 (during business hours)
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85-0437 909 or 0800-1744 (alleen vanuit Nederland)

Disclaimer applies, see below.

Sources

[1] FireEye statement: https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html

[2] Detection rules: https://github.com/fireeye/red_team_tool_countermeasures/

[3] List of vulnerabilities: https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.