DEV Community

loading...
Cover image for [UPDATE] FireEye hacked, red team tools leaked.

[UPDATE] FireEye hacked, red team tools leaked.

Jason K.
I enjoy hacking stuff & playing CTF @ K0p1 👾 Vulnerability Assessment & Research ☕
Updated on ・3 min read

What happened?
On the 8th of December 2020, one of the largest cybersecurity firm FireEye (FEYE) has been hacked.

If you have not heard of this story, do check out a summary on this incident HERE.

New Updates
FireEye released an update on the 13th of December 2020, with new information on thier recent breach.

In this recent update, new evidence further suggests that the FireEye breach disclosed on the 8th of December 2020 is the work of state-sponsored threat actors.

FireEye identified "a global campaign that introduces a compromise into the networks of public and private organizations through the software supply chain".

Orion Platform, a widely-used IT infrastructure management software, offered by SolarWinds. Has been identified as one of the main areas of compromise in this supply chain attack campaign.

FireEye has noted on the similarity shared between their recent breach and campaign mentioned, based on the following key elements:

  • Use of malicious SolarWinds update: Inserting malicious code into legitimate software updates for the Orion software that allow an attacker remote access into the victim’s environment
  • Light malware footprint: Using limited malware to accomplish the mission while avoiding detection
  • Prioritization of stealth: Going to significant lengths to observe and blend into normal network activity
  • High OPSEC: Patiently conducting reconnaissance, consistently covering their tracks, and using difficult-to-attribute tools

FireEye is now working closely with SolarWinds, the Federal Bureau of Investigation, and other key partners.

As this activity is the subject of an ongoing FBI investigation, there are also limits to the information that is available for sharing at this time.

Am I affected?
SolarWinds have since publish an advisory in light of the situation.

The software firm said that Orion update versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, have been tainted with malware.

SolarWinds Orion holds credentials, such as Domain Admin, Cisco/Router/SW root/enable creds, ESXi/vCenter Credentials, AWS/Azure/Cloud root API keys. and so much more. Consider these credentials compromised if you see other IOCs.

What are the countermeasures?
Included in FireEye new "Mandiant SunBurst Countermeasures" Github repository are rules that can help detect for these newfound threats.

FireEye Mandiant SunBurst Countermeasures

These rules are provided freely to the community without warranty.

In this GitHub repository you will find rules in multiple languages:

  • Snort
  • Yara
  • IOC
  • ClamAV

The rules are categorized and labeled into two release states:

  • Production: rules that are expected to perform with minimal tuning.
  • Supplemental: rules that are known to require further environment-specific tuning and tweaking to perform, and are often used for hunting workflows.

Please check back to this GitHub for updates to these rules.

FireEye customers can refer to the FireEye Community (community.fireeye.com) for information on how FireEye products detect these threats.

The entire risk as to quality and performance of these rules is with the users.

Please review the FireEye blog for additional details on this threat.

Please note: COSMICGALE and SUPERNOVA signatures and indicators are confirmed to detect malicious files and activity, however they have not been directly associated with the…

FireEye have also published a technical report which provide an in-depth look into the operation of this new malware dubbed the "SUNBURST Backdoor" by FireEye and Solorigate by Microsoft.

VX-Underground, a place with one of the largest collection of malware source code, samples, and papers on the internet posted a tweet regarding the malware.

The "SUNBURST" / "Solorigate" malware sample can be obtain HERE.

Caution: Download at your own risk!

Conclusion

FireEye has released new information on the recent breach that occurred on the 8 of December 2020.

The scale of the attack might be larger than just FireEye alone. A whole supply chain attack campaign, with attack methodologies similar to the recent FireEye breach, has been identified.

If you have any resources that can help the community, do post them in the comment section.

As the saying goes "it's not a matter if, its a matter of when. Stay Safe and keep up with the news for the latest update.


References


Thanks for reading!

Signing off

~Jason K.

Discussion (0)