Security Advisory: FireEye Hacked: what have we done
We have been investigating the impact and implications of the recent FireEye Hack, which resulted in the bad actors absconding with the FireEye Red Team Tools. Our product team has combed through the findings from FireEye and have implemented appropriate countermeasures.
I would like to S.P.I.N. * the situation for you.
There’s a lot of press about this event which outlines the details of the hack, so we will not be going into that here. To summarize, the Red Team Tools that FireEye uses to perform Pen Testing or offensive attacks to validate security controls have been exposed through an unauthorized access of these tools from FireEye.
As these tools are used in offensive attacks, the concern is that bad actors will be able to leverage them to attack customers.
The risk level of new zero-day attacks is minimal, as these tools leverage well known and already published TTPs. In other words, sophisticated bad actors are already leveraging these TTPs in their own tools. The real implication here is an uptick in attacks by what we “lovingly” call “script kiddies”. These bad actors are far less sophisticated/skilled and these tools will help them “up their game”.
The risk of increased attacks/activity by the “script kiddies” requires a heightened diligence to ensure security controls are doing what is expected of them and validate they are performing as designed.
Actions we have taken:
- Our product teams have poured through the IoCs and YARA rules released by FireEye and have matched nearly 100,000 payloads that can be linked to these TTPs.
- For customers on our EDRaaS Complete (fully-managed) offering: we have performed a threat hunt for these payloads in your environment and if anything was identified, we have already cleaned it out.
Actions you should take:
- For customers on our EDRaaS Plus (self-managed) offering: we have performed the threat hunt for these payloads in your environment and if anything was identified, you will be hearing from our technical operations team with any specific actions that require your attention.
- For those customers not yet on our EDRaaS offering, please reach out to your endpoint security product manufacturer to understand what they have done or can do for you.
If you need any help, or would like to evaluate our EDRaaS, please reach out to your Account Executive. We are here to help, and our teams are available should you need any support or find yourself impacted by an attack.
* SPIN is our internal SPIN Engineering methodology to quickly disseminate content and knowledge both internally and to our customers.