AlecTrevelyan
Community Champion
28 Replies
AppDefects
Community Champion

The incident is more of a "statement against FireEye than a catastrophe". Check out their "defensive tools" (yawn) released here https://github.com/fireeye/red_team_tool_countermeasures Seriously? They are nothing compared to the Shadow Brokers leak... 

tmekelburg1
Community Champion

This was my initial suspicion when the story first broke: the threat actors were trying to gain access to FireEye's client vulnerability scans, network layout, etc. The red team tools are important, but their customer data is even more valuable.

 

"Consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers. While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems. If we discover that customer information was taken, we will contact them directly."

 

FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community 

tmekelburg1
Community Champion

According to the Washington Post article, APT29 (Cozy Bear) is responsible. It'll be interesting to find out whether any client data was breached, and from whom.

 

MITRE ATT&CK APT29 

 

Spies with Russia’s foreign intelligence service believed to have hacked a top American cybersecurit... 

 

"The breach was disclosed by FireEye on Tuesday, though the firm did not attribute it to Russia’s foreign intelligence service. It was detected in recent weeks, said one of the people, who like others interviewed for this story spoke on the condition of anonymity because the investigation is ongoing."

 

Russia's FireEye Hack Is a Statement—but Not a Catastrophe 

 

“The most important data that a company like FireEye has is data about its customers. The second most important data they have are the sources and methods they use to protect their customers,” like threat intelligence data, says Richard Bejtlich, former chief security officer of Mandiant, the incident response division of FireEye, and principal security strategist at the network analysis firm Corelight. “Farther down the line are the red team tools, where they’re emulating adversaries.”

JKWiniger
Community Champion

OK, I'll go there... to me this sounds like things being exaggerated to try to make the company look good. I would much sooner believe someone made a dumb mistake and it got exploited than this massive force they make the attack out to be. It seems like their way of trying to save credibility with their clients while admitting that even the best of us make dumb mistakes sometimes.

 

Just my .02

 

John-

tmekelburg1
Community Champion


@JKWiniger wrote:

OK, I'll go there...


LOL, someone had to! It's hard to know what's true unless more information is released to the public. I'd wager you're onto something though.

AlecTrevelyan
Community Champion

Seems it was a supply chain attack that affected a number of other organisations:

 

https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html

 

SolarWinds users better get patching:

 

https://www.solarwinds.com/securityadvisory

 

AndreaMoore
Community Manager

Community,

We’re sure you’re watching the developing headlines that are emerging about a reported intrusion at the Commerce and Treasury departments that potentially involve compromised vendor software updates.

What are your key takeaways so far? When announcements like these occur, what are the first steps you take to determine if your organization is at risk? How do you stay alert and informed? 

While being widely reported, here are a few sources:




ISC2 Community Manager
tmekelburg1
Community Champion


@AndreaMoore wrote:

Community,

We’re sure you’re watching the developing headlines that are emerging about a reported intrusion at the Commerce and Treasury departments that potentially involve compromised vendor software updates.

What are your key takeaways so far? When announcements like these occur, what are the first steps you take to determine if your organization is at risk? How do you stay alert and informed? 


I immediately reached out to our MSP to make sure they were aware, and did some discovery on my part to see whether they used SolarWinds to help protect their network. Being breached through our MSP is what I worry about the most in these types of situations.