Highly sophisticated attack on FireEye
Last updated: 10:00 20/12/20
As you may already be aware, on the 8th of December FireEye reported a recent attack by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead them to believe it was a state-sponsored attack.
We’d like to highlight to our clients that due to the nature of the information breached that the attack not only affects FireEye customers, but the wider cyber security community as a whole. In addition, as of December 13th it has become clear that a compromise of SolarWinds Orion network monitoring may also leave SolarWinds clients affected.
All links and resources related to this attack are contained below for further follow up.
The Threat
The FireEye attacker targeted and accessed certain Red Team assessment tools that FireEye use to test their customers’ security. These tools mimic the behaviour of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers. None of the tools contain zero-day exploits.
FireEye have since confirmed that the hackers gained access to FireEye's network as a result of a supply chain attack on SolarWinds. SolarWinds has confirmed that their systems experienced a highly sophisticated, manual supply chain attack on SolarWinds® Orion® Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020.
Recommendations
If you are a SolarWinds customer, SolarWinds are recommending you upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure the security of your environment. The latest version is available in the SolarWinds Customer Portal. If you aren't sure which version of the Orion Platform you are using, see directions on how to check that here. To check which hotfixes you have applied, please go here.
More Information
FireEye continue to investigate the attack in coordination with the Federal Bureau of Investigation and other key partners. Consistent with their goal to protect the community, FireEye are proactively releasing methods and means to detect the use of their stolen Red Team tools. They have developed more than 300 countermeasures that can detect or block the use of their stolen Red Team tools and have outlined their response in detail via their blog.
If you have any specific questions or need more information, you can visit the FireEye partner portal here and the SolarWinds website here, where you can find a list of responses to Frequently Asked Questions.
Further Assistance
Integrity360 would like to ensure that our clients are aware of and protected against the attempted use of these Red Team tools.
Should you require assistance directly, please contact your account manager or use our contact form for further assistance. As always, Integrity360 Managed Security Service (MSS) customers will already be managed through our proactive security approach.
Integrity360 Status Update
As an update to the above advisory, we would like to confirm that we do not operate Solarwinds within Integrity360. The recommendation to clients running Solarwinds versions 2019.4 HF 5 through 2020.2.1 is to upgrade immediately.
Signatures already deployed to our Managed IPS clients include countermeasures to FireEye Red Team Tools and Sunburst backdoor IOCs.
- https://github.com/fireeye/sunburst_countermeasures/tree/main/indicator_release.
- https://github.com/fireeye/red_team_tool_countermeasures
Useful Resources
- Updated 14/12/20 FireEye Blog - Global Intrusion Campaign Leverages Software Supply Chain Compromise
- Update 14/12/20 FireEye Threat Research
- Updated 14/12/20 SolarWinds Security Advisory
- Updated 14/12/20 ZD Net - Mircosoft, FireEye confirm SolarWinds Supply Chain Attack
-
FireEye Stories - FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community
-
FireEye Threat Research – Unauthorised Access of FireEye Red Team Tools
