December 10, 2020
Cyber security vendor FireEye has recently disclosed that it was the target of a sophisticated attack that resulted in the theft of its array of offensive security tools (OSTs). These OSTs were often used across FireEye technical service engagements to prove the value of its product stack.
Some of the tools taken in this breach are based on well-known offensive frameworks; the Cobalt Strike framework was definitely in use, as is evident from the naming convention used in FireEye's coverage.
FireEye has also provided a list of CVEs to allow customers to identify any vulnerabilities these tools may exploit. It has been reported that none of the tools target any zero-day vulnerabilities.
Detection and visibility
Here at Comtact we continue to monitor and hunt for relevant indicators of compromise, not only those related to this attack but any malicious activity that may be occurring. If there are parts of your network that have not been secured, we encourage you to close those gaps.
Visibility into your environment is key to identifying malicious activity: if you don't know what's running on your endpoints, how do you know what you're securing? Here at Comtact our Cyber Defence Centre is powered by SentinelOne, which ensures we know what's happening on every endpoint at all times. This then feeds into MS Sentinel to correlate our EDR information with other devices on the network, such as firewalls and Active Directory logs, so that we have a full understanding of your environment at all times. This data is then enriched with threat intelligence, artificial intelligence and known IOCs to ensure that your environment is kept secure. On top of this, the SOC team is constantly developing new detection techniques and carrying out proactive threat hunting to search for things such as misconfigured devices, out-of-date software and, of course, malicious processes.
Comtact is here to help
Here at Comtact we are committed to helping you secure your environments. We are ready to help, and here are a few tips from our team:
- Deploy a SIEM and 24/7 SOC team to monitor and defend against breaches.
- Ensure that all of your environment is covered by your AV/EDR solution. It is also important to keep all software up to date: although no zero-day exploits were taken, some of the exploits can still be used against you if you have not patched the underlying vulnerability.
- If you need help conducting risk assessments of your estate relating to the FireEye breach, or in securing unprotected devices, Comtact is ready to help you deploy SentinelOne in minutes without any business downtime or restarts. SentinelOne will then give you full insight into your endpoints and what is running on them.
- Search your environment for the offensive security tools' hashes. These tools may be on your network waiting to take control, so create a search across your environment for the following hashes to ensure you haven't seen any of the OSTs!
Latest FireEye Indicators of Compromise (IOCs)
We’re here to help, we’re here to secure your environments. We’re in this together.