FireEye's Red Team tool theft report and its effects
Over the past few days, security forums and communities have accordingly been filled with suggestions and reports that try to reduce the resulting risk. The following document attempts to minimize the impact of this risk for the company's customers, taking a realistic look based on the document published by FireEye and on the efforts of its own security experts.
According to a post published on FireEye's blog on December 8th, the company claims that the tools used by its Red Team were stolen during a sophisticated attack. In a separate report, FireEye announced the detection of a malware it named SUNBURST. That report states that this malware is compromising government organizations and private companies around the world using several advanced techniques together with the backdoor identified in SolarWinds. The analysis of this malware mentions a C&C server under the avsvmcloud.com domain; the malware sends its requests to subdomains of it. The risk level of this report is so high that the US Cyber Security Agency (CISA) has issued an urgent warning, by phone, to all government companies and organizations in that country to check the security status of their networks and to disconnect their SolarWinds servers from the network or turn them off. It appears that the intrusion into the FireEye network was also carried out through this vulnerability, or even that the company itself played a role in it.
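As an added example (not part of the original report or of FireEye's countermeasures), a small Python filter that flags resolver log lines querying avsvmcloud.com or any subdomain of it, the behaviour the analysis describes; the log format and the sample lines are constructed, and the subdomain labels are placeholders.

```python
"""Flag DNS log entries that query avsvmcloud.com or any subdomain of it."""
import re
from typing import Iterator, Optional

# The SUNBURST analysis names avsvmcloud.com as the C&C domain; the backdoor
# sends requests to subdomains of it, so the apex and every label beneath it count.
C2_DOMAINS = ("avsvmcloud.com",)
# Assumed (constructed) resolver log format: "<timestamp> <client-ip> query: <qname> <qtype>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+query:\s+(\S+)\s+(\S+)$")

def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so FQDN and relative forms compare equal."""
    return name.lower().rstrip(".")

def matches_c2(name: str) -> bool:
    """True for the C&C domain itself or any subdomain of it. The '.' boundary
    keeps look-alikes such as notavsvmcloud.com from matching."""
    n = normalize(name)
    return any(n == d or n.endswith("." + d) for d in C2_DOMAINS)

def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields; None if it is not a query record."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return {"ts": ts, "client": client, "qname": normalize(qname), "qtype": qtype}

def suspicious_queries(lines) -> Iterator[dict]:
    """Yield parsed records whose queried name belongs to the C&C domain."""
    for line in lines:
        rec = parse_line(line)
        if rec and matches_c2(rec["qname"]):
            yield rec

def affected_clients(lines) -> set:
    """Client IPs that queried the C&C domain: the hosts to isolate first."""
    return {rec["client"] for rec in suspicious_queries(lines)}

# Constructed sample lines, not real traffic; the subdomain labels are placeholders.
SAMPLE_LOG = [
    "2020-12-14T09:12:01Z 10.0.0.21 query: www.example.com A",
    "2020-12-14T09:12:07Z 10.0.0.21 query: placeholder1.avsvmcloud.com A",
    "2020-12-14T09:13:40Z 10.0.0.35 query: Sub.AVSVMCLOUD.COM. AAAA",
    "2020-12-14T09:14:02Z 10.0.0.40 query: notavsvmcloud.com A",
    "2020-12-14T09:14:09Z 10.0.0.40 query: avsvmcloud.com.example.org A",
    "malformed line without a query",
]
```

Running `affected_clients(SAMPLE_LOG)` over the constructed lines returns only the two clients that queried the C&C domain; the look-alike and the name that merely contains it as a prefix are not flagged.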
Kevin Mandia, the company's CEO, stated that, judging by the type of attack and the techniques used, the attack was likely backed by governments. The company stated that there is no evidence that any of its partners have used these tools. The stolen tools range from simple utilities to security frameworks, but none of them contain zero-day exploits. It should be noted, however, that given the nature of the company and of its employers, which are American security institutions, the capabilities of these tools are certainly far greater than the level mentioned in the statement.
A list of countermeasures and preventive measures, which is kept up to date, is posted on FireEye's GitHub page. It is accessible at the address below and includes the following items.
https://github.com/fireeye/red_team_tool_countermeasures
The full report on this news was prepared by the cyber security operations unit of Gostar Sharif Security Company and can be viewed through the link below.