
[Closed] Well that's a bit embarrassing

Posts: 13916
Free Member
Topic starter
 

https://www.bbc.co.uk/news/world-us-canada-55240408

"Based on my 25 years in cyber security and responding to incidents, I've concluded we are witnessing an attack by a nation with top-tier offensive capabilities,"

Yeaaaah.... Or you're just not as clever as you thought you were!!

Good luck with the share price 👍


 
Posted : 09/12/2020 9:01 am
Posts: 5055
Free Member
 

That's one big scalp.


 
Posted : 09/12/2020 9:06 am
Posts: 24498
Free Member
 

Alanis Morrissette is warming up as we speak....


 
Posted : 09/12/2020 9:12 am
Posts: 4170
Free Member
 

If you were running a high-profile cybersecurity company, wouldn't you expect an attack by a nation with top-tier offensive capability? And wouldn't you keep your "Red Team" tools offline, air-gapped, unless actually in use?


 
Posted : 09/12/2020 9:24 am
Posts: 10225
Free Member
 

It's a bit concerning really if a security firm with a good reputation gets hacked. Be interesting to see if any detail comes out about how it happened - I'm assuming it probably won't. Normally it's malware being installed by a click on a link by a member of staff or something along those lines, but you'd think this company would have had that covered. Same with the security of the network etc. - wonder if they've had a lot of remote working from Covid and that gave an opportunity to get into their systems. Still - you'd also think they'd have compartmentalised their system so it was hard to navigate all through it - particularly to something sensitive like all their test hacking tools.


 
Posted : 09/12/2020 9:26 am
Posts: 17779
Full Member
 

Oh well I guess it was, er, Venezuela perhaps?


 
Posted : 09/12/2020 11:23 am
Posts: 7033
Free Member
 

"oops"


 
Posted : 09/12/2020 11:29 am
Posts: 8613
Full Member
 

Not a massive fan of FireEye (I'm looking at you xagt.exe...) but defending against a nation-state attack can be all but impossible if they're using zero day exploits. You're probably not talking about a SQL injection in a web form and two hops later you're on a domain controller with a Kerberos golden ticket.

Having the red team tools remotely accessible (presumably in this case via a VPN) is questionable, but if they're regularly updated it's not really practical to have team members return to an office to keep them updated, especially if working a long way away from an office whilst on a customer engagement. It also depends how sophisticated those tools were; they could range from just automating well-known exploits to zero-day secret squirrel stuff.

It wouldn't surprise me if the red team tools weren't the main target though. Unless FireEye is sitting on undisclosed vulnerabilities (which are worth a lot of money) that are used by the tools, then a nation-state capable of a sophisticated hack will most likely have its own well-developed toolkit. They're probably more interested in information FireEye may have about current/future targets (from red team engagements etc.) - if that sort of info has been obtained in this hack then yes, that's pretty unforgivable.


 
Posted : 09/12/2020 12:12 pm
Posts: 460
Full Member
 

I won't say too much on this as it's my field, but it's a shrewd move from the Actor popping the tools such that they had no choice in disclosing the breach in case they ever surfaced. They were never the target, merely used to force the disclosure. And a salient lesson on making sure you have very, very good forensic real-time monitoring for behaviours.


 
Posted : 09/12/2020 12:17 pm
 DezB
Posts: 54367
Free Member
 

Not a massive fan of FireEye (I’m looking at you xagt.exe…)

Agreed!
God, how dull are we? 😆


 
Posted : 09/12/2020 12:20 pm
Posts: 2304
Full Member
 

They said the tools were not the main target:

"The attacker primarily sought information related to certain government customers," he wrote.

Why would they want to force the disclosure though? What's the point, other than embarrassing/damaging FireEye?


 
Posted : 09/12/2020 12:42 pm
Posts: 8819
Full Member
 

That might be enough. If you make people think their own security is not that good, then maybe people will not hire them...

FWIW I think they are good people with a lot of skills.


 
Posted : 09/12/2020 12:54 pm
Posts: 17209
Full Member
 

Was she wearing a red dress?


 
Posted : 09/12/2020 1:51 pm
Posts: 671
Free Member
 

Hang on, isn't this part of the plot to 'Mr. Robot'? Are we about to see the debt record erased??


 
Posted : 09/12/2020 2:35 pm
Posts: 4985
Full Member
 

Someone's been reading the latest Jack Reacher book.


 
Posted : 09/12/2020 3:11 pm
Posts: 7656
Full Member
 

That’s one big scalp.

Dusting the thread off this now seems a bit of an understatement.
whoops

FireEye seem to have found how they were hacked.
They have released information that a network monitoring tool from SolarWinds was compromised around March/April time.
The list of companies and government agencies who use SolarWinds is rather long and includes the US Pentagon, Treasury amongst others.
Going to be lots of people working overtime trying to figure out if they were compromised and, if so, what was nicked.


 
Posted : 16/12/2020 12:01 am
 tyke
Posts: 19
Free Member
 

Not going to be easy to figure out, as the way monitoring tools like SolarWinds work is to install an agent on every piece of h/w with some form of operating system - PC, laptop, server, firewall, router..... so they get to see everything on the devices and even the network traffic. Typically if it's encrypted traffic through the network they will still get to see it unencrypted, because an agent sits on the endpoint the traffic is being routed to/from. Also the agent is normally excluded from any virus checking as it's loaded as one of the first things when a device gets started up. So an agent can then execute whatever programs it wants on a device, including sending any stuff out from a device to another remote destination, i.e. the hackers.


 
Posted : 16/12/2020 11:52 pm
Posts: 77347
Free Member
 

Yeah, the SolarWinds thing is hard to underestimate, it is a very big deal indeed. We're clear at work, but it's easy to see why a lot of folk weren't.


 
Posted : 17/12/2020 12:00 am