FireEye, a leading cybersecurity company, reported on December 8, 2020 that its network had been breached and its Red Team assessment tools exfiltrated. The breach is believed to be the work of a state-sponsored Advanced Persistent Threat (APT) group. The stolen data includes internal, custom-built Red Team and penetration testing tools. FireEye cautioned that these tools could be used by attackers against other targets.
Hillstone Networks’ security research and response team has released signatures for its products to protect against threats from FireEye Red Team tools. Hillstone Networks advises customers to deploy the latest signatures to obtain up-to-date protections.
On December 8, 2020, FireEye published a blog post, “Unauthorized Access of FireEye Red Team Tools”, revealing that an Advanced Persistent Threat (APT) group had infiltrated FireEye’s network and stolen its Red Team tools. The tools range from simple scripts used to automate reconnaissance to entire frameworks similar to publicly available technologies such as Cobalt Strike and Metasploit.
Because FireEye is not certain of the attacker’s intentions, it has released hundreds of countermeasures (detection signatures) so that the network security community can protect against the stolen tools. These countermeasures are available on GitHub.
In addition, FireEye published a list of 16 CVEs exploited by its tools, all of which are previously known vulnerabilities from the past few years.
Patches have been released for all the above CVEs. The list of patches is in Figure 1. CUSTOMERS ARE ADVISED TO INSTALL THESE PATCHES IMMEDIATELY.
Figure 1. List of patches for known CVEs in FireEye Red Team tools
Hillstone Networks’ security research and response team has analyzed the FireEye Red Team tools and created signatures to help protect our customers. Customers using the following Hillstone Networks products should update the IPS signature database to version 2.1.382.
- Hillstone Network Intrusion Prevention System (NIPS)
- Hillstone Next Generation Firewalls Series
- Hillstone CloudEdge
- Hillstone CloudHive
- Hillstone Server Breach Detection System (sBDS)
Hillstone Networks’ Cloud Sandbox has also been updated to detect these threats online.
Hillstone Security Research and Response Team
As a leading provider of enterprise network security and risk management solutions, proactively protecting our customers is our highest goal, which is why we have dedicated so many security research and response team members and resources to uncovering vulnerabilities in widely used products. We will continue to devote our efforts to safeguarding global network security at the edge, in the core, in the data center and in the cloud.