The company offered no evidence for its claim in a statement published on Tuesday. It said it was offering counter-measures in a GitHub repository.
"We do not know whether the attacker intends to use the stolen tools themselves or publicly disclose them," the company said.
Briefly looking into #fireeye ToC of potentially stolen #redteam tools, nothing caught my eye as "ground breaking". (please tell me if I missed anything)
— Tal Be'ery (@TalBeerySec) December 8, 2020
I find it hard to believe that stealing these tools would have been the goal of this risky operation. https://t.co/9C71KSP0pV
"[Because of this] FireEye is releasing hundreds of counter-measures... to enable the broader security community to protect themselves against these tools."
One of those exploits, known as EternalBlue, turned up in a number of malware attacks after the theft, including WannaCry, the ransomware that spread globally in May 2017.
FireEye, which is valued at about US$3.5 billion (A$4.72 billion), lost about 7% of its value on the stock market in trading after hours.
It's hard to tell exactly what some of the IOCs are for, but there's a lot of standard red team tooling in there (modified mimikatz, dll planting, mof/wmi abuse etc) - nothing jumped out at me as being ground breaking either.
— Alex Plaskett (@alexjplaskett) December 8, 2020
FireEye chief executive Kevin Mandia said: "We have incorporated the countermeasures in our FireEye products — and shared these countermeasures with partners, government agencies — to significantly limit the ability of the bad actor to exploit the Red Team tools."
Mandia, who owned Mandiant, an incident response firm acquired by FireEye in 2014, and who is one of the figures in the security industry never backward in attributing attacks to particular countries, made no attribution this time.
The statement said: "We have been performing Red Team assessments for customers around the world for over 15 years. In that time, we have built up a set of scripts, tools, scanners, and techniques to help improve our clients’ security postures. Unfortunately, these tools were stolen by a highly sophisticated attacker.
"The stolen tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit.
"Many of the Red Team tools have already been released to the community and are already distributed in our open-source virtual machine, CommandoVM.
"Some of the tools are publicly available tools modified to evade basic security detection mechanisms. Other tools and frameworks were developed in-house for our Red Team."
FireEye attempted to play down the theft by saying the stolen tools did not contain zero-day exploits.
"The tools apply well-known and documented methods that are used by other red teams around the world. Although we do not believe that this theft will greatly advance the attacker’s overall capabilities, FireEye is doing everything it can to prevent such a scenario.
"It’s important to note that FireEye has not seen these tools disseminated or used by any adversaries, and we will continue to monitor for any such activity along with our security partners."