On December 8, 2020, FireEye announced that they had been breached by a highly sophisticated threat actor. Due to the nature of the attack, the discipline, operational security, and techniques used, FireEye suspects it was a state-sponsored attack.
During the initial investigation, it was discovered that the attacker targeted and stole the Red Team tools used by FireEye. These tools mimic many cyber threat actors' behavior and enabled FireEye to test and assess their customers' security posture.
What Vectra users need to know
Vectra customers can rest easy knowing they are protected from any attackers leveraging the stolen tools. Scroll down for an overview of each tool and the Vectra detections associated with each.
FireEye publishes open-source detections
The stolen tools range from simple scripts used to automate reconnaissance to entire frameworks similar to publicly available technologies, such as CobaltStrike and Metasploit.
FireEye has gained popularity over the years for helping organizations around the world respond to breaches, so it’s no surprise that a leader in incident response knows how to appropriately respond. Within 24 hours, FireEye published the list of signatures that can detect the stolen tools for the most popular open-source frameworks, including Snort, YARA, ClamAV, and HXIOC, in a public github repository, effectively rendering these tools useless.
FireEye has been specific in that no zero-day exploits have been leaked, which means that the stolen tools leverage already known vulnerabilities. Nevertheless, creating custom Red Team tools is a significant time investment for attackers. By releasing the signatures to detect them, FireEye is making sure that attackers can’t use them without being easily spotted.
We applaud and commend FireEye for their disclosure and collaboration with the security community regarding this incident.
Overview of tools and detections
After reviewing the information shared by FireEye, the Vectra security research team understood the objectives of many of the stolen tools, how those tools would present on the network, and how Vectra's AI approach can identify their use in an attack.
ADPASSHUNT: A credential theft tool designed to locate passwords for AD accounts. The stolen tool would allow an attacker to identify valuable credentials and use them to move laterally deeper into the network. Vectra’s Privilege Access Anomaly alerts can identify the usage of stolen credentials no matter how and where they are accessed.
BEACON: A command and control tool leveraging DNS, HTTP, and HTTPS protocols. The stolen tools take advantage of a variety of Cobalt Strike’s Malleable profiles, allowing attackers to mask their control traffic to make it appear benign. Vectra’s Hidden DNS Tunnel, Hidden HTTP Tunnel, and Hidden HTTPS Tunnel algorithms were designed to alert on these types of control channels regardless of the tools used to create them. The underlying AI can identify the core control behavior regardless of evasion tactics used.
FLUFFY: A utility designed preform Kerberoasting. Kerberoasting would allow an attacker to access credential hashes that can be cracked offline and used to move laterally in the network. Vectra’s Privilege Access Anomaly alerts can identify the usage of stolen credentials no matter how and where they are accessed from.
IMPACKETOBF: A utility capable of supporting communication over SMB and MSRPC. An attacker would use this type of tool to perform remote execution with a stolen account to move laterally in the environment. Vectra’s Suspicious Remote Execution can identify when stolen credentials are used to perform remote code execution.
PUPPYHOUND: An AD reconnaissance mapping utility. The tool would allow an attacker to map the environment and understand what rights and permissions are required to progress to their end goal. Multiple Vectra models, RPC Recon, Suspicious LDAP Query, and Automated replication can identify different aspects of this type of reconnaissance behavior.
REDFLARE (Gorat): A command and control tool. This would allow an attacker to exert remote control over a host in the network. Vectra’s Hidden HTTP Tunnel was designed to alert on these types of control channels regardless of the tools used to create them.
SAFETYKATZ / EXCAVATOR: Credential dumping tools. This would allow an attacker to steal credentials and move laterally to other host machines. Vectra’s Privilege Access Anomaly alerts and Suspicious Admin can identify the usage of stolen credentials no matter how and where they are accessed from.
We are here to help
Vectra is always available if you need to improve your security operations and enhance your incident response capabilities or need a risk assessment relating to the FireEye breach. The Vectra Advisory Services experts offer a wide range of solutions tailored to your organization’s specific needs, including executive briefings.
Nathan Einwechter leads the Security Research team at Vectra. He has two decades of cybersecurity experience focusing on advanced threat incident response, reverse engineering, and offensive security.