December 17, 2020

FireEye Breach: Countermeasure Scanner Available for MSP RMM Tools

By Ryan Weeks
Threat AnalysisDatto RMM

FireEye, a California-based cybersecurity firm that provides businesses with hardware and software tools to detect malware, was infiltrated by highly-sophisticated state-sponsored adversaries last week.

The stolen tools range from simple scripts used for automating reconnaissance to entire penetration testing frameworks similar to those from CobaltStrike and Metasploit. According to the New York Times, the FireEye tools are “designed to replicate the most sophisticated hacking tools in the world.” FireEye uses the tools to look for vulnerabilities in their clients’ systems. The hackers stole FireEye Red Team assessment tools from a closely guarded digital vault.

FireEye quickly published methods to detect malicious use of the tools.

What This Means for Datto Partners and MSPs

Datto has created a FireEye Red Team Countermeasure Scanner that leverages the FireEye published detection methods. MSPs can use the scanner to detect indicators that the stolen tools are being, or have been, used on managed systems.

The FireEye Red Team Countermeasure Scanner:

  • Utilizes the YARA scanning tool by VirusTotal alongside published countermeasures files from FireEye
  • Scans executable files on Windows systems for the presence of FireEye Red Team’s stolen tools
  • Identifies where the stolen FireEye tool is located if detected

If you have a detection that you believe to be a true positive, we suggest you work with a qualified incident response firm to aid you in conducting an investigation into the potential presence of a threat actor.

The FireEye Red Team Countermeasure Scanner is currently available free of charge to Datto RMM partners on the ComStore. Additionally, Datto has made available a script that can be used in conjunction with any RMM to help the larger community prevent and detect threat actors misusing these stolen tools.

Now is a time to remain vigilant and take an active role in hardening systems against these, now known, tactics. Implement preventative and preparatory measures like enabling two-factor authentication (2FA), assessing your environment for the CVEs leveraged by the FireEye tools, asking your key vendors if they used the vulnerable software, implementing the FireEye suggested monitoring, and creating a cyber resiliency plan.

Suggested Next Reads