FireEye Red Team tools have been stolen

Posted date 10/12/2020

FireEye, one of the world's leading cybersecurity companies dedicated to vulnerability analysis and prevention, has reported being the victim of a cyberattack through which its Red Team pentesting tools were stolen.

The cybercriminal, a highly sophisticated threat actor, has gotten to steal data ranging from simple scripts to entire frameworks similar to CobaltStrike and Metasploit. There are no 0-Day exploits among the above, nor been any leakage of client data.

In response to this incident, FireEye has issued over 300 countermeasures to protect its clients from stolen Red Team tools, and has also shared them with partners and government agencies to limit their ability to exploit them.

At present, there is no evidence that the stolen tools have been distributed or used, and a monitoring is maintained.

[Update 12/15/2020] Kevin Mandia, CEO of FireEye, has posted a blog entry updating the information provided on FireEye's Red Team tool theft. In the post, he states that they have identified a global campaign that engages the networks of public and private organizations throughout the software supply chain, using updates to an IT infrastructure management software widely used by various organizations, called the SolarWinds Orion Platform. In addition, a SolarWinds briefing note to the U.S. Securities and Exchange Commission (SEC) details that there has been significant media coverage of attacks on U.S. government agencies and other companies, and many of these reports attribute these attacks to a vulnerability in Orion products. SolarWinds continues to investigate, in collaboration with the FBI and other US government agencies, whether and to what extent the vulnerability in Orion products was successfully exploited in any of the reported attacks.