This week
FireEye discloses security breach
The infosec community has been abuzz this week with news that industry giant FireEye, usually called in to help other government departments and large organisations unpick cyber attacks, had themselves been breached.
In a blogpost CEO Kevin Mandia concluded, in the present-tense, that the firm is “witnessing an attack by a nation with top-tier offensive capabilities”. Microsoft and the FBI have been helping investigate the breach.
The company’s ‘red team’ (penetration testing) tools were stolen by the attackers during their intrusion, though the primary objective is believed to be information relating to the cyber security of government customer networks. (Worth remembering that doesn’t automatically equate to the U.S. government!)
Such information would be valuable to those engaged in cyber-espionage and provide a ready-made report on the strengths and weaknesses of their targets. In addition to the reconnaissance, the privileged access to customer networks is an attractive target for attackers via FireEye’s endpoint detection and response platform.
Lots of focus has been given to the theft of the FireEye tools that the company was quick to confirm did not contain any ‘zero-day’ exploits. While the FireEye toolset presents a way to short-cut development time for offensive tooling, a lot were based on open-source projects, and their general use would requiring training of any operatives in their use.
For me, it’s hard to imagine that an advanced adversary wouldn’t relish the opportunity of camouflaging their operations using the very same tooling employed and making attribution murky. FireEye has released 300 countermeasures and detection content to help identify the use of the tools.
On that front, it’s also interesting that FireEye’s own products have been updated to detect these tools. On the surface an obvious and excellent choice, but this obscures that, before the breach, the companies detection capabilities were not benefitting from the attack tools and techniques that they were developing. You could buy FireEye solutions to defend your business that they would also potentially be able to trivially defeat.
That’s not to say that shade should be cast over FireEye. They are not our collective ‘enemy’. FireEye should be commended on a rapid response. (A significant PR risk for any incident response firm.) While details on the response on extensive, we will have to wait for further details on the intrusion itself: including basics on when it was discovered.
fireeye.com, vice.com, theguardian.com
Interesting stats
49% of CrowdStrike’s incident response engagements originated from outside legal counsel, rather than directly from end clients, signalling a shift to conducting IR under legal privilege scmagazine.com
$1 trillion has been lost to cybercrime in 2020, according to the Center for Strategic and International Studies, a figure that would equate to just over 1% of global gross domestic product scmagazine.com
Other newsy bits
… this week is just …
In brief
Attacks, incidents & breaches
- Pfizer/BioNTech vaccine data ‘unlawfully accessed’ during attack on European Medicines Agency theguardian.com
- Brazilian aerospace company Embraer has files leaked following ransomware attack zdnet.com
- Foxconn confirm ransomware, data breach at Mexican facility over Thanksgiving weekend, apparently the work of DoppelPaymer group demanding ~$34M bleepingcomputer.com
- Attacker opens over 2,700 package delivery lockers across Moscow zdnet.com
- Subway U.K. email marketing platform popped, used to send messages to customers leading them to TrickBot malware theregister.com
Threat intel
- Kazakhstan government mandating the installation of root certificates for a ‘cyber exercise’ that will allow agencies to intercept encrypted HTTPS communications zdnet.com
- NSA warning over VMWare vulnerabilities being actively exploited wired.com, nsa.gov, vmware.com
- Norwegian police attribute attack on parliament in August to Russia’s Fancy Bear group, claims access result of brute force attack on email server cyberscoop.com
- MageCart card skimming starting to be hidden inside CSS files zdnet.com
- Qbot updates persistence mechanism, adds itself to outrun on shutdown, then removes on boot-up bleepingcomputer.com
- In an unusual move, Facebook outs Vietnamese IT company CyberOne Group as a front for APT32 aka OceanLotus zdnet.com
Vulnerabilities
- Kubernetes vulnerability allows users with existing permissions in multi-tenants setups to intercept, alter commands for other tenants bleepingcomputer.com
- Radiology devices manufactured by GE Healthcare vulnerable due to hardcoded maintenance passwords arstechnica.com
- Second time lucky for Cisco patching wormable remote code execution bug in Windows Jabber client arstechnica.com
Security engineering
- Privacy-friendly ‘Oblivious DNS-over-HTTPS’ protocol, backed by Cloudflare and Apple, introduces a proxy to separate the source, and request of a domain name techcrunch.com
- Adobe Flash Player will stop working on 12th January 2021 zdnet.com
Internet of Things
- Patch available for QNAP network attached storage (NAS) devices to prevent remote takeover bleepingcomputer.com
- Forescout to publish details of 33 vulnerabilities in open source TCP/IP stacks used in many IoT and OT devices wired.com, cyberscoop.com
Privacy
- Aussie information commissioner finds Flight Centre breached privacy of ~7,000 customers when sharing data that hadn’t been properly anonymised at hackathon in 2017 theregister.com
Public policy
- A report finds that, rather than ‘going dark,’ mobile device forensic tools are providing ready access to info on encrypted handsets, questioning law enforcement’s need for encryption backdoors lawfarblog.com
- National Defense Authorisation Act moves a step closer, acts on 4/5 recommendations made by the Cyberspace Solarium Commission (vol. 3, iss. 11), strengthens Cybersecurity and Infrastructure Security Agency (CISA), creates White House national cyber director position, amongst wide-reaching U.S. legislative changes cyberscoop.com
- The U.K. Ministry of Defence has launched a bug bounty programme for “benign, non-destructive, proof of concepts” theregister.com
Law enforcement
- Cryptocurrency founder sentenced to five years for role in laundering funds from ransomware campaigns, faces on-going extradition requests from U.S. and Russia zdnet.com
Mergers, acquisitions and investments
- NortonLifeLock to acquire Avira, boosting European customer base, for $360M zdnet.com
- Industrial security outfit Dragos raises $110M in series C funding round led by customers tehcrunch.com
- Orca Security raises $55M series B to expand go to market for cloud security platform techcrunch.com
And finally
Final Zodiac killer cipher solved
51 years after the Zodiac killer sent the ‘340 Cipher’ to the San Francisco Chronicle the paper has published the solution, found by a trio of cryptographers from the U.S., Australia and Belgium. The Zodiac murdered five people in the San Francisco Bay Area in the late sixties. No one has ever been charged. The plaintext does not give away a piece of identifying information and instead taunts police and claims an ‘easy life’ in “paradice death”. sfchronicle.com
USB ports and heroin: must be Giuliani’s latest nonsense voter fraud claims
‘Cybersecurity expert’ Rudy Giuliani accused Democrats of “surreptitiously passing around USB ports as if they are vials of heroin or cocaine” in a Zoom call with Georgia legislators. He went on to suggest that prosecutors search poll workers homes for “evidence of USB ports” that would be a surefire sign that they were engaged in voter fraud. vice.com