Positive Technologies products discover use of FireEye pentesting tools stolen by hackers

The PT Network Attack Discovery system for deep traffic analysis, PT Sandbox, MaxPatrol 8 compliance and vulnerability management system, MaxPatrol SIEM incident detection system, and PT Industrial Security Incident Manager system for ICS traffic analysis detect the activity of tools used by FireEye specialists to perform pentests for their clients. The tools fell into the hands of attackers during a recent hacker attack.

According to PT Expert Security Center specialists, some of the stolen tools were already publicly available and widely used. Attackers use this type of tools to develop the attack inside the infrastructure, gain a foothold in it, and organize a remote access channel. In this case, criminals adopt a tool in the first few days (and sometimes hours) after its appearance. For example, the Cobalt group began using CVE-2017-11882 in their attacks within one day after the appearance of public data about this vulnerability.

PT ESC experts have analyzed the data published by FireEye employees to detect the use of their tools by attackers (34 rules for Snort 1). Any activity covered by these rules is automatically detected by PT NAD: the product detects the use of three tools out of the box, and, to detect the activity of the fourth tool, PT ESC specialists have uploaded the latest detection rules. Thus, PT NAD users do not have to adapt and upload the rules from FireEye themselves. Today, ICS networks are also targets for criminal hacker groups. Therefore, the necessary indicators for detecting the activity of these tools have also been added to PT ISIM.

In addition, FireEye specialists have released a set of YARA rules to detect other pentesting tools. PT ESC experts have analyzed their effectiveness, identified the optimal set of rules with a minimum false positive level, and added it to PT Sandbox, which performs a comprehensive analysis of files in the infrastructure. These rules will allow PT Sandbox to detect the use of stolen tools created on the basis of the well-known Cobalt Strike, Rubeus and Impacket, as well as a number of highly specialized FireEye tools.

FireEye has also published a list of vulnerabilities used by its own red team employees for penetration tests. MaxPatrol 8 will identify vulnerabilities that are most characteristic of the software used in Russian companies, which will help limit the effectiveness of FireEye tools. The exploitation of six vulnerabilities can be detected with the help of PT NAD. MaxPatrol SIEM uses Windows event analysis to detect the activity of six of the most popular tools that are used in the vast majority of attacks aimed at completely compromising the infrastructure.

"Most of the detection rules in MaxPatrol SIEM are not confined to specific groups and their tools," explains Anton Tyurin, Head of Expert Services at PT ESC. "This means that with the help of one rule, the system can detect the activity of several similar tools at once. This approach allows covering a good deal of popular hacker software."

"APT groups are increasingly conducting the so-called supply chain attacks—hacking organizations through their less secure suppliers or customers. And the situation with FireEye is no exception," says Andrey Voitenko, Product Marketing Director at Positive Technologies. "To protect against such threats, it is not enough to focus on preventing attacks and control only the perimeter—it is crucial to monitor and perform deep analysis of what is happening inside the network, and tools are needed to identify threats in a timely manner."

  1. An open-source intrusion prevention and detection system.