THE TIBERIUM BLOG - recent events, threats, and all things cyber

Burning Down The House

This week, none other than top-flight information security outfit FireEye announced that it had been hacked, claiming that a nation-state with ‘top-tier offensive capabilities’ had stolen its stash of ‘Red Team assessment tools’.

Since FireEye acquired the go-to (for large corporate, Enterprises and those with deep pockets at least) incident response firm in 2014, in fact, Kevin Mandia is the current chief, you would expect them to be able to have a good stop at whodunnit, and the smart money is on, you guessed it, those pesky Russians. Blow us down with a feather.

The hack was announced in a blog written by Kevin Mandia. This raises some interesting points to consider:

  • A novel combination of techniques was used by attackers ‘highly trained in operational security and executed with discipline and focus’.
  • FireEye is working with the FBI, Microsoft and other “key partners.”
  • The focus of the blog is the access and exfiltration of FireEye’s `Red Team tools which, they say, did not include any Zero-Day exploits. Presumably, these exploits are locked away in a more secure or obscure location because they certainly exist.
  • Towards the end of the blog, it says these this: “Consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers. While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems. If we discover that customer information was taken, we will contact them directly”.

Before we go any further, we would like to point out that FireEye’s response to the loss of the Red Team tooling has been nothing short of exemplary. They have published detection and countermeasures for all of their tools on GitHub and have, broadly, been well supported by the industry. Presumably, a very twitchy industry, are now having a thorough look through their own drawers.

The suggestion that Government data has been half-inched has sent the willies around the world of state security. NATO officials have suggested that not just Red Team code, but also tools to counter the offensive measures of other Nation States (Russia) has been taken and is no doubt being dismantled as we type 

The implication in the blog that Microsoft systems may have been involved (of course they were) is very interesting, and we would very much like to see the details at some point in the future, from one side or the other! We will be monitoring zee dark webs over ‘The Holidays’ and will keep you updated. Maybe it involved Bronze Tickets! 

This FireEye news is Platinum or at least red hot, the news about ongoing Kerberos issues with Microsoft authentication is Bronze. Bronze tickets to be precise.

Following on from the well-reported Gold, and Silver ticket Kerberos attacks, a new attack has arisen, the Kerberos Bronze Bit Attack for which proof of concept code has been published.

Patching this bug Named the Bronze Bit attack, or CVE-2020-17049, is proving problematic for Microsoft who have tried to bolt the gate somewhat unsuccessfully from November Patch Tuesday onwards, inflicting authentication issues on users in the process.

We will have a good look at the potential of this exploit which totally bypasses the Windows authentication system. Patching and more patching is the name of the game and we will include detection on our platform.

Who knows, this may be the first FireEye Red Team 2.0 tooling.

We all know that FireEye produces an Endpoint Security Agent and wonder what could possibly have gone wrong. Perhaps a busman’s holiday situation? We will probably never know.

Tiberium is confident that our Cyber Defence Centre which focuses on the detection and automates reaction to attacks, supported by Bots, Threat Hunters and expert Analysts would perform well in any attack scenario to catch a threat actors (they are only human for now) mistakes. We would very much like to demonstrate it to you

We think that automated response is the only solution to deliver effective outcomes as we approach 2021.

Share on: