Earlier this week, Mandiant/FireEye revealed that a highly sophisticated state-sponsored adversary stole FireEye Red Team/offensive security tools.
Use of offensive security tools is common practice in the cybersecurity industry–we use them ourselves to stress test our protection against simulated cyberattacks.
Following this breach, FireEye publicly released a set of countermeasures rules. The actual tools were not released to the public and still aren’t available for testing. Nevertheless, the security industry was able to use the information released by FireEye to collect relevant attack IOCs from other available sources.
We have verified the detection state on the attack samples available to us and initial results show that the overwhelming majority were already detected by the existing Sophos anti-malware definitions.
We have made further detection updates since the disclosure and are in the process of locating and verifying detection of any other components that may be relevant.
The top Sophos detection names associated with these tools:
- Mal/Swrort-AE,-L
- Troj/Rubeus-*
- BloodHoundAD (PUA)
- Troj/Seatbelt-A
- Mal/Zafkat-A
- ATK/Cobalt-A,-B,-V,-G
- Exp/20201472-A
- Troj/PrivEsc-*
- ATK/PrivEsc-*
- Troj/DocDl-ABQE
- Troj/Agent-BGFM
- ATK/Tlaboc-F
- Exp/20132465-A
- Harmony Loader (Hacktool)
- Troj/Agent-AYZU
- Troj/AutoG-ID
The core of the stolen toolset is focused on post-exploitation techniques. According to FireEye, the components stolen did not contain zero-day exploits. Organizations that regularly apply security patches across their estate are well prepared against the potential abuse of these tools.
We have checked the vulnerabilities mentioned in FireEye’s “countermeasure” files against Sophos’ IPS signature databases used by Sophos XG Firewall and Sophos UTM and are pleased to confirm strong coverage from the existing signature set. A subset of signatures relevant to endpoint protection is also available on the endpoint IPS.
CVE | IPS Sid (Sophos XG Firewalls) |
CVE-2019-0708 | 1190514210 |
CVE-2017-11774 | 8422 |
CVE-2018-15961 | 2300872, 1181116050 |
CVE-2019-19781 | 2301366, 52620, 2301639, 2303158 |
CVE-2019-3398 | 50169, 50170, 50168 |
CVE-2019-11580 | In release pipeline |
CVE-2018-13379 | 2301565, 51371, 51372, 2300726 |
CVE-2020-0688 | 2302419, 2302422 |
CVE-2019-11510 | 1190822080 |
CVE-2019-0604 | 55862, 49861 |
CVE-2020-10189 | 2302318, 2302321, 2302322, 53434, 2302053, 2302054 |
CVE-2019-8394 | In release pipeline |
CVE-2016-0167 | 38491, 38765 |
CVE-2020-1472 | 56290, 1200811220, 2304011, 2304013, 2304014, 2304015, 2304016, 2304017, 55802, 55704, 55703, 2303764, 2303765, 2303768, 2303769 |
CVE-2018-8581 | 1000550 |
Should you have any concerns around the potential use of these tools in future real attack scenarios, please speak to your Sophos representative.
In the meantime, we encourage all customers to use this incident as a timely prompt to check that your security patches are fully up to date.
As an active member of the Cyber Threat Alliance, Sophos is committed to working collectively with the cybersecurity industry to fight cybercrime. We commend FireEye for their disclosure and have reached out to their security team to share more information on the actual toolsets.