Positive Technologies Discover Use of FireEye Tools Stolen by Hackers

By Enterprise Security Magazine | Wednesday, January 06, 2021

Positive Technologies products can now discover the use of FireEye pentesting tools stolen by hackers.

FREMONT, CA: The PT Network Attack Discovery in-depth traffic analysis system, PT Sandbox, the MaxPatrol 8 compliance enforcement and vulnerability management system, the MaxPatrol SIEM incident detection system, and the PT Industrial Security Incident Manager ICS traffic analysis system now detect the use of the tools that FireEye specialists employ to conduct pentests for their clients. During a recent hacker attack, these tools ended up in the hands of attackers.

According to PT Expert Security Centre specialists, some of the stolen tools were already freely available and commonly used. Attackers use tools of this kind to develop an attack within the infrastructure, gain a foothold in it, and set up a remote access channel. Criminals typically adopt a new weapon within the first few days (and sometimes hours) after it appears. For example, the Cobalt group began using CVE-2017-11882 in their attacks one day after public information about this vulnerability emerged.

FireEye has also released a list of the vulnerabilities its red team used for penetration testing. MaxPatrol 8 finds most of these vulnerabilities, which helps limit the effectiveness of the stolen FireEye tools. PT NAD can recognize exploitation of six of the vulnerabilities. MaxPatrol SIEM uses Windows event analysis to identify six of the most common techniques used in the vast majority of attacks aimed at fully compromising an infrastructure.

"Most of the detection rules in MaxPatrol SIEM are not confined to specific groups and their tools," explains Anton Tyurin, Head of Expert Services at PT ESC. "This means that with the help of one rule, the system can detect the activity of several similar tools at once. This approach allows covering a good deal of popular hacker software."

Andrey Voitenko, Product Marketing Director at Positive Technologies, said: "APT groups are increasingly conducting supply chain attacks, hacking organizations through their less secure suppliers or customers. And the situation with FireEye is no exception. To protect against such threats, it is not enough to focus on preventing attacks and controlling only the perimeter; it is crucial to monitor and perform deep analysis of what is happening inside the network, and tools are needed to identify threats in a timely manner."
