FireEye recently reported it had fallen victim to a major cyber attack.
“This attack is different from the tens of thousands of incidents we have responded to throughout the years.” – Kevin Mandia, FireEye CEO
However, this now appears to be the first of a series of attacks to come.
The attack is believed to be a state-sponsored attack pulled off by highly advanced professionals of operational security.
The prize: FireEye’s “Red Team” attack test tools.
Just days after the FireEye announcement, the same group of hackers breached SolarWinds’ security software, Orion.
SolarWinds has identified over 18,000 customers that have potentially been affected by this breach—government entities, healthcare facilities, and many Fortune 500 companies.
Businesses everywhere need to take this as a warning sign that cyber attacks can happen to any business at any time.
The best thing you can do to protect yourself is to minimize your attack surface.
Get our Ransomware Prevention & Response Guide
Here’s what you need to know and how to get started.
What is FireEye?
FireEye is one of the largest cyber security companies globally, providing services to detect and prevent cyber attacks.
They help many businesses, including the government, stay ahead of and respond to cyber threats.
The Attack On FireEye
Investigations revealed that the attackers gained access to FireEye’s Red Team Tools. These security tools mimic the activity of various cyber threats testing the security posture of clients.
None of the tools contain zero-day exploits.
Nothing new or novel was leaked.
Many of the Red Team Tools are open-source and have already been released to the community.
These powerful tools, however, can still be used to launch additional attacks.
Some cyber security experts speculate FireEye’s access to various vulnerability reports could have been a motive. Others believe it will be used as a disguise for attacks in the future.
“Hackers could leverage FireEye’s tools to hack risky, high-profile targets with plausible deniability.” – Patrick Wardle, former N.S.A. Hacker
The true motive behind the attack remains unknown.
What are SolarWinds and Orion?
SolarWinds is a networking software company that provides security solutions for companies to manage their IT environments.
Orion, a SolarWinds’ product, is a software solution that offers centralized monitoring for organizations’ entire IT.
The Attack On SolarWinds
On December 14, 2020, it was announced that a global intrusion campaign impacting SolarWinds’ Orion software product had occurred using a malware called Sunburst.
Hackers managed to inject the malware into legitimate updates provided by Orion in March 2020.
The attack was unknown until FireEye, a victim of the same attackers, discovered the malware and reported on the attacks on December 13.
The malware metastasized undetected for months, disguising itself as the Orion Improvement Program protocol.
SolarWinds reported that of its 300,000 clients, they believe less than 18,000 had downloaded the Orion update containing the malware.
According to FireEye, once installed on a system, the Sunburst malware could perform actions only available to highly privileged system administrators, including:
- Rebooting machines
- Exfiltrating data
- Execute files
- Alter system configurations
It happened to a major provider of cyber security
It can happen to you.
Fortunately, being the target of an attack this sophisticated is rare.
Most cyber attacks can typically be prevented or minimized using common sense security measures in your IT environment.
IT Environment Hygiene Checklist
- Multi-Factor Authentication (MFA)
- Strong Credentials
- Backups – Isolated/Offline
- Patching
- Least Privileged Access
- Endpoint Defense
- Vulnerability Scanning
- Review Admin Accounts
- Network Segmentation
The majority of attacks are being performed by smaller groups of cybercriminals looking for easy opportunities. Don’t let your business be a sitting target!
Organizations that are underfunded and unprepared when it comes to cyber security are at the greatest risk.
Start minimizing your attack surface
The goal is to eliminate any unnecessary end-points and to organize and secure the ones you need.
Your IT team should be able to identify systems or applications that are on your network unprotected and are exposed to the internet. Any application or system that does not need to be exposed to the internet should be segmented such as:
- Remote Desktop Protocol
- Printers
- Phones
- Camera systems
- Internal applications
Get your IT environment organized
Contrary to belief, setting up basic security protocols does not have to be disruptive or expensive—and is far less so than falling victim to a cyber attack.
The better you prepare yourself, the more likely the attackers will move on. And in the worst-case scenario, you will be prepared to respond and recover with minimal disruption.
We’ve put together some of the most commonly needed items to start improving your security posture and your IT hygiene.
