
Lessons Learned from the FireEye Breach and NSA Disclosure

This week, two sensational disclosures about sophisticated threat actors made their way into the news cycle. First, FireEye revealed that it suffered a significant breach, allegedly orchestrated by a state actor, which, among other things, compromised the offensive security toolkit used by its Red Team. Additionally, the National Security Agency (NSA) issued an advisory detailing that Russian threat actors exploited a recently patched vulnerability in the VMware Access and VMware Identity Manager product suites.

Although this is currently speculation, there is a slim chance that the two incidents are related, since the FireEye attack also points to Russian agencies. Even if they are not related, these attack vectors shed light on interesting trends that demand the cybersecurity community's attention.

When asked general questions around bolstering cyber defenses, the renowned threat intelligence analyst Grugq had a simple but confounding answer, "Depends on your threat perception." However, the Covid-19 pandemic has accelerated the convergence of our threat perception. Remote workforces and evolving operational processes make us vulnerable to threat models that seem uncannily universal now.

Sophisticated Strategies Increase Cybercriminal Ring Profitability

The cost-benefit calculus of the Russian actors who exploited the VMware vulnerability was fully aligned with the realities of the threat landscape. They attacked the most potent attack surfaces affecting remote work: cloud infrastructure and identity management. The command-injection vulnerability in VMware Access and VMware Identity Manager was used as a pivot to generate Security Assertion Markup Language (SAML) assertions in the federated identity management framework, Microsoft Active Directory Federation Services.

The attacker secured a beachhead, then waltzed into the command-and-control. A log-level understanding of how the malicious SAML assertions deviated from established, learned baselines should, if done correctly, hold the answers to how such an attack can be averted in the future.
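As an added illustration of the log-level baselining described above (example code written for this post, not tooling from FireEye, VMware, Microsoft or SilverSky), the snippet below learns a baseline of issuer, audience, assertion lifetime and issuance hours from a set of SAML-issuance records and flags later records that deviate. The log format, field names, hosts and user names are constructed for the example.

```python
from datetime import datetime

# Constructed audit records, one per SAML assertion issued by a federation
# service (made-up sample lines for this example, not real ADFS or FireEye logs).
BASELINE = [
    "2020-11-02T08:01:10Z issuer=https://sts.example.test/adfs audience=urn:app:mail lifetime=3600 user=alice",
    "2020-11-02T08:05:42Z issuer=https://sts.example.test/adfs audience=urn:app:mail lifetime=3600 user=bob",
    "2020-11-02T09:17:03Z issuer=https://sts.example.test/adfs audience=urn:app:crm lifetime=3600 user=alice",
    "2020-11-02T10:30:55Z issuer=https://sts.example.test/adfs audience=urn:app:crm lifetime=1800 user=carol",
]
# Constructed records to evaluate: one normal, one with an implausibly long
# lifetime issued at night, one signed by an issuer never seen in the baseline.
SUSPECT = [
    "2020-12-03T08:14:09Z issuer=https://sts.example.test/adfs audience=urn:app:mail lifetime=3600 user=bob",
    "2020-12-03T02:15:31Z issuer=https://sts.example.test/adfs audience=urn:app:mail lifetime=31536000 user=svc-backup",
    "2020-12-03T09:16:02Z issuer=https://vmware-idm.example.test audience=urn:app:crm lifetime=3600 user=admin",
]

def parse(line):
    """Turn one 'timestamp key=value ...' record into a dict."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    rec["lifetime"] = int(rec["lifetime"])
    return rec

def learn_baseline(lines):
    """Learn the set of known issuers/audiences, the longest lifetime seen,
    and the hours of day at which assertions are normally issued."""
    recs = [parse(l) for l in lines]
    return {
        "issuers": {r["issuer"] for r in recs},
        "audiences": {r["audience"] for r in recs},
        "max_lifetime": max(r["lifetime"] for r in recs),
        "hours": {r["ts"].hour for r in recs},
    }

def find_deviations(lines, baseline):
    """Return (user, [reasons]) for every record that departs from the baseline."""
    flagged = []
    for line in lines:
        r = parse(line)
        reasons = []
        if r["issuer"] not in baseline["issuers"]:
            reasons.append("unknown issuer")
        if r["audience"] not in baseline["audiences"]:
            reasons.append("unknown audience")
        if r["lifetime"] > baseline["max_lifetime"]:
            reasons.append("lifetime exceeds baseline")
        if r["ts"].hour not in baseline["hours"]:
            reasons.append("outside learned issuance hours")
        if reasons:
            flagged.append((r["user"], reasons))
    return flagged
```

A real deployment would learn the baseline from weeks of federation-service logs rather than four lines, and would add the signing certificate and the authenticating session as further baseline dimensions.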

Additionally, a quick look at the FireEye Red Team tools paints a similar picture. While the American cybersecurity community focused on securing the presidential elections and protecting against related attack campaigns, attackers used this window to steal FireEye's own toolkit. Stolen were some of FireEye's most sophisticated hacking tools, used to look for vulnerabilities in its clients' systems. Attackers can now use or sell these tools to launch attacks on vulnerable organizations, potentially including other high-profile ones. The attacks could weaponize a handful of vulnerabilities spanning the most prevalent operational interfaces.

Strategic Monitoring Can Reduce Cybercriminals' Profitability

These attacks provide essential lessons. Garnishing some known remote exploits with privilege escalation bugs in ubiquitous software would breach most moats and fortresses. The lesson is to learn what to instrument and monitor, rather than engaging in a futile bid to instrument everything you can. Ultimately, escalating the costs and minimizing the reward for adversaries is a worthwhile strategy, instead of a wild goose chase of monitoring everything.

SilverSky stands with the cybersecurity community in our unified purpose to secure our customers' businesses. As we learn and adapt to the emerging threat landscape, we continue to remain committed to protecting our customers during these difficult times. If you have concerns about this breach's implications and how you can protect your endpoints, devices, network, and email, reach out to SilverSky.