Recently, the information security vendor FireEye made the news as the latest victim of a breach. FireEye states that its suite of Red Team Tools was among the assets and data the threat actors retrieved.
What is a red team? What are Red Team Tools? Is this something I need to be concerned about? Let’s get some answers to these questions.
What is a red team?
A red team is a dedicated team of computer security professionals tasked with attempting to breach the defenses of an organization. The difference between a red team and an advanced threat or malicious actor is that the red team's actions are sanctioned, both by the organization that employs them and by the customer that hires them to perform the work, and are bounded by agreed rules of engagement. Additionally, after the engagement is completed, an after-action report is shared with the customer.
The report reveals the techniques the red team used to gain access, how they escalated their privileges, and the additional actions they took towards reaching a particular agreed-upon goal. Some red teams are asked to perform adversary emulation, in which they mimic the tactics, techniques and procedures (TTPs) of a specific advanced threat group.
While there is a lot of nuance here, if you've heard of the terms Penetration Test (or "Pentest") and Penetration Testers (or "Pentesters"), they are fairly similar. The usual distinction is that a penetration test tries to find as many vulnerabilities as possible within a defined scope, while a red team engagement is objective-driven and also measures whether the defenders detect and respond to the intrusion. If you want to know more about what defines Penetration Testing, consider taking a look at the PTES, the Penetration Testing Execution Standard. If you're interested in learning more about adversary emulation and red teaming, consider having a look at the MITRE ATT&CK framework. This framework catalogues the tactics and techniques real-world threat groups use, and those are therefore the techniques red teams attempt to emulate.
What are Red Team Tools?
FireEye attributes the breach to a state-sponsored threat actor (widely reported in the press as Russian) that acquired the suite of Red Team Tools it uses on customer engagements. Red Team Tools are oftentimes considered the "secret sauce" of a red team engagement or a penetration test. These are the software applications used for the various tasks during an engagement, ranging from reconnaissance and gathering information about targets, exploiting and gaining initial access, escalating user privileges, maintaining persistence on a host once access has been established, forming hard-to-detect command and control, and everything else in between.
Sometimes the applications used are commercial software such as Core Security’s Core Impact suite and Strategic Cyber’s Cobalt Strike. Other times, these tools can be open-source software, such as the Metasploit Framework or Nmap.
Some professional penetration testers and red teams even develop their own tools, or their own variations on publicly available tools and techniques, sometimes to emulate the bad guys more faithfully, and other times to make the tools more effective or harder to detect. The software FireEye says was stolen is a combination of open-source tools released by the security community and a collection of custom tools developed or modified in-house to better suit the needs of its red teamers.
Should I be concerned?
Well, to some extent. I know that’s not a helpful answer, so let me explain.
FireEye states that there were no zero-day exploits among the tools and applications that were exposed. So, at the very least, this tool leak isn't as bad as when The Shadow Brokers leaked NSA hacking tools in 2016 and 2017. In those leaks, not only were there scores of custom tools and implants, there were also numerous exploits, some of them unpatched zero-days for a wide variety of software and operating systems.
In addition to this bit of good news, FireEye reports that the actors have not yet been observed using the leaked tools. FireEye has not said how it knows this, but it's highly likely that it has mechanisms in place for detecting unauthorized use of its tools, or other methods for determining when its red team tools have been discovered in the wild. That likelihood is probably what drives the assertion that the tools have not yet been misused.
Detection and mitigation
If you are concerned and want to make sure that you and your organization are protected against the tools leaked in this breach, FireEye has published countermeasures for its tools in a public GitHub repository (fireeye/red_team_tool_countermeasures) for anyone to use: Snort rules, ClamAV signatures and YARA rules for detecting the tools, plus a list of the CVEs the tools exploit.
Additionally, Proofpoint's Emerging Threats (ET Labs) team has announced that the Snort rules have been adapted to Suricata and added to the Emerging Threats Suricata ruleset (Suricata also loads Snort 2.x rule syntax directly, so the upstream rules can be used as-is if you don't subscribe). Further, a security researcher from Rapid7 has been mapping the vulnerabilities exploited by FireEye's tools to checks in their Nexpose/InsightVM vulnerability scanners. I would highly advise deploying these rules and signatures in your network as soon as possible; as with any third-party ruleset, load them in alert-only mode first and review the hits for false positives before you let them block anything.
Finally, pay special attention to the list of CVE numbers called out in the GitHub repository. These are the vulnerabilities for which FireEye had working exploits among the leaked red team tools, so any attacker who obtains the tools gets reliable exploitation of them for free. The list includes, for example, CVE-2019-11510 (Pulse Secure VPN), CVE-2018-13379 (Fortinet FortiOS SSL VPN), CVE-2019-19781 (Citrix ADC/Gateway) and CVE-2020-1472 (Netlogon, "Zerologon"), all of which have been widely exploited by real threat groups. If the software or operating systems listed in this file are in use in your organization, please ensure that they are patched or otherwise mitigated as soon as possible.
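The deployment steps above boil down to two questions: will the rule files load cleanly, and which CVEs on the patch list have no network signature at all (so patching is the only defense)? The Python below, an added example that is not from FireEye's repository or from this post, parses Snort 2.x style rules (the same syntax Suricata loads), validates them for the problems that most often break a ruleset (missing or duplicate sids), and reports which CVEs a patch list still lacks coverage for. The sample rules and the patch list are constructed for illustration: the sids, messages and content strings are made up, and only the CVE identifiers are real. Point `parse_rules` at the contents of a real `.rules` file and `uncovered_cves` at the real CVE list to use it for real.

```python
"""Parse Snort-style signatures, validate them, and check which CVEs on a
patch list have network coverage.  Added example; the rules and CVE list
below are constructed for illustration, not copied from any repository."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample rules in Snort 2.x syntax (also accepted by Suricata).
# Illustrative only: sids, msgs and content strings are made up.
SAMPLE_SNORT_RULES = r"""
# Comment lines and blank lines are ignored.
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"EXAMPLE VPN arbitrary file read"; flow:to_server,established; content:"/dana-na/"; reference:cve,2019-11510; classtype:attempted-admin; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"EXAMPLE ADC path traversal"; flow:to_server,established; content:"/vpns/"; reference:cve,2019-19781; reference:url,example.invalid/advisory; classtype:web-application-attack; sid:9000002; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE Netlogon zero-key attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00|"; reference:cve,CVE-2020-1472; classtype:attempted-admin; sid:9000003; rev:1;)
"""

# Constructed patch list, one CVE ID per entry, as you would extract it
# from a published CVE list.  Replace with the real list you are tracking.
PATCH_LIST_CVES = ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-1472", "CVE-2018-13379"]

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<options>.*)\)\s*$"
)
# Split the option body on ';' but not on an escaped '\;' inside a content string.
OPTION_SPLIT_RE = re.compile(r"(?<!\\);")


@dataclass
class SnortRule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    msg: str = ""
    sid: Optional[int] = None
    rev: Optional[int] = None
    classtype: str = ""
    cves: list = field(default_factory=list)      # normalised CVE-YYYY-NNNN ids
    options: dict = field(default_factory=dict)   # every option keyword -> raw values


def _normalise_cve(ident: str) -> str:
    """Rules write 'reference:cve,2019-11510' or '...,CVE-2019-11510'; unify them."""
    ident = ident.strip().upper()
    return ident if ident.startswith("CVE-") else "CVE-" + ident


def parse_rule(line: str) -> SnortRule:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a rule line: " + line)
    rule = SnortRule(**{k: m.group(k) for k in
                        ("action", "proto", "src", "sport", "direction", "dst", "dport")})
    for raw in OPTION_SPLIT_RE.split(m.group("options")):
        raw = raw.strip()
        if not raw:
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        rule.options.setdefault(key, []).append(value)
        if key == "msg":
            rule.msg = value.strip('"')
        elif key == "sid":
            rule.sid = int(value)
        elif key == "rev":
            rule.rev = int(value)
        elif key == "classtype":
            rule.classtype = value
        elif key == "reference":
            scheme, _, ident = value.partition(",")
            if scheme.strip().lower() == "cve":
                rule.cves.append(_normalise_cve(ident))
    return rule


def parse_rules(text: str) -> list:
    """Parse every non-comment, non-blank line of a .rules file."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def validate(rules) -> list:
    """Problems that make a ruleset fail to load or impossible to track."""
    problems, seen = [], {}
    for r in rules:
        if r.sid is None:
            problems.append(f"rule '{r.msg}' has no sid")
            continue
        if r.sid in seen:
            problems.append(f"duplicate sid {r.sid}: '{seen[r.sid]}' and '{r.msg}'")
        seen[r.sid] = r.msg
        if r.rev is None:
            problems.append(f"sid {r.sid} has no rev")
        if not r.msg:
            problems.append(f"sid {r.sid} has no msg")
    return problems


def cve_coverage(rules, cve_ids) -> dict:
    """Map each CVE on the patch list to the sids that reference it."""
    return {c: sorted(r.sid for r in rules if c in r.cves) for c in cve_ids}


def uncovered_cves(rules, cve_ids) -> list:
    """CVEs with no network signature: patching is the only defense, so do them first."""
    return [c for c, sids in cve_coverage(rules, cve_ids).items() if not sids]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_SNORT_RULES)
    for p in validate(rules):
        print("PROBLEM:", p)
    for cve, sids in cve_coverage(rules, PATCH_LIST_CVES).items():
        print(f"{cve}: " + (("sids " + ",".join(map(str, sids))) if sids else "NO SIGNATURE - patch first"))
```

Run against the constructed inputs, the validator reports nothing and CVE-2018-13379 is flagged as having no signature, which is exactly the kind of gap that should move a host up the patch queue rather than waiting on the IDS to catch it.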