Since others are allowed to throw their theories around on how FireEye got popped, here's mine. You know that VMware advisory that was posted a few days ago?

https://www.vmware.com/security/advisories/VMSA-2020-0027.html

The one that was tied to this NSA advisory?

https://media.defense.gov/2020/Dec/07/2002547071/-1/-1/0/CSA_VMWARE%20ACCESS_U_OO_195076_20.PDF
I'm willing to bet it was a third party that got compromised. @Viss pointed out that FireEye doesn't have much in the way of public attack surface, or if they do, there's shell companies and way too much Jason Bourne involved.
The vulnerability specifically states that it's a post-auth command injection. What's even more fun is that the NSA tells you what the actors do after exploiting the vulnerability.
FireEye, iSight Partners, and Mandiant are all under one roof. All it takes is one fuck-up and one working set of creds: trigger the command injection, drop a webshell, escalate privs, go do the things.
The actors get discovered, it's suspected that they had their hands in the red team's cookie jar, and rather than waiting for "shadowbrokers" to dump a bunch of retooled projects.
In reality, a lot of FireEye's stuff is a bunch of C# tools, and quite a few things that are just community projects. All the YARA rules they dumped have an "MD5" metadata tag. You can search the hash on VT. A lot of them don't have results, but some of them do.
So rather than let shadowbrokers have a field day and shitpost in really bad broken English, nip it in the bud immediately, show goodwill to the community, and use it as an opportunity to re-tool red team operations.
I have a feeling that the actors weren't using FireEye's red team tools. I'm sure that they probably have retrohunt rules or some shit on VT to see when and if their tools got burned on engagements or something. OR maybe that was the first clue that they got popped. I dunno.
As for what the Russians were after? Who knows? Again, I don't but I can offer a couple of motivation theories.
Anyone remember Duqu 2? Actors went for the fucking throat. They went straight at Kaspersky. And what's more is that they were mildly successful for a time. What better way to know when your enemy knows what you're doing than keeping tabs on them yourself?
Another possible motivation is "third party collection". I've seen this personally before. Anyone remember OpCleaver? It was a while back. Like, years ago. Anyhow, I was learning how to Google-whack with friends.
And I found an anonymous FTP server that had like, a fuckload of ASP.NET shells, encrypted zip files, and well, a few of them that weren't encrypted. I submitted the FTP server to the service provider and submitted an abuse ticket. I figured it was just skids.
As it turns out, one of the victims was the Kuwaiti national oil company. I figured this out when I looked at one of the zipped files and found network diagrams, LDAP information, and deployment data for a Microsoft security deployment of some sort.
Microsoft mapped the KNOC's network for them, and the bad guys just collected. Now, before any of you get scared shitless about any of this, I escalated this to an authority above my paygrade when I found "loot" from a target network. I gave it to the FBI.
And suddenly, weeks later, the OpCleaver report came out, mentioning open FTP servers from the same hosting provider.

What's the point of all this? Sometimes, third parties know a bunch of shit about networks or targets of interest that actors actually want access to.
We've seen this before in some way, shape or form. Watering hole attacks, or even in the case of Target, an HVAC monitoring service that was owned and pivoted from to get access to customers, and then again with Cloud Atlas targeting SOCs to get to specific targets.
It's highly likely that FireEye has network deployment information for a BUNCH of targets that the actor would be interested in. Imagine having access to pentest reports and/or deployment information for pro service engagements. Imagine having netmaps w/o lifting a finger.
So it boils down to two motivations so far: keeping tabs on your enemy, and/or third party collection for other targets of opportunity. Note that these motives are NOT mutually exclusive.
Then there's just the motive of hacking what is considered to be an elite rival and leaking their tools everywhere so as to make them useless. Other nation-states have to deal with burned infrastructure all the time, why not have FireEye suffer a loss this time? I mean, sure.
But I don't see this being a major motivation for a nation-state attacker. These were tools for FireEye's red team. It's not like this was a rival nation-state they had to care about. If it was me, and the red team tools were there and it presented next to no risk to grab them...
Sure, I'd get them if I were a savvy nation-state. Because they can be re-purposed, or they could be used for misdirection. Using someone else's tools to make attacks not match your TTPs. Otherwise, no, it's not worth it.
If I had to put money on any of these being a definitive motivating factor, I would be betting on third-party collection to open up access to additional targets. But that's my two cents. Can't wait for the after-action report to see how much they actually reveal.
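The thread mentions that the published YARA rules carry an "MD5" meta tag that can be looked up on VT. Here is an added example (not code from the thread author or from FireEye) of how a defender would pull those hashes out of a rule file to build a lookup list for a hash-reputation service or a local sample index. The rule text and the digests below are constructed placeholders, not real rules or real sample hashes; a practitioner would point `extract_md5_meta` at the actual rule files instead.

```python
import re
from typing import Dict, List

# Constructed sample YARA rules (not FireEye's). The md5 values are
# placeholder digests, not real sample hashes.
SAMPLE_RULES = r'''
rule Example_Tool_A
{
    meta:
        description = "constructed example rule"
        md5 = "0123456789abcdef0123456789abcdef"
    strings:
        $s1 = "example-marker-a"
    condition:
        $s1
}

rule Example_Tool_B : toolset
{
    meta:
        author = "constructed"
        MD5 = "fedcba9876543210fedcba9876543210"
        reference = "placeholder"
    strings:
        $s1 = "example-marker-b"
    condition:
        $s1
}

rule Example_No_Hash
{
    meta:
        description = "rule without an md5 meta field"
    strings:
        $s1 = "example-marker-c"
    condition:
        $s1
}
'''

# A rule: "rule <name> [: tags] { ... }" with the closing brace at column 0.
RULE_RE = re.compile(r'\brule\s+(\w+)[^{]*\{(.*?)\n\}', re.DOTALL)
# The meta block runs from "meta:" up to the next "strings:" or "condition:".
META_RE = re.compile(r'\bmeta\s*:(.*?)(?=\n\s*(?:strings|condition)\s*:)', re.DOTALL)
# One meta entry per line: key = "value"
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.MULTILINE)
MD5_RE = re.compile(r'^[0-9a-fA-F]{32}$')


def extract_md5_meta(rule_text: str) -> Dict[str, str]:
    """Return {rule_name: md5} for every rule whose meta block carries an
    md5/MD5 field holding a well-formed 32-hex-digit digest."""
    found: Dict[str, str] = {}
    for name, body in RULE_RE.findall(rule_text):
        meta = META_RE.search(body)
        if not meta:
            continue
        for key, value in KV_RE.findall(meta.group(1)):
            # Tag name is case-insensitive in practice ("md5" vs "MD5").
            if key.lower() == "md5" and MD5_RE.match(value):
                found[name] = value.lower()
    return found


def hash_list(rule_text: str) -> List[str]:
    """Deduplicated, sorted list of digests, ready for bulk lookup."""
    return sorted(set(extract_md5_meta(rule_text).values()))


if __name__ == "__main__":
    for rule, digest in extract_md5_meta(SAMPLE_RULES).items():
        print(f"{rule}: {digest}")
    print("lookup list:", hash_list(SAMPLE_RULES))
```

Rules without an md5 field are skipped rather than treated as an error, since only some rules in a dump carry a hash; the output list is what you would feed to a hash lookup rather than searching each one by hand.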
You can follow @da_667.