With the new information and developments released by FireEye, we have published a new blog post that provides an update on the mitigations and action plans we put in place in response to the FireEye red team tools breach and further actions Trustwave is taking as a result of the SolarWinds Orion platform compromise / SUNBURST malware discovery. Please reference this new blog post.
We wanted to share the plans and procedures we’ve put in place in response to the FireEye breach that was made public this week.
As you may be aware, FireEye has explicitly stated that malicious attackers have stolen red team tools, both open-source and FireEye developed, which are commonly utilized for ethical hacking engagements. We commend FireEye for being transparent in their disclosure of the breach and countermeasures in an effort to ensure the security of other organizations across the world.
At this time, there is no evidence or reason to believe that the FireEye breach or the theft of the red teaming tools has impacted any Trustwave customers or partners.
FireEye has also indicated that the attackers attempted to access information on internal systems related to “government customers” specifically, but there has been no evidence of data exfiltration from the affected systems. Additional investigation and adherence to responsible and legally required disclosure policies by FireEye will be required in order for a client-specific impact from these events to be further determined. Until additional disclosures are made to the public, the tactics, techniques and procedures (TTPs) of the threat actor(s) responsible for the breach and indicators of compromise remain unknown.
We are diligently monitoring the situation, and when/if those additional details are released, we will immediately update our signatures and actively monitor and detect any indication of the threat actor(s) within our customers’ assets.
More Security Actions Taking Place:
- Trustwave Secure Email Gateway (SEG) customers are slated to receive an update early next week to detect the stolen red teaming tools, should they be sent over email.
- SNORT signatures are also slated to be added early next week to Trustwave IDS devices for detecting typical traffic from these tools.
- Trustwave is continuously monitoring for the unauthorized usage of the stolen FireEye toolsets within our managed customer environments across geographies.
Trustwave will continue to be transparent, vigilant and collaborative with the security community to protect organizations from any malicious actors that may attempt to utilize these tools.