FireEye CEO Kevin Mandia shared some details on how his company uncovered the major cyberattack campaign that hit US government and corporate networks.
FireEye CEO Kevin Mandia today shared some insight into the cyberattack on the security firm, which turned out to be the first indication of a massive, wide-ranging attack campaign against several major US commercial and government networks.
In a panel hosted today by the Aspen Institute, Mandia described how his company first recognized the gravity of the attack it had suffered: a newly registered phone using a FireEye user account was the first indication of malicious activity. “In this particular case, the event that got briefed to me and got us to escalate and declare this a full-blown incident was somebody was accessing our network just like we do, but they were doing it with a second registered device,” he explained. The FireEye user whose account was associated with the flagged access was contacted and asked if he had registered a new phone, but he had not.
“Even though this was a severity-zero alert” at first, Mandia said, it was evidence of a major security event. “We had somebody bypassing our two-factor authentication by registering a new device and accessing our network just like our employees do, but it actually wasn’t our employee” doing it, he said.
Details about the illicit phone used in the attack were first reported by Yahoo News last month, in an interview with Charles Carmakal, senior vice president and CTO of FireEye. “They had to provide credentials to authenticate [their device] to the [multifactor authentication system] in order to authenticate to the FireEye VPN,” Carmakal told Yahoo News. “It was the process the attacker followed to enroll in the MFA solution, which is what generated the alert. But at this point, the attacker already had the employee’s username and password.”
Mandia said that method of attack was a big red flag. “The minute we saw that, we recognized that’s the kind of tradecraft advanced groups would do,” Mandia noted. No malware, and under the guise of a legitimate user, “doing exactly what your employees do when they go to work every day.”
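The pattern Mandia and Carmakal describe, valid credentials plus a freshly enrolled second MFA device followed by a VPN login, can be expressed as a simple correlation check over authentication logs. The block below is an added example, not FireEye's own tooling; the log line format, the field names and the 24-hour window are assumptions, and the event lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real FireEye logs).
# Format assumed: "<ISO time> <user> <event> device=<id> src=<ip>"
EVENTS = [
    "2020-11-20T08:01:00 jdoe vpn_login device=phone-A1 src=203.0.113.7",
    "2020-11-21T03:12:00 jdoe mfa_enroll device=phone-ZZ src=198.51.100.9",
    "2020-11-21T03:15:00 jdoe vpn_login device=phone-ZZ src=198.51.100.9",
    "2020-11-21T09:00:00 asmith mfa_enroll device=phone-B2 src=203.0.113.8",
    "2020-11-25T09:05:00 asmith vpn_login device=phone-B2 src=203.0.113.8",
]

ENROLL_WINDOW = timedelta(hours=24)  # assumed tuning value


def parse(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, user, event, dev, src = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user, "event": event,
            "device": dev.split("=", 1)[1], "src": src.split("=", 1)[1]}


def find_suspicious_logins(lines, window=ENROLL_WINDOW):
    """Flag VPN logins made from an MFA device enrolled within `window`
    for a user who already had at least one other device on file.
    A first-ever enrollment (no prior device) is not flagged."""
    enrolled = {}   # (user, device) -> enrollment time
    known = {}      # user -> every device seen for that user so far
    findings = []
    for ev in sorted(map(parse, lines), key=lambda e: e["time"]):
        key = (ev["user"], ev["device"])
        if ev["event"] == "mfa_enroll":
            enrolled[key] = ev["time"]
        elif ev["event"] == "vpn_login":
            prior = known.get(ev["user"], set()) - {ev["device"]}
            t_enroll = enrolled.get(key)
            if prior and t_enroll is not None and ev["time"] - t_enroll <= window:
                findings.append({"user": ev["user"], "device": ev["device"],
                                 "src": ev["src"], "enrolled_at": t_enroll})
        known.setdefault(ev["user"], set()).add(ev["device"])
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(EVENTS):
        print(f"second device used shortly after enrollment: {f}")
```

In the sample data only jdoe's login from phone-ZZ is flagged: the device was enrolled three minutes earlier while phone-A1 was already on file, whereas asmith's single device is a first enrollment.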
“There’s no magical wand that … finds backdoors in software that we all purchase and trust,” he said. “What led us to do that [decompiling] work was, in fact, all of the forensics” the company had conducted beforehand, he said. FireEye had investigated packet captures and forensic software logs on its endpoints and found one common thread: “It kept backing into, the earliest evidence of compromise for us was the system that harbored the SolarWinds product,” he said. So the company went to work decompiling code and found 4,000 lines of malicious code.
The attackers planted malware in legitimate updates to SolarWinds’ Orion network management software that was sent to some 18,000 public and private sector customers of the software. According to US intelligence assessments, a very small number of those organizations actually were targeted and compromised.
The Attack on FireEye
Stage one of the attack planted the backdoor onto FireEye’s network via the SolarWinds platform, Mandia said. Stage two used the backdoor to access domain credentials, he said, such as user accounts and passphrases. “Stage three was to get the token signing-certs to access O365, likely for specific email accounts,” Mandia said. The final stage of the FireEye attack was the theft of its red-team tools.
Mandia said he had not seen many “.com” breaches for this type of espionage, so the attack group behind this “smells different.”
While the US intelligence community, as well as several government officials and security experts, have cited Russia as the perpetrator, FireEye has not done so. The company has attributed the attack to an unknown or unclassified group or nation-state. “We have not made any attribution beyond assigning this activity to UNC 2452. An UNC group, short for unclassified, is a cluster of cyber-intrusion activity — which includes observable artifacts such as adversary infrastructure, tools, and tradecraft — that we are not yet ready to give a classification such as APT or FIN,” a FireEye spokesperson said. “As we collect additional intelligence, UNC group activity can be assigned to an existing group, graduated to a new group, or simply remain unclassified.”
Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...