Reassuring Sophos customers following the theft of Mandiant/FireEye tools

Earlier this week, Mandiant/FireEye revealed that a highly sophisticated state-sponsored adversary stole FireEye Red Team/offensive security tools.

Use of offensive security tools is common practice in the cybersecurity industry; we use them ourselves to stress test our protection against simulated cyberattacks.

Following this breach, FireEye publicly released a set of countermeasures rules. The actual tools were not released to the public and still aren’t available for testing. Nevertheless, the security industry was able to use the information released by FireEye to collect relevant attack IOCs from other available sources.

We have verified the detection state on the attack samples available to us and initial results show that the overwhelming majority were already detected by the existing Sophos anti-malware definitions.

We have made further detection updates since the disclosure and are in the process of locating and verifying detection of any other components that may be relevant.

The top Sophos detection names associated with these tools:

  • Mal/Swrort-AE,-L
  • Troj/Rubeus-*
  • BloodHoundAD (PUA)
  • Troj/Seatbelt-A
  • Mal/Zafkat-A
  • ATK/Cobalt-A,-B,-V,-G
  • Exp/20201472-A
  • Troj/PrivEsc-*
  • ATK/PrivEsc-*
  • Troj/DocDl-ABQE
  • Troj/Agent-BGFM
  • ATK/Tlaboc-F
  • Exp/20132465-A
  • Harmony Loader (Hacktool)
  • Troj/Agent-AYZU
  • Troj/AutoG-ID

The core of the stolen toolset is focused on post-exploitation techniques. According to FireEye, the components stolen did not contain zero-day exploits. Organizations that regularly apply security patches across their estate are well prepared against the potential abuse of these tools.

We have checked the vulnerabilities mentioned in FireEye’s “countermeasure” files against Sophos’ IPS signature databases used by Sophos XG Firewall and Sophos UTM and are pleased to confirm strong coverage from the existing signature set. A subset of signatures relevant to endpoint protection is also available on the endpoint IPS.

CVE              IPS SID (Sophos XG Firewalls)
CVE-2019-0708    1190514210
CVE-2017-11774   8422
CVE-2018-15961   2300872, 1181116050
CVE-2019-19781   2301366, 52620, 2301639, 2303158
CVE-2019-3398    50169, 50170, 50168
CVE-2019-11580   In release pipeline
CVE-2018-13379   2301565, 51371, 51372, 2300726
CVE-2020-0688    2302419, 2302422
CVE-2019-11510   1190822080
CVE-2019-0604    55862, 49861
CVE-2020-10189   2302318, 2302321, 2302322, 53434, 2302053, 2302054
CVE-2019-8394    In release pipeline
CVE-2016-0167    38491, 38765
CVE-2020-1472    56290, 1200811220, 2304011, 2304013, 2304014, 2304015, 2304016, 2304017, 55802, 55704, 55703, 2303764, 2303765, 2303768, 2303769
CVE-2018-8581    1000550

Should you have any concerns around the potential use of these tools in future real attack scenarios, please speak to your Sophos representative.

In the meantime, we encourage all customers to use this incident as a timely prompt to check that your security patches are fully up to date.

As an active member of the Cyber Threat Alliance, Sophos is committed to working collectively with the cybersecurity industry to fight cybercrime. We commend FireEye for their disclosure and have reached out to their security team to share more information on the actual toolsets.
