Overview
A highly sophisticated state-sponsored adversary stole FireEye Red Team tools. Because we believe that an adversary possesses these tools, and we do not know whether the attacker intends to use the stolen tools themselves or publicly disclose them, FireEye is releasing hundreds of countermeasures with this blog post to enable the broader security community to protect themselves against these tools. We have incorporated the countermeasures in our FireEye products—and shared these countermeasures with partners, government agencies—to significantly limit the ability of the bad actor to exploit the Red Team tools.
You can find a list of the countermeasures in the FireEye GitHub repository.
Red Team Tools and Techniques
A Red Team is a group of security professionals authorized and organized to mimic a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. Our Red Team’s objective is to improve enterprise cyber security by demonstrating the impacts of successful attacks and by showing the defenders (i.e., the Blue Team) how to counter them in an operational environment. We have been performing Red Team assessments for customers around the world for over 15 years. In that time, we have built up a set of scripts, tools, scanners, and techniques to help improve our clients’ security postures. Unfortunately, these tools were stolen by a highly sophisticated attacker.
The stolen tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit. Many of the Red Team tools have already been released to the community and are already distributed in our open-source virtual machine, CommandoVM.
Some of the tools are publicly available tools modified to evade basic security detection mechanisms. Other tools and frameworks were developed in-house for our Red Team.
No Zero-Day Exploits or Unknown Techniques
The Red Team tools stolen by the attacker did not contain zero-day exploits. The tools apply well-known and documented methods that are used by other red teams around the world. Although we do not believe that this theft will greatly advance the attacker’s overall capabilities, FireEye is doing everything it can to prevent such a scenario.
It’s important to note that FireEye has not seen these tools disseminated or used by any adversaries, and we will continue to monitor for any such activity along with our security partners.
Detections to Help the Community
To empower the community to detect these tools, we are publishing countermeasures to help organizations identify these tools if they appear in the wild. In response to the theft of our Red Team tools, we have released hundreds of countermeasures for publicly available technologies like OpenIOC, Yara, Snort, and ClamAV.
A list of the countermeasures is available in the FireEye GitHub repository. We are releasing detections now and will continue to update the public repository with overlapping countermeasures for host-, network-, and file-based indicators as we develop new detections or refine existing ones. In addition, the GitHub page includes a list of CVEs that need to be addressed to limit the effectiveness of the Red Team tools.
FireEye Products Protect Customers Against These Tools
Teams across FireEye have worked to build the countermeasures to protect our customers and the broader community. We have incorporated these countermeasures into our products and shared these countermeasures with our partners, including the Department of Homeland Security, who have incorporated the countermeasures into their products to provide broad coverage for the community.
More information on the detection signatures available can be found in the GitHub repository.