Here in Israel there were two security breaches that made big headlines over the last couple of weeks. The first was an ongoing ransomware attack on an Israeli insurance company (Shirbit); the other was the breach of FireEye (a security company that claims to know more about cyber security than anyone).
One thing that both have in common is the number of security analysts engaging in SWAG (scientific wild ass guesses) about the attacks. It is interesting that well known security pundits are using SWAG as the starting point – and then doing critical analysis based on that guess (very similar to using precision to cover a lack of accuracy, as I pointed out in a previous post). For example, I read one analysis of the Shirbit attack that claims the cause was an unpatched vulnerability, while another claimed the cause was stolen credentials of a former employee. Personally, I am certain that it is one of those, or something else.
Another thing they have in common is that even though not much damage was done and no unusual methods were used, the claim is that the attacks were executed by nation states and not everyday cyber criminals. Not that it matters, but I am guessing this is to cover the embarrassment of being attacked by everyday criminals using everyday tools, even though the overwhelming number of attacks are carried out with known techniques and procedures. These attacks once again show the value, and the difficulty, of good cyber hygiene and process integrity.
There was another interesting fact about the FireEye attack: the attackers stole a repository of red team tools. As I wrote in previous posts (Red, White and Blue Cybersecurity Risks and Red, White and Blue Make Purple), purple teams (which include red teams) are very valuable tools for cybersecurity – but I didn’t expect anyone to go out and actually steal them…
P.S. There are claims out there that the tools stolen are mostly open source and not developed by FireEye – so there really was no need to go to all the trouble of stealing them. For example:
- G2JS (https://github.com/med0x2e/GadgetToJScript)
- Several Impacket tools that were obfuscated (https://github.com/SecureAuthCorp/impacket)
- InveighZero (https://github.com/Kevin-Robertson/InveighZero / https://github.com/Kevin-Robertson/Inveigh)
- SafetyKatz (https://github.com/GhostPack/SafetyKatz)
- Rubeus (https://github.com/GhostPack/Rubeus)
- AndrewSpecial (https://github.com/hoangprod/AndrewSpecial)
- KeeFarce (https://github.com/denandz/KeeFarce)
- SharpZeroLogon (https://github.com/nccgroup/nccfsas/tree/main/Tools/SharpZeroLogon)