Return to Blog

December 17, 2020

FireEye Breach: Countermeasure Scanner Available for MSP RMM Tools

By Ryan Weeks

Remote Monitoring & Management (RMM) Cyber Security

FireEye, a California-based cyber security firm that provides businesses with hardware and software tools to detect malware, was infiltrated by highly-sophisticated state-sponsored adversaries last week.

The stolen tools range from simple scripts used for automating reconnaissance to entire penetration testing frameworks similar to those from CobaltStrike and Metasploit. According to the New York Times, the FireEye tools are “designed to replicate the most sophisticated hacking tools in the world.” FireEye uses the tools to look for vulnerabilities in their clients’ systems. The hackers stole FireEye Red Team assessment tools from a closely guarded digital vault.

FireEye quickly published methods to detect malicious use of the tools.

What This Means for Datto Partners and MSPs

Datto has created a FireEye Red Team Countermeasure Scanner that leverages the FireEye published detection methods. MSPs can use the scanner to detect indicators that the stolen tools are being, or have been, used on managed systems.

The FireEye Red Team Countermeasure Scanner:

  • Utilises the YARA scanning tool by VirusTotal alongside published countermeasures files from FireEye
  • Scans executable files on Windows systems for the presence of FireEye Red Team’s stolen tools
  • Identifies where the stolen FireEye tool is located if detected

If you have a detection that you believe to be a true positive, we suggest you work with a qualified incident response firm to aid you in conducting an investigation into the potential presence of a threat actor.

The FireEye Red Team Countermeasure Scanner is currently available free of charge to Datto RMM partners on the ComStore. Additionally, Datto has made available a script that can be used in conjunction with any RMM to help the larger community prevent and detect threat actors misusing these stolen tools.

Now is a time to remain vigilant and take an active role in hardening systems against these, now known, tactics. Implement preventative and preparatory measures like enabling two-factor authentication (2FA), assessing your environment for the CVEs leveraged by the FireEye tools, asking your key vendors if they used the vulnerable software, implementing the FireEye suggested monitoring, and creating a cyber resiliency plan.

Related
Datto RMM Product Innovations Update Q2'23
Datto RMM Product Innovations Update Q2'23

From launches to integrations, this on-demand webinar is full of useful content and demos. In this video, we'll be highlighting all the latest (and soon to come!) product innovations from your Datto RMM team.

 Unified Platform Video Success Story
Unified Platform Video Success Story

Hear the real dollars and cents from 4 MSPs who talk about the real-world, material efficiency gains and time savings they have experienced since integrating Autotask PSA and Datto RMM.
Want to learn how Datto can help with Remote Monitoring & Management (RMM)?
Learn More

[eBook] RMM & Patch Management: The First Line of Defense Against Cyberthreats

Check out this eBook to learn how to approach your client security engagements and provide tactical measures to secure your clients’ IT environment.

View the Resource
Suggested Next Reads