Cybersecurity firm FireEye announced Tuesday that a sophisticated group of hackers, likely state-sponsored, broke into its network and stole tools the company’s experts developed to simulate real attackers and test the security of its customers.
New details continue to emerge daily regarding the FireEye breach. Today we learned that the breach occurred via their supply chain; more specifically SolarWind’s Orion platform.
According to the Cybersecurity and Infrastructure Agency (CISA) Emergency Directive 21-01:
SolarWinds Orion products (affected versions are 2019.4 through 2020.2.1 HF1) are currently being exploited by malicious actors. This tactic permits an attacker to gain access to network traffic management systems. Disconnecting affected devices, as described below in Required Action 2, is the only known mitigation measure currently available.
We do not know of any Armor customers or partners affected by this breach but continue to monitor the situation. Armor provides protection and detection against most of the released FireEye related threats via anti-malware, and intrusion prevention capabilities. Armor does not use any SolarWinds Orion products.
Armor recommendations:
- If you have affected SolarWinds Orion products, follow CISA’s directives for required actions immediately
- While the SolarWinds Orion backdoor may be detected under the Backdoor.MSIL.SUNBURST.A signature, many of the FireEye red team tools will be seen from the Trojan.MSIL.SHELLMA.AA or HackTool.MSIL.<Various> signature types
- Run a full malware scan on suspected hosts.
Armor is continuing its vigilance in protecting our customers and partners by monitoring the situation and updating our products consistently with new detections, intelligence, and features.