What cyber insurance brokers and policyholders should (and shouldn't) take away from this week's biggest cybersecurity story.
The cybersecurity world was alerted yesterday to the news that FireEye, a well-known firm that helps organizations with cybersecurity and incident response, was hacked and that tools it developed were stolen. By drawing comparisons to the April 2017 public leak of the NSA's EternalBlue exploit tools by the Shadow Brokers, initial reporting implied that the tools, now in the hands of the bad guys, may lower the barrier to attacks and present new risks.
In reality, there are some key differences between this situation and the NSA hack that are worth noting.
The tools that were taken from FireEye were "red team tools" used to approach clients' systems adversarially, simulating how sophisticated bad actors would plan and execute an attack based on vulnerable software or configurations in that client's environment. Such tools being in the hands of the wrong people sounds scary. However, these are not purpose-built, novel digital weapons like the ones the NSA develops. FireEye's "arsenal" would have been developed through years of observing the tools, tactics, techniques and procedures used by bad actors against FireEye's clients. True, FireEye may have unique and sophisticated versions of these tools that were in some way different from what was already known more widely, but nothing revealed has been totally groundbreaking.
Given the firm's quick and comprehensive response, FireEye was clearly prepared for this eventuality, evidence of a "not if, but when" attitude. Since FireEye has made a name for itself by tracking down and outing the actors behind major hacks and helping clients protect themselves, it makes sense that they saw themselves as a major target. FireEye released detection signatures (countermeasures) for the stolen tools and a prioritized list of the vulnerabilities those tools exploit on GitHub (github.com/fireeye/red_team_tool_countermeasures) to allow any security team to examine its own systems and ensure they are protected. (See below for a list of CVEs that should be prioritized as a result of the hack.)
The details the firm released about its tools prove one thing above all: regular lifecycle and vulnerability management are important. The list of critical CVEs with the most potential impact from the tools being used by bad actors (below) looks extensive, but any company with good cyber hygiene should have patched or otherwise remediated these risks already, and should be able to confirm that with a scan rather than assume it. Some of them have been public for over six years; there are no new "zero day" vulnerabilities described (vulnerabilities for which the vendor has not yet released a patch or a temporary mitigation). Rather than a completely new and dangerous set of risks for organizations to worry about, this is a matter of refocusing on the fundamentals of vulnerability management, patch management and general vigilance.
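One practical way to act on a published priority list is to cross-reference it against your own scanner output, so that the hosts carrying the highest-ranked CVEs surface first. The script below is an added illustration for this article, not code from FireEye or Corvus. It assumes two inputs: a priority list transcribed into "rank,cve,cvss" rows (from whatever list FireEye published) and a vulnerability scanner export in "host,cve" rows. Both samples embedded in the script are constructed, and the CVE identifiers in them are placeholders standing in for the real entries; take those from FireEye's repository, not from this example.

```python
"""Cross-reference a scanner export against a published CVE priority list.

Added example for this article (not FireEye's or Corvus's code). Assumes:
  * a priority list in "rank,cve,cvss" CSV form, transcribed from the
    published list (the sample here is constructed; replace it);
  * a scanner export in "host,cve" CSV form (also constructed here).
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample priority list. The CVE IDs are placeholders standing in
# for the published list, which is the authoritative source.
PRIORITY_LIST_CSV = """rank,cve,cvss
1,CVE-2019-11510,10.0
2,CVE-2020-1472,10.0
3,CVE-2019-19781,9.8
4,CVE-2014-1812,9.0
5,CVE-2017-11774,7.8
"""

# Constructed scanner export: one (host, cve) finding per row. The last row
# is a finding that is deliberately not on the sample priority list.
SCANNER_CSV = """host,cve
vpn-01.example.internal,CVE-2019-11510
vpn-02.example.internal,CVE-2019-11510
dc-01.example.internal,cve-2020-1472
fileserver.example.internal,CVE-2014-1812
web-01.example.internal,CVE-2020-0601
"""


@dataclass
class Exposure:
    """A priority-list CVE that the scanner found on at least one host."""
    cve: str
    rank: int
    cvss: float
    hosts: list = field(default_factory=list)

    def age_years(self, current_year: int) -> int:
        """Years since the CVE was assigned, taken from the ID's year field."""
        return current_year - int(self.cve.split("-")[1])


def load_priority_list(text: str) -> dict:
    """Map normalized CVE ID -> (rank, cvss) from the priority list CSV."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["cve"].strip().upper(): (int(r["rank"]), float(r["cvss"]))
            for r in rows}


def load_findings(text: str) -> dict:
    """Map normalized CVE ID -> set of hosts from the scanner export CSV."""
    findings = defaultdict(set)
    for r in csv.DictReader(io.StringIO(text)):
        findings[r["cve"].strip().upper()].add(r["host"].strip())
    return findings


def cross_reference(priority: dict, findings: dict) -> list:
    """Exposures for CVEs on both lists, ordered by published rank, then by
    host count (more affected hosts first) when ranks tie."""
    exposures = [Exposure(cve, rank, cvss, sorted(findings[cve]))
                 for cve, (rank, cvss) in priority.items() if findings.get(cve)]
    exposures.sort(key=lambda e: (e.rank, -len(e.hosts)))
    return exposures


def unlisted_findings(priority: dict, findings: dict) -> list:
    """Scanner findings that are not on the priority list; still track them."""
    return sorted(cve for cve in findings if cve not in priority)


def report(exposures: list, current_year: int = 2020) -> list:
    """One line per exposure: rank, CVE, CVSS, age, affected hosts."""
    return [f"#{e.rank:<2} {e.cve} CVSS {e.cvss:>4}  age {e.age_years(current_year)}y  "
            f"hosts={len(e.hosts)}: {', '.join(e.hosts)}" for e in exposures]


if __name__ == "__main__":
    pri = load_priority_list(PRIORITY_LIST_CSV)
    found = load_findings(SCANNER_CSV)
    for line in report(cross_reference(pri, found)):
        print(line)
    print("Findings not on the priority list:", unlisted_findings(pri, found))
```

The output is the remediation order to start from: published rank first, then breadth of exposure. The age column is the point of the paragraph above in concrete form; a CVE from 2014 still present on a file server is a process failure, not a new threat. Findings absent from the priority list are reported separately so the list does not become the only thing that gets patched.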
The biggest story of this episode may end up being about FireEye itself: their “secret sauce” has been exposed and their reputation and revenue threatened. How the firm proceeds will be an interesting case study. But that’s for later rumination. Right now, the takeaway for any organization is this: take a breath, check against the vulnerabilities that FireEye identifies, and consider improving your vulnerability management, patching and software lifecycle management if there are any gaps revealed by the exercise.
This is a recommended order; customers may set their own priorities based on their unique environments. If you are a Corvus policyholder or have a client with a Corvus policy and need additional assistance, contact services@corvusinsurance.com to schedule a call with our CISO.