Free offering will find whether cybersecurity tools stolen from FireEye are being used on systems partners are managing
Datto is offering MSPs a scanning tool that can tell them if any of the technology stolen from cybersecurity firm FireEye during the high-profile cyberattack, allegedly by Russian state-sponsored agents, is being used on systems they manage.
The Lowdown: The new tool from Datto, which makes cloud-based technology that MSPs can sell to SMBs, comes as the federal government and private companies are still assessing the reach and damage of the attack implemented through malware injected into a network management product from SolarWinds.
The Details: FireEye earlier this month uncovered the attack after reporting that it was attacked by a nation-state actor and that tools that it had developed and were being used by its own security teams had been stolen. The tools range from simple scripts to penetration testing frameworks and were used by FireEye to search for vulnerabilities in customer systems. FireEye detailed methods for detecting malicious use of the tools.
Datto’s new FireEye Red Team Countermeasure Scanner uses the detection methods published by FireEye, enabling MSPs to detect indicators that the stolen tools are being used or have been used on managed systems.
The scanner uses the YARA open-source scanning tool by VirusTotal, along with published countermeasure files from FireEye, Ryan Weeks, Datto’s chief information security officer, wrote in a blog post. The Datto offering scans executable files on Windows systems to detect the presence of the tools stolen from FireEye’s Red Team and identifies where the stolen tool is located.
MSPs that detect any of the stolen tools should work with an incident response firm to help them investigate the situation, Weeks wrote.
The scanner is available for free to Datta remote monitoring and management (RMM) partners on the ComStore. The Norwalk, Connecticut-based company also is offering a script that can be used along with any RMM tool to help the other firms prevent and detect bad actors that are leveraging the stolen FireEye tools.
The Impact: The wide-ranging supply chain attack began when state-sponsored agents injected malicious code into updates of SolarWinds’ Orion platform. Organizations that applied those updates – issued in March and June – exposed themselves to malware dubbed Sunburst.
The extent of the exposure is still being determined. SolarWinds believes about 18,000 of its 300,000 Orion customers downloaded versions of the Orion platform containing the malware. A range of U.S. government agencies – including the State, Treasury, and Commerce departments, the Department of Homeland Security, the Pentagon, and National Institutes for Health – were among those detecting the Sunburst malware. The list of private companies – including tech companies Microsoft, SAP, Intel, Nvidia, Check Point, and Fujitsu – also have been impacted, though it’s still being determined how much damage was done.
U.S. government officials have said that Russia was the likely perpetrator of the attack, though Russian officials have denied involvement.
The Buzz: “Now is a time to remain vigilant and take an active role in hardening systems against these now known tactics,” Weeks wrote. “Implement preventative and preparatory measures like enabling two-factor authentication (2FA), assessing your environment for the CVEs [common vulnerabilities and exposures] leveraged by the FireEye tools, asking your key vendors if they used the vulnerable software, implementing the FireEye suggested monitoring, and creating a cyber resiliency plan.”