
Datto has created a free scanner for MSPs that can search their networks for signs of the stolen FireEye tools used by hackers to carve through network security in the sprawling SolarWinds breach.
Datto partners can get the download through the Norwalk, Conn.-based company’s ComStore, but Datto also made a script available that can be used with any RMM (Remote Monitoring and Management) tool “to help the larger community prevent and detect actors” who have used the stolen tools.
“Now is a time to remain vigilant and take an active role in hardening systems against these, now known, tactics,” Datto Chief Information Security Officer Ryan Weeks wrote in a blog post announcing the scanner. “Implement preventative and preparatory measures like enabling two-factor authentication, assessing your environment for the CVEs leveraged by the FireEye tools, asking your key vendors if they used the vulnerable software, implementing the FireEye suggested monitoring, and creating a cyber resiliency plan.”
The FireEye Red Team Countermeasure Scanner uses the detection methods that FireEye has published to see if any of the stolen tools that hackers have used are present on systems MSPs manage. The download uses the YARA scanner by VirusTotal and scans executable files on Windows systems to see if any of the FireEye Red Team's stolen tools are present, and reports the location where a tool was detected.
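To make the detection loop concrete, the following is an added example (not Datto's scanner and not FireEye's published rules): it walks a directory, picks out Windows executables by their "MZ" DOS header, applies a few constructed string and byte signatures in place of real YARA rules, and returns the path and rule name for each hit, which is what a practitioner would hand to an incident response team. The rule names, signatures and sample files are all hypothetical; a production scan should use YARA with the vendor's rule set.

```python
"""Minimal signature scanner illustrating a YARA-style sweep of executables.

Constructed example: this is NOT Datto's scanner. The rules below are
hypothetical placeholders standing in for FireEye's published YARA rules,
and the sample files are built on the fly so the script runs offline.
"""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    strings: list[bytes]        # plain text markers
    hexpatterns: list[bytes]    # raw byte sequences (YARA "hex strings")
    all_required: bool = False  # True mimics YARA's "all of them"


# Hypothetical signatures for illustration only; not real indicators.
RULES = [
    Rule("hypothetical_tool_a",
         strings=[b"HypotheticalToolA v1", b"--loud-mode"],
         hexpatterns=[], all_required=True),
    Rule("hypothetical_tool_b",
         strings=[],
         hexpatterns=[bytes.fromhex("deadbeefcafe")]),
]


def is_pe(path: str, max_size: int = 200 * 1024 * 1024) -> bool:
    """Cheap PE check: Windows executables start with the 'MZ' DOS header.
    Oversized or unreadable files are skipped rather than aborting the scan."""
    try:
        if os.path.getsize(path) > max_size:
            return False
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def match_rule(data: bytes, rule: Rule) -> bool:
    """Apply one rule's condition to a file's bytes."""
    needles = rule.strings + rule.hexpatterns
    hits = [n for n in needles if n in data]
    if rule.all_required:
        return bool(needles) and len(hits) == len(needles)
    return bool(hits)


def scan_tree(root: str, rules: list[Rule] = RULES) -> list[tuple[str, str]]:
    """Walk root, scan every PE file, and return (path, rule_name) findings."""
    findings: list[tuple[str, str]] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not is_pe(path):
                continue  # non-executables are out of scope, as in the text
            with open(path, "rb") as f:
                data = f.read()
            for rule in rules:
                if match_rule(data, rule):
                    findings.append((path, rule.name))
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed sample files: one executable hitting each rule, one clean
    executable, one that only partially matches, and a text file that carries
    the marker but is not a PE and so must be skipped."""
    files = {
        "tools/suspect.exe": b"MZ" + b"\x90" * 64 + b"HypotheticalToolA v1\x00--loud-mode\x00",
        "tools/clean.exe": b"MZ" + b"\x00" * 128,
        "tools/partial.exe": b"MZ" + b"HypotheticalToolA v1",
        "tools/bin.exe": b"MZ" + bytes.fromhex("0000deadbeefcafe00"),
        "tools/notes.txt": b"HypotheticalToolA v1 --loud-mode",
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)


def demo() -> list[tuple[str, str]]:
    """Build the sample tree in a temp dir, scan it, and return sorted
    (relative_path, rule_name) findings with '/' separators."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hits = scan_tree(root)
        return sorted((os.path.relpath(p, root).replace(os.sep, "/"), r) for p, r in hits)


if __name__ == "__main__":
    for path, rule in demo():
        print(f"HIT {rule}: {path}")
```

Only the two executables that fully satisfy a rule are reported; the text file with the same marker is skipped because it is not a PE, and the partial match is ignored because the rule requires all of its strings, mirroring how a YARA condition gates a hit.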
“The stolen tools range from simple scripts used for automating reconnaissance to entire penetration testing frameworks similar to those from CobaltStrike and Metasploit,” Weeks wrote. “According to the New York Times, the FireEye tools are ‘designed to replicate the most sophisticated hacking tools in the world.’ FireEye uses the tools to look for vulnerabilities in their clients’ systems. The hackers stole FireEye Red Team assessment tools from a closely guarded digital vault.”
If an MSP receives a positive hit during the scan, Weeks urged them to contact a qualified incident response team to investigate the presence of a possible attacker.
The hack is behind breaches into some of the most sensitive U.S. Government agencies including the U.S. Treasury Department, the IRS, and the Nuclear Security Administration. It has also ensnared Microsoft, as state-sponsored hackers reportedly had access to the company’s email for months.
SolarWinds MSP – which has planned a spin-out since October – told its MSP customers yesterday that it was revoking the digital certificates for all of its products as a precaution, and giving partners new certificates.