Datto has created a free scanner for MSPs that can search their networks signs of the stolen FireEye tools used by hackers to carve through network security in the sprawling SolarWinds breach.
Datto partners can get the download through the Norwalk, Conn.-based company’s ComStore, but Datto also made a script available that can be used with any RMM (Remote Monitoring and Management) tool “to help the larger community prevent and detect actors” who have used the stolen tools.
“Now is a time to remain vigilant and take an active role in hardening systems against these, now known, tactics,” Datto Chief Information Security Officer Ryan Weeks wrote in a blog post announcing the scanner. “Implement preventative and preparatory measures like enabling two-factor authentication, assessing your environment for the CVEs leveraged by the FireEye tools, asking your key vendors if they used the vulnerable software, implementing the FireEye suggested monitoring, and creating a cyber resiliency plan.”
The FireEye Red Team Countermeasure Scanner uses the detection methods that FireEye has published to see if any of the stolen tools that hackers have used are present on systems MSPs manage. The download uses the YARA scanner by VirusTotal and scans executable files on Windows systems to see if any of FireEye Red Teams’ stolen tools are present, and provides the location of where the tool was detected.
“The stolen tools range from simple scripts used for automating reconnaissance to entire penetration testing frameworks similar to those from CobaltStrike and Metasploit,” Weeks wrote. “According to the New York Times, the FireEye tools are ‘designed to replicate the most sophisticated hacking tools in the world.’ FireEye uses the tools to look for vulnerabilities in their clients’ systems. The hackers stole FireEye Red Team assessment tools from a closely guarded digital vault.”
If an MSP receives a positive hit during the scan, Weeks urged them to contact a qualified incident response team to investigate the presence of a possible attacker.
The hack is behind breaches into some of the most sensitive U.S. Government agencies including the U.S. Treasury Department, the IRS, and the Nuclear Security Administration. It has also ensnared Microsoft as state sponsored hackers reportedly had access to the company’s email for months.
SolarWinds MSP – which has planned a spin-out since October – told its MSP customers yesterday that it was revoking the digital certificates for all of its products as a precaution, and giving partners new certificates.
related stories
Video
