Cyber Crime

FireEye Provides Update on the alleged data breach revealed late July

In late July, hackers posted details allegedly stolen from a system belonging to a Senior Analyst at security firm FireEye/Mandiant. The company has now provided an update.

In late July, hackers posted details allegedly stolen from a system belonging to Adi Peretz, a Senior Threat Intelligence Analyst at security firm FireEye/Mandiant.

The leaked archive is a 337MB PST file containing the expert’s emails. It also includes images of his accounts, including OneDrive, Live and LinkedIn, geo-tracking of personal devices for at least a year, billing records and PayPal receipts.


“In addition to that are images detailing the compromise of their One Drive account, Live account, LinkedIn account, geo-tracking of personal devices for at least a year, billing records and PayPal receipts, credentials for an engineering portal at FireEye, WebEx and JIRA portals, as well as Live and Amazon accounts. There are also records related to an alleged customer, Bank Hapoalim, and internal documentation and presentations, including one for the IDF (Israel Defense Forces) from 2016.” reported Salted Hash.

The security firm has denied any intrusion into its systems, while the hackers who published the alleged Mandiant Internal Leaks claimed it was part of the ongoing campaign #OpLeakTheAnalyst.

Today FireEye provides an update on the event following its investigation into allegations made earlier this week that FireEye had been breached. As background, on July 31,

According to the security firm, the hackers did not hack the company network or Adi Peretz’s personal or corporate computers.

The login credentials used by Peretz were exposed in the past in numerous data breaches, including LinkedIn.

The experts discovered that, starting in September 2016, the attackers used the stolen credentials to access several of the Victim’s personal online accounts (LinkedIn, Hotmail and OneDrive).

The documents publicly released were obtained from the Victim’s personal online accounts and many of them were already available online.

Below is the list of conclusions published by FireEye in a blog post.

  • The Attacker did not breach, compromise or access our corporate network, despite multiple failed attempts to do so.
  • The Attacker did not breach, compromise or access the Victim’s personal or corporate computers, laptops or other devices.
  • We confirmed the Victim’s passwords and/or credentials to his personal social media and email accounts were among those exposed in at least eight publicly disclosed third party breaches (including LinkedIn) dating back to 2016 and earlier.
  • Starting in September 2016, the Attacker used those stolen passwords and/or credentials to access several of the Victim’s personal online accounts, including LinkedIn, Hotmail and OneDrive accounts.
  • The Attacker publicly released three FireEye corporate documents, which he obtained from the Victim’s personal online accounts.
  • All of the other documents released by the Attacker were previously publicly available or were screen captures created by the Attacker.
  • A number of the screen captures created by the Attacker and posted online are misleading, and seem intentionally so. They falsely implied successful access to our corporate network, despite the fact that we identified only failed login attempts from the Attacker.

FireEye highlighted that the Victim supports a small number of customers, and only two of them were impacted by the leak.

Below are the actions taken by FireEye:

  • We contacted the two identified customers as soon as we learned of this incident and have kept them apprised of the situation throughout the week.
  • We immediately contained the Victim’s systems.
  • We collected and reviewed forensic data from the Victim’s systems.
  • We disabled the Victim’s FireEye corporate accounts.
  • We worked with the Victim to regain control of his personal online accounts.
  • We worked with the Victim to secure his personal online accounts, including implementing multi-factor authentication where possible.
  • We communicated to all FireEye employees, both verbally and in writing, a reminder to be vigilant and provided detailed steps to best secure their personal accounts.
  • We worked with the Victim and his online third party service providers to obtain any available log data that could assist our investigation.
  • We reviewed all data sent to and from FireEye email to the Victim’s online accounts.
  • We reviewed authentication and access activity on the Victim’s corporate, single sign-on (SSO), multi-factor, and third-party accounts.

The investigation is still ongoing.


Pierluigi Paganini

(Security Affairs – FireEye, OpLeakTheAnalyst)



Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
