
FireEye's Post Mortem: Analyst Didn't Change Passwords

Mandiant Analyst's Personal Credentials Were Scattered All Over the Web

It's a red-faced moment for FireEye. On Monday, the company released a post mortem of an attack directed against an analyst who works for its Mandiant investigations unit.


The broad lesson from FireEye's recounting of the attack is startling and clear: Even one of the most prominent cybersecurity companies has trouble ensuring its employees follow the most pedestrian security advice for their personal online accounts.

The attackers - a group calling itself 31337 - did not breach the company's corporate network or the analyst's computers but instead several of his personal online accounts, FireEye says. But 31337 did find and release three corporate documents from those accounts. FireEye has notified the two affected customers (see Hacker Group 31337 Dumps Data Stolen From Mandiant Analyst).

The breach illustrates a widely known risk: employees using personal accounts for work-related business. The security of those documents and information is then dependent on the security practices of the user, which may not meet the standards required on a corporate network.

But the inappropriate use of personal accounts is difficult to stop. Users often lean toward convenience over security when trying to get work done.

"We communicated to all FireEye employees, both verbally and in writing, a reminder to be vigilant and provided detailed steps to best secure their personal accounts," writes Steven Booth, FireEye's vice president and chief security officer, in a blog post.

The company says it is still investigating the breach, although it doesn't expect any "significant new discoveries."

Operation LeakTheAnalyst

The attack came to light around July 31, when the hacking group began posting data on Pastebin, the online bulletin board favored for anonymous dumps of information.

The group released a 32 MB file titled "Mandiant Leak: Op. #LeakTheAnalyst." It claimed the data came from Adi Peretz, a senior threat intelligence analyst at FireEye's Mandiant consulting services unit. FireEye's blog post did not name Peretz and instead refers to him as a victim.

The group also claimed to have network topology information for FireEye's malware analysis lab along with details on FireEye contracts and licenses. It also obtained some of Peretz's personal and business emails. Peretz's LinkedIn account was defaced, and the hackers claimed they had compromised his Outlook.com account.

Some of what the hackers claimed turned out to be true. The investigation found that several of Peretz's personal accounts were compromised, including LinkedIn, Hotmail and OneDrive accounts.

A deeper probe found out why: Peretz was one of tens of millions of victims of massive data breaches over the past few years. FireEye writes that his login credentials for his social media and email accounts were exposed in "eight publicly disclosed third-party breaches," including LinkedIn. The hacking group started accessing his accounts last September.

Last year, many prominent online companies, including Yahoo, LinkedIn, Dropbox and more, discovered their systems had been pilfered of login credentials from attacks that in some cases occurred years ago (see 'Historical Mega Breaches' Continue: Tumblr Hacked).

That data has been circulating in the cybercriminal underground and has fueled what are known as "credential stuffing" attacks, where the leaked credentials are recycled in an attempt to take over accounts (see Here Are 306 Million Passwords You Should Never Use).

Some of 31337's other claims and documents turned out to be bogus. Other documents and screen captures that were released consisted of either already-public information or images fabricated by the attackers, FireEye says.

Security Workover

Peretz's online security posture has since been given a thorough workover, something he might not have ever expected to happen from his own company.

Booth writes that FireEye disabled his corporate accounts and also helped him regain control of his compromised accounts. "We worked with the victim to secure his personal online accounts, including implementing multifactor authentication where possible," Booth writes.

Two-factor authentication can often prevent an attacker from accessing an account even with valid login credentials. It usually involves entering a time-sensitive passcode that is either generated by an application or sent over SMS, although the latter distribution method is falling out of favor due to security concerns.
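As an added illustration (not from FireEye's post or the original article), the Python sketch below shows why an app-generated, time-sensitive passcode stops a login that presents a valid leaked password. It implements the standard TOTP algorithm (RFC 6238) and a hypothetical `login` check; the account records, password and function names are constructed, and the secret is the RFC 6238 test value.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def login(account: dict, password: str, passcode, now: int, drift: int = 1) -> str:
    """Return 'ok', 'bad password' or 'second factor required'."""
    supplied = hash_password(password, account["salt"])
    if not hmac.compare_digest(supplied, account["pw_hash"]):
        return "bad password"
    secret = account.get("totp_secret")
    if secret is None:
        return "ok"  # password-only account: a leaked password is enough
    if passcode is not None:
        # Accept the current step plus/minus `drift` steps for clock skew.
        for k in range(-drift, drift + 1):
            if hmac.compare_digest(passcode, totp(secret, now + k * STEP)):
                return "ok"
    return "second factor required"

# Constructed sample data: the same leaked password on two hypothetical accounts.
SALT = b"constructed-salt"
LEAKED = "Summer2016!"
RFC_SECRET = b"12345678901234567890"  # RFC 6238 test secret
password_only = {"salt": SALT, "pw_hash": hash_password(LEAKED, SALT)}
with_totp = dict(password_only, totp_secret=RFC_SECRET)

if __name__ == "__main__":
    now = 59  # constructed clock value (matches an RFC 6238 test vector)
    print(login(password_only, LEAKED, None, now))
    print(login(with_totp, LEAKED, None, now))
    print(login(with_totp, LEAKED, totp(RFC_SECRET, now), now))
```

The password-only account accepts the reused password outright, while the TOTP-protected account rejects it until a passcode from the current time window is supplied.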


About the Author

Jeremy Kirk


Managing Editor, Security and Technology, ISMG

Jeremy Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.



