Introduction
Security Arsenal is tracking a significant claim by the RansomHouse threat group regarding a successful breach of Trellix's internal source code repositories. RansomHouse, an operation known for data extortion rather than traditional encryption-based ransomware, has leaked a set of images as proof of their intrusion.
For defenders, the breach of a major security vendor's source code is a critical event. While customer data wasn't the primary target in this initial claim, the exposure of proprietary source code creates a secondary risk: adversaries can now audit Trellix software for logic flaws, hardcoded credentials, or bypass techniques. This intelligence could be weaponized to develop zero-day exploits against Trellix Endpoint Security (ENS) or Network Security products currently deployed in enterprise environments.
Immediate action is required to validate the integrity of your Trellix deployments and hunt for signs of exfiltration or precursor activity within your own network.
Technical Analysis
- Affected Vendor: Trellix (result of the McAfee Enterprise and FireEye merger).
- Threat Actor: RansomHouse (known for exploiting vulnerabilities for initial access and focusing on data theft/extortion).
- Claimed Compromise: Access to Trellix source code repositories.
- Impact:
- Supply Chain Risk: Potential for future sophisticated attacks leveraging knowledge of Trellix internal code architecture.
- Bypass Potential: Adversaries may identify methods to evade EDR detection or disable agent services without triggering standard alerts.
- Attack Vector (Inferred): Source code breaches typically involve compromised credentials, misconfigured repositories (e.g., exposed Git/Perforce instances), or lateral movement from a third-party supplier. RansomHouse specifically noted "access," suggesting valid credentials or a session hijack scenario.
- Exploitation Status: The breach is confirmed (via proof images). Exploitation of the source code to create CVEs is a future risk, but the initial access vector used by RansomHouse may be active in the wild against other targets.
Detection & Response
Given the nature of this incident—a source code leak claimed by an extortion group—detection efforts must focus on two vectors: identifying the tools and tactics typically associated with RansomHouse (exfiltration) and monitoring the integrity of the Trellix agent itself (defensive evasion).
Sigma Rules
The following Sigma rules detect potential source code exfiltration behavior and suspicious termination of security services, a likely outcome if attackers leverage stolen code to bypass defenses.
---
title: Potential Source Code Exfiltration via Archiving
id: 8f4a9b1c-6e2d-4f1a-9b3c-1d2e3f4a5b6c
status: experimental
description: Detects potential exfiltration of source code through the use of archiving tools like 7-Zip or WinRAR on directories containing source code indicators (.git, src, repo). This behavior is consistent with data theft groups like RansomHouse staging stolen intellectual property.
references:
- https://www.bleepingcomputer.com/news/security/trellix-source-code-breach-claimed-by-ransomhouse-hackers/
author: Security Arsenal
date: 2024/05/21
tags:
- attack.exfiltration
- attack.t1560.001
logsource:
category: process_creation
product: windows
detection:
selection_archiver:
Image|endswith:
- '\7z.exe'
- '\winrar.exe'
- '\zip.exe'
selection_source_flags:
CommandLine|contains:
- '.git'
- '\src\'
- '\repo'
- 'source'
condition: all of selection_*
falsepositives:
- Legitimate backups by developers
level: high
---
title: Trellix Agent Service Termination
id: 9e5b0c2d-7f3e-5g2h-0c4d-2e3f4a5b6c7d
status: experimental
description: Detects attempts to stop or disable Trellix Endpoint Security services. Following a source code leak, adversaries may leverage specific knowledge to bypass tamper protection. Unusual service termination is a high-fidelity indicator of potential defense evasion.
references:
- https://www.bleepingcomputer.com/news/security/trellix-source-code-breach-claimed-by-ransomhouse-hackers/
author: Security Arsenal
date: 2024/05/21
tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
category: process_creation
product: windows
detection:
selection_sc:
Image|endswith: '\sc.exe'
CommandLine|contains: 'stop'
selection_trellix_service:
CommandLine|contains:
- 'mfepms'
- 'macmnsvc'
- 'mfeeps'
condition: all of selection_*
falsepositives:
- Authorized administrative maintenance
level: critical
---
title: RansomHouse Data Staging Tool - Rclone
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects execution of Rclone, a tool frequently used by RansomHouse and other extortion groups for large-scale data exfiltration to cloud storage. Its presence on a workstation or server is suspicious.
references:
- https://www.bleepingcomputer.com/news/security/trellix-source-code-breach-claimed-by-ransomhouse-hackers/
author: Security Arsenal
date: 2024/05/21
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\rclone.exe'
condition: selection
falsepositives:
- Authorized use by IT admins for backup
level: high
KQL (Microsoft Sentinel / Defender)
This query hunts for the combination of archive creation and high volume egress network traffic, indicative of staging and exfiltrating stolen data like source code.
// Hunt for potential source code exfiltration patterns
let ArchiveProcesses = DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("7z.exe", "winrar.exe", "zip.exe", "rclone.exe")
| project DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, Timestamp;
let NetworkEgress = DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "ConnectionSuccess"
| where RemotePort in (443, 80) // Common cloud storage ports
| summarize TotalBytesSent = sum(SentBytes) by DeviceName, RemoteUrl, bin(Timestamp, 5m)
| where TotalBytesSent > 5000000 // 5MB threshold
| project DeviceName, RemoteUrl, TotalBytesSent, ExfilTimestamp=Timestamp;
ArchiveProcesses
| join NetworkEgress on DeviceName
| where Timestamp between ((ExfilTimestamp - 5m) .. (ExfilTimestamp + 5m))
| project DeviceName, AccountName, ProcessCommandLine, RemoteUrl, TotalBytesSent, Timestamp
| order by Timestamp desc
Velociraptor VQL
This artifact hunts for the presence of common data exfiltration tools and checks for recent access to hidden git directories, which would suggest access to source code repositories.
-- Hunt for RansomHouse indicators and Source Code access
SELECT
Pid,
Name,
CommandLine,
Exe,
Username,
CreateTime
FROM pslist()
WHERE Name =~ 'rclone'
OR Name =~ '7z'
OR Name =~ 'winrar'
UNION ALL
-- Check for recent .git folder access
SELECT
FullPath,
Size,
Mtime,
Atime
FROM glob(globs='/*/.git/**')
WHERE Atime > now() - 7d
AND NOT FullPath =~ '\\AppData\\'
Remediation Script (PowerShell)
This script assists in verifying the status and configuration of Trellix services and checks for the presence of unauthorized archiving tools.
# Trellix Security Post-Check and Hardening Script
# Run as Administrator
Write-Host "[+] Starting Trellix Security Audit..." -ForegroundColor Cyan
# 1. Check Trellix Service Status
Write-Host "[*] Checking Trellix Endpoint Security Services..." -ForegroundColor Yellow
$trellixServices = @("mfepms", "macmnsvc", "mfeeps")
foreach ($svc in $trellixServices) {
$service = Get-Service -Name $svc -ErrorAction SilentlyContinue
if ($service) {
if ($service.Status -ne "Running") {
Write-Host "[!] ALERT: Service $svc is not running. Current Status: $($service.Status)" -ForegroundColor Red
} else {
Write-Host "[+] Service $svc is running normally." -ForegroundColor Green
}
}
}
# 2. Scan for common archiving/exfiltration tools in user directories
Write-Host "[*] Scanning for unauthorized archiving tools (7zip, WinRAR, Rclone)..." -ForegroundColor Yellow
$pathsToScan = @("C:\Users\", "C:\ProgramData\")
$suspiciousFiles = @()
foreach ($path in $pathsToScan) {
if (Test-Path $path) {
$results = Get-ChildItem -Path $path -Recurse -Include "7z.exe", "winrar.exe", "rclone.exe" -ErrorAction SilentlyContinue | Select-Object FullName, LastWriteTime
if ($results) {
$suspiciousFiles += $results
}
}
}
if ($suspiciousFiles.Count -gt 0) {
Write-Host "[!] Found suspicious executables:" -ForegroundColor Red
$suspiciousFiles | Format-Table -AutoSize
} else {
Write-Host "[+] No common archiving tools found in user paths." -ForegroundColor Green
}
Write-Host "[+] Audit Complete." -ForegroundColor Cyan
Remediation
1. Verify Trellix Agent Integrity: Ensure all Trellix Endpoint Security (ENS) and Network Security (NS) agents are updated to the latest version. Verify that the "Tamper Protection" feature is enabled and reporting correctly to the Trellix ePO (ePolicy Orchestrator) or Trellix Endpoint Security console.
2. Credential Hygiene: If your organization utilizes Trellix products or interfaces with Trellix support portals, rotate API keys and service account credentials that may have been shared with the vendor. Assume that any credential in the vendor's possession could be at risk.
3. Restrict Repository Access: While this breach targeted Trellix, use this incident as a catalyst to audit your own source code management (SCM) systems (e.g., GitHub, GitLab, Bitbucket, Azure DevOps). Enforce IP allow-listing and require SSH keys with passphrases instead of passwords for git operations.
4. Vendor Communication: Monitor official Trellix security advisories. They will likely release guidance on whether the stolen code introduces specific vulnerabilities requiring immediate patching beyond standard updates.
5. Hunt for RansomHouse: RansomHouse typically gains initial access via exposed vulnerabilities (e.g., VPNs) or valid credentials. Conduct a review of VPN logs and Active Directory for anomalous login attempts, particularly focusing on accounts with privileged access to development or intellectual property.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.