Last week, Mandiant published a report identifying a working group executing sophisticated, long-term attacks against targets in the United States. If you want to see if your network is the target of such attacks, follow the instructions below to update your sensor(s).

Add Packet Stash’s FQDN Snort Rules

APT-1 uses at least 3,000 known FQDNs (Fully Qualified Domain Names) to deliver its payloads (see the Mandiant report for more details on how APT-1′s backdoor software works). Packet Stash quickly followed up on the Mandiant data release with a ruleset containing the FQDNs used in these attacks, and then released this ruleset under the GNU General Public License. These rules are a good first step for identifying known APT-1 attack vectors.

To merge the Packet Stash APT-1 FQDN Rules into your ruleset, do the following steps

1. Download the PacketStash ruleset from https://github.com/packetstash/packetstash-rules/blob/master/APT1/apt1.rules.
2. Log in on https://nsm.metaflows.com. Click on the Rules item on the top menu. If you have multiple sensors in your domain, you will be asked to select the sensor you want to modify.
3. Click on Merge Rules in the middle of the secondary menu for the Rules page.
   

   Open the Rules editor and select "Merge Rules".

4. Select the file with the rules you saved in Step 1.
   

   Select the file containing the rules you want to merge.

5. After the rules file finishes uploading, click on the “Save” button on the secondary menu for the Rules page. When the rules finish saving, click the “Close” button.
   

   Save the sensor

6. The Rules page will reload. After the page reloads, a text panel will appear in the upper-right corner with the buttons “Reload” and “Not Now”. Clicking “Reload” will make the sensor software restart and reload the new Snort Rules. Clicking “Not Now” will cause the sensor to not reload.
   

   Reload the sensor so that it has the latest rules.

Add the MetaFlows APT-1 IP Addresses Classification

APT-1 also uses a known range of IP addresses comprising at least 40 Class B networks (see Table 8 on page 40 of the Mandiant report for the list). One other step MetaFlows customers can take to identify potential APT-1 attack vectors is to leverage our existing Classification tools to identify flows to or from the addresses in these networks. To do this, do the following steps:

1. Log in to your MetaFlows account at https://nsm.metaflows.com.
2. After you log in, download the APT-1 IP Addresses classification file.
3. Enter the Real Time or Historical view. Click on the Classifications icon on the bottom menu bar. This will open the classifications list. Click the Classification Import icon at the top of this window. Select the apt1ips.json classification file you downloaded in Step 2.
   

   List of all available views.

4. Once the classification file is uploaded, the Edit Classification window will open. You can modify the classification further with other markers available from Mandiant, or you can just click “Save Classification” at the top of the page to use the classification as-is. The classification will be imported into your existing classifications and you can start using it to identify any addresses from the known APT-1 networks by filtering Real Time and Historical data with the classification, which will be listed under the Mandiant APT-1 classification category.
   

   Classification editor.

   

   Select the classification on the secondary menu at the top to view matching events.

We have discovered several APT-1 hosts acting on our global network of honeypots with this classification, so it is feasible that our customers could be experiencing attacks involving these addresses as well. If you have any comments, questions, or suggestions, please contact us at support@metaflows.com.

1. Go to https://github.com/packetstash/packetstash-rules/blob/master/APT1/apt1.rules and save the rules on your desktop
2. Login into nsm.metaflows.com. Click on Rules on the top menu, then click on Merge Rules in the middle of the top menu.
3. Upload the rules you saved in step 1
4. Click on Save Rules
5. Click Ok
6. Click on restart sensor

Real Time File transmission Logging

By default, all dangerous file transmissions (exe, dll, MS Office, pdf, zip, etc.) are logged and correlated whether or not they are malicious. This allows you to see what content your users are downloading or uploading (these informational messages can be disabled if this is too much information for you). See the screenshot below where several file transfers are logged.

File Transmission Logging

Real Time File Scanning

Importantly, the files that contain malicious code as reported by Virus Total are ranked 100 and flagged as high-priority events for your analysis. Usually, any of these events need to be taken very seriously and appropriate remediation should be taken quickly. See the screenshot below where Snort events and File-inbound events are correlated to show you an ongoing infection.

Malicious file transfers have a ranking of 100 and a report URL lets you see why they are infected. The events are correlated with the IDS events to let you see how everything fits together.

In order to access this great new feature:

1. Go to your Sensor Configuration page
2. Enable the File Monitoring plugin by clicking on the check box labeled “File Monitoring” toward the bottom of the page
3. Enter an optional Virus Total Key (if you do not have one, we highly recommend registering with Virus Total and obtaining a free key at https://www.virustotal.com/)
4. Save the sensor configuration
5. Execute /nsm/etc/mss.sh restart on your sensor

Current customers will receive this update automatically when their sensor is restarted/reloaded, and it will be bundled into the installation package for all new deployments.

Next time you restart your sensor you will see a message indicating some commands to execute; just cut and paste the commands on the command line to perform the upgrade.

Happy hunting!