Mandiant Report Sensor Update

Last week, Mandiant published a report identifying a working group executing sophisticated, long-term attacks against targets in the United States. If you want to see if your network is the target of such attacks, follow the instructions below to update your sensor(s).

Add Packet Stash’s FQDN Snort Rules

APT-1 uses at least 3,000 known FQDNs (Fully Qualified Domain Names) to deliver its payloads (see the Mandiant report for more details on how APT-1’s backdoor software works). Packet Stash quickly followed up on the Mandiant data release with a ruleset containing the FQDNs used in these attacks, and then released this ruleset under the GNU General Public License. These rules are a good first step for identifying known APT-1 attack vectors.

To merge the Packet Stash APT-1 FQDN Rules into your ruleset, do the following steps

  1. Download the PacketStash ruleset from https://github.com/packetstash/packetstash-rules/blob/master/APT1/apt1.rules.
  2. Log in on https://nsm.metaflows.com. Click on the Rules item on the top menu. If you have multiple sensors in your domain, you will be asked to select the sensor you want to modify.
  3. Click on Merge Rules in the middle of the secondary menu for the Rules page.

    Open the Rules editor and select "Merge Rules".
  4. Select the file with the rules you saved in Step 1.

    Select the file containing the rules you want to merge.
  5. After the rules file finishes uploading, click on the “Save” button on the secondary menu for the Rules page. When the rules finish saving, click the “Close” button.

    Save the sensor
  6. The Rules page will reload. After the page reloads, a text panel will appear in the upper-right corner with the buttons “Reload” and “Not Now”. Clicking “Reload” will make the sensor software restart and reload the new Snort Rules. Clicking “Not Now” will cause the sensor to not reload.

    Reload the sensor so that it has the latest rules.

 

Add the MetaFlows APT-1 IP Addresses Classification

APT-1 also uses a known range of IP addresses comprising at least 40 Class B networks (see Table 8 on page 40 of the Mandiant report for the list). One other step MetaFlows customers can take to identify potential APT-1 attack vectors is to leverage our existing Classification tools to identify flows to or from the addresses in these networks. To do this, do the following steps:

  1. Log in to your MetaFlows account at https://nsm.metaflows.com.
  2. After you log in, download the APT-1 IP Addresses classification file.
  3. Enter the Real Time or Historical view. Click on the Classifications icon on the bottom menu bar. This will open the classifications list. Click the Classification Import icon at the top of this window. Select the apt1ips.json classification file you downloaded in Step 2.

    List of all available views.
  4. Once the classification file is uploaded, the Edit Classification window will open. You can modify the classification further with other markers available from Mandiant, or you can just click “Save Classification” at the top of the page to use the classification as-is. The classification will be imported into your existing classifications and you can start using it to identify any addresses from the known APT-1 networks by filtering Real Time and Historical data with the classification, which will be listed under the Mandiant APT-1 classification category.
    Classification editor.

    Select the classification on the secondary menu at the top to view matching events.

We have discovered several APT-1 hosts acting on our global network of honeypots with this classification, so it is feasible that our customers could be experiencing attacks involving these addresses as well. If you have any comments, questions, or suggestions, please contact us at support@metaflows.com.

Happy hunting!
The MetaFlows Team.

 

Leave a Reply

Your email address will not be published. Required fields are marked *