Last week Mandiant released a powerful report that exposed what certainly appears to be a state-sponsored hacking initiative from China, dubbed APT1 by Mandiant. If you haven’t already, I highly encourage you to read the full report, available here. The report not only analyzes the organization behind the attacks, but also includes a wealth of detail on the specific techniques the group used, as well as indicators that you can use in your own security practice.
In this article I will summarize some of the key indicators as well as some of the techniques that may help you find other indicators of advanced attacks in your network.
It was certainly heartwarming to see Mandiant release a large number of very specific indicators of APT1 that security teams can put to good use. Far too often, a security vendor will report on how it uncovered a breach but leave out the details that would help working infosec professionals do their jobs better.
In this report, Mandiant has done the industry a solid by disclosing a variety of very specific indicators that it has been able to tie to APT1, including domains used by the attack infrastructure, SSL certificates used to encrypt the attackers’ traffic, MD5 hashes of APT1 malware and a variety of other open-source “indicators of compromise”.
This is very actionable information, but information that we all have to realize will also be very short-lived. Given the sophistication of the APT1 organization, it is quite likely that the exposed domains, hashes and certificates have already been decommissioned or soon will be. The more durable value is in the indicators that describe the attackers’ techniques, as opposed to the certificates and domains, which are effectively disposable.
Patterns and Techniques
Beyond the easily identifiable indicators, the Mandiant report provided insight into the lifecycle of an APT1 attack, from the initial infection through escalation to the ongoing theft of data.
First, as one might expect, APT1 used highly targeted spear-phishing to infect a target, which included creating fake email accounts in the name of someone the target would recognize. Second, the infecting files were often zipped to evade analysis, and the archives often contained executables designed to look like PDFs.
This provides two important lessons, one technical and one practical. First, when looking for advanced malware we absolutely must look inside zipped payloads, and we cannot trust a file’s extension to tell us what it is. Second, it destroys the all-too-common idea that malware infections are the fault of the “stupid user”. That’s not to say that “stupid users” don’t exist or that they don’t lead to malware infections; they certainly do on both counts. The point is rather that highly targeted phishing can be constructed to fool even savvy, well-trained users, and we can’t rely on training to solve the problem on its own. Instead, we need to proactively test and analyze content to programmatically determine whether it is malicious or benign.
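As an added illustration (example code written for this summary, not anything from the Mandiant report or from APT1’s tooling), the Python below inspects a zip attachment without extracting it and flags the two tricks described above: an executable whose name ends in a document extension, and a member that claims to be a PDF but starts with the MZ header of a Windows executable. The sample archive is constructed inline, and the extension lists are my own assumptions about what belongs in a mail attachment.

```python
import io
import os
import zipfile

# Assumed lists: extensions Windows will execute, and document extensions an
# attacker would use as a decoy in front of the real one ("agenda.pdf.exe").
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".dll"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}
PE_MAGIC = b"MZ"      # every Windows PE executable starts with these two bytes
PDF_MAGIC = b"%PDF"   # every real PDF starts with this

def inspect_zip(data):
    """Inspect a zip archive given as bytes without extracting it.

    Returns a list of (member_name, reason) tuples; an empty list means
    nothing looked wrong. Only the first bytes of each member are read, so a
    large or nested archive is never expanded to disk.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            stem, ext = os.path.splitext(name.lower())
            with zf.open(info) as member:
                head = member.read(4)
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append((name, "executable extension inside attachment"))
            elif head.startswith(PE_MAGIC):
                # Content says "executable", name says something else.
                findings.append((name, "PE header but non-executable extension"))
            if ext == ".pdf" and not head.startswith(PDF_MAGIC):
                findings.append((name, "claims to be PDF but lacks %PDF header"))
            # "agenda.pdf.exe": Explorer hides the real extension by default.
            if os.path.splitext(stem)[1] in DOCUMENT_EXTENSIONS:
                findings.append((name, "double extension"))
    return findings

def build_sample_zip():
    """Constructed sample for the demo: one real PDF plus two disguised executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("quarterly_report.pdf", b"%PDF-1.4\n% constructed sample\n")
        zf.writestr("agenda.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()

if __name__ == "__main__":
    for member, reason in inspect_zip(build_sample_zip()):
        print(f"{member}: {reason}")
```

Reading only the header of each member keeps the check cheap enough to run on every inbound attachment; a production version would recurse into nested archives and cap the total decompressed size to avoid zip bombs.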
The report also shared that once the infection was established, the attackers would often rely on RDP (Remote Desktop Protocol) to administer the ongoing attack. This protocol is extremely common on enterprise networks and lets the attacker control the compromised machine remotely. RDP has been strongly linked to advanced attacks in a variety of other reports, including this year’s Verizon Data Breach Report. The lesson here is clear: RDP and related remote-access protocols are among the key tools of persistent attacks, and security teams should keep strict control over RDP, limiting its use to the few users who must have it and requiring two-factor authentication for those users.
APT1 also used a myriad of techniques to hide its communications with command-and-control servers. These included sending data over HTTP, custom protocols written by the attackers, and a variety of modified protocols designed to look like normal application traffic, such as MSN Messenger, Gmail Calendar and Jabber (a protocol used by a variety of instant messaging applications). All of this traffic was often wrapped in SSL to obscure it further. This again highlights the need to look inside SSL-encrypted traffic, and the need to find customized or unusual traffic that deviates from the protocol it claims to be. This is an emerging art, but certainly possible using firewalls and threat prevention solutions that finely decode network and application protocols.
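As an added example (not code from the report or from any product), the Python below does the simplest version of that decoding: it looks at the first bytes a client sends on a TCP connection and checks whether they conform to the protocol expected on the destination port. The port table, the flow records and the handshake fragments are constructed for the demonstration. Note what the check cannot do: C2 that is well-formed HTTP, or that sits inside a real TLS session, passes it and needs SSL inspection or behavioral analysis instead.

```python
import re

# First-bytes checks for the protocols the report says APT1 imitated or tunnelled through.
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")
MSNP_HELLO = re.compile(rb"^VER \d+ MSNP\d+")   # MSN Messenger clients open with a VER command

def classify_payload(head):
    """Return the protocol the first client bytes of a TCP stream conform to."""
    if HTTP_REQUEST.match(head):
        return "http"
    # TLS: record type 0x16 (handshake), version 0x03 0x0?, handshake type 0x01 (ClientHello)
    if (len(head) >= 6 and head[0] == 0x16 and head[1] == 0x03
            and head[2] <= 0x03 and head[5] == 0x01):
        return "tls"
    # XMPP/Jabber opens with an XML stream header
    if head.lstrip().startswith(b"<?xml") or b"<stream:stream" in head:
        return "xmpp"
    if MSNP_HELLO.match(head):
        return "msnp"
    return "unknown"

# Assumed policy: protocols that belong on each port; anything else is worth a look.
EXPECTED_BY_PORT = {80: {"http"}, 443: {"tls"}, 1863: {"msnp"}, 5222: {"xmpp", "tls"}}

def audit_flows(flows):
    """flows: iterable of (src, dst, dport, first_bytes). Returns flagged flows."""
    flagged = []
    for src, dst, dport, head in flows:
        expected = EXPECTED_BY_PORT.get(dport)
        if expected is None:
            continue  # no expectation for this port; not this check's job
        seen = classify_payload(head)
        if seen not in expected:
            flagged.append((src, dst, dport, seen))
    return flagged

SAMPLE_FLOWS = [  # constructed records, not captured traffic
    ("10.0.0.5", "203.0.113.7", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.5", "203.0.113.9", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    ("10.0.0.6", "198.51.100.20", 443, b"POST /update HTTP/1.1\r\nHost: 198.51.100.20\r\n\r\n"),
    ("10.0.0.6", "198.51.100.21", 5222, b"\x07\x33\x91\x00\x10cmd /c whoami\x00"),
    ("10.0.0.7", "198.51.100.22", 1863, b"VER 1 MSNP15 MSNP14 CVR0\r\n"),
]

if __name__ == "__main__":
    for src, dst, dport, seen in audit_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport} carries {seen!r}, not the protocol expected there")
```

Two of the constructed flows trip the check: plaintext HTTP on 443, and a custom binary protocol on the Jabber port. The genuine HTTP and TLS flows pass, which is exactly the gap that SSL decryption and application-layer decoding have to close.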
Once it was time to steal data, the attackers predominantly relied on FTP. As with the infecting files, exfiltrated data was usually compressed, this time mostly with RAR. FTP is popular with attackers because the clients are small, the protocol is flexible and it is often allowed through network controls. Security teams should therefore analyze FTP closely, and take an especially hard look at FTP sessions that carry RAR files, whatever those files happen to be named.
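As an added example (my own code, not anything from the report), the Python below pulls the STOR and RETR commands out of an FTP control channel and pairs each with the first bytes seen on the corresponding data connection, then flags uploads whose content is a RAR or ZIP archive by signature rather than by filename, since an attacker can name an archive anything. The control-channel transcript and data fragments are constructed, and the code assumes the sensor hands over data connections in the same order as the commands (a real tap would match them by the PASV port).

```python
# Archive signatures as they appear in the first bytes of the FTP data connection.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
ZIP_MAGIC = b"PK\x03\x04"
EXPECTED_EXTENSION = {"rar": "rar", "zip": "zip"}

def archive_type(head):
    """Identify an archive from its leading bytes, ignoring the filename entirely."""
    if head.startswith(RAR5_MAGIC) or head.startswith(RAR4_MAGIC):
        return "rar"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    return None

def parse_control_channel(lines):
    """Pull the transfer commands (STOR = upload, RETR = download) out of
    client-side FTP control lines, in order."""
    commands = []
    for line in lines:
        parts = line.strip().split(" ", 1)
        if parts[0].upper() in ("STOR", "RETR") and len(parts) == 2:
            commands.append((parts[0].upper(), parts[1]))
    return commands

def build_transfers(control_lines, data_heads):
    """Assumption: data connections arrive in command order, so pair them by position."""
    return [(cmd, name, head)
            for (cmd, name), head in zip(parse_control_channel(control_lines), data_heads)]

def audit_ftp_transfers(transfers):
    """transfers: iterable of (command, filename, first_bytes).
    Returns one finding per archive upload, noting when the name lies about the content."""
    findings = []
    for command, filename, head in transfers:
        kind = archive_type(head)
        if command != "STOR" or kind is None:
            continue  # downloads and non-archive uploads are out of scope here
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext == EXPECTED_EXTENSION[kind]:
            findings.append((filename, kind, "archive upload"))
        else:
            findings.append((filename, kind, "archive upload, extension mismatch"))
    return findings

# Constructed session, not a real capture: a RAR archive uploaded as "IMG_0042.jpg".
SAMPLE_CONTROL = ["USER ftpuser", "PASS ********", "TYPE I",
                  "PASV", "STOR backup.zip",
                  "PASV", "RETR readme.txt",
                  "PASV", "STOR IMG_0042.jpg",
                  "PASV", "STOR notes.txt", "QUIT"]
SAMPLE_DATA_HEADS = [ZIP_MAGIC + b"\x14\x00\x00\x00",
                     b"Hello from the server\r\n",
                     RAR4_MAGIC + b"\xcf\x90\x73\x00",
                     b"plain text, nothing to see\r\n"]

if __name__ == "__main__":
    for name, kind, reason in audit_ftp_transfers(build_transfers(SAMPLE_CONTROL, SAMPLE_DATA_HEADS)):
        print(f"{name}: {kind} {reason}")
```

The renamed RAR is the finding that matters; the plainly named ZIP upload is reported too so that an analyst can correlate archive uploads with the user and host behind the session.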
Learn to See What Doesn’t Belong
While the Mandiant report is incredibly illuminating, it is also not a panacea. If anything, the more we learn about sophisticated attacks the more it is obvious that security products will never be enough without security skill. Certainly, we will continue to need and use signatures and systems that can automatically block the bad things on our networks. But it is also equally clear that this alone won’t be enough. We need to actively seek out and test the unknowns in our network, whether that is anomalous traffic or unknown, potentially malicious files.
We need to know the application fingerprint of our networks and users so that we can see when something is amiss. Security is fast becoming the front line for enterprises and one of the most strategic roles in any organization, but it requires us to be actively and intellectually engaged. That is a daunting task, but one we can meet.