Today, Virginia-based cyber-security firm MANDIANT released a 60+ page intelligence report describing an Advanced Persistent Threat (APT) actor named APT-1 (others familiar with the group may know them as WebC2).
This report is unprecedented in its fidelity, and we recommend that any security practitioner who believes they are being targeted by this specific actor, or by any advanced attacker, read it in full as soon as possible.
This report contains several key details on how APT-1 compromises its victims, pivots throughout their infrastructure, and eventually exfiltrates coveted intellectual property. MANDIANT has described these tools and tactics in sufficient detail that we have been able to write many high-fidelity indicators suitable for use in an intrusion detection system (IDS).
After reviewing and processing the report, the Snorby Cloud team is announcing the initial release of over 2000 network DNS indicators that can be used to quickly identify this specific actor (or other advanced attackers sharing the same tools and behaviors).
If you are already a Snorby Cloud customer, these rules have been automatically deployed to your Network IDS agents and are already active. If not, we are open-sourcing these rules under the GPL and you may use them in popular open-source IDS software such as Snort (http://www.snort.org/) or Suricata (http://www.openinfosecfoundation.org/). You can find the rules here: https://github.com/packetstash/packetstash-rules
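To show how a DNS indicator becomes a Snort/Suricata rule, here is a small Python helper added for illustration; it is not code from the Snorby Cloud rule-set, and the domains, SID range and message prefix in it are constructed placeholders, not indicators from the report. It encodes each domain in DNS wire format (length-prefixed labels) so the rule matches the query name on UDP/53 rather than a dotted string that never appears on the wire.

```python
import re

# Labels that Snort can take as a literal; anything else is hex-escaped.
LABEL_RE = re.compile(r"^[a-z0-9-]+$")

def dns_wire_bytes(domain: str) -> bytes:
    """Encode a domain as it appears in a DNS question: len+label..., 0."""
    name = domain.strip().rstrip(".").lower().encode("idna").decode("ascii")
    out = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {domain!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dns_wire_content(domain: str) -> str:
    """Render the wire-format name as a Snort content string, e.g.
    |03|bad|07|example|03|com|00|  (adjacent hex bytes are merged)."""
    wire, parts, hexbuf, i = dns_wire_bytes(domain), [], [], 0
    def flush():
        if hexbuf:
            parts.append("|" + " ".join(hexbuf) + "|"); hexbuf.clear()
    while wire[i]:
        n = wire[i]; label = wire[i + 1:i + 1 + n].decode("ascii")
        hexbuf.append(f"{n:02x}")
        if LABEL_RE.match(label):
            flush(); parts.append(label)
        else:  # e.g. "_dmarc": underscore is not safe as a literal
            hexbuf.extend(f"{b:02x}" for b in label.encode("ascii"))
        i += 1 + n
    hexbuf.append("00"); flush()
    return "".join(parts)

def make_dns_rule(domain: str, sid: int, msg_prefix="APT-1 DNS lookup", rev=1) -> str:
    """One Snort/Suricata rule: standard query flags, then the encoded name."""
    return ('alert udp $HOME_NET any -> any 53 ('
            f'msg:"{msg_prefix} {domain}"; '
            'content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; '
            f'content:"{dns_wire_content(domain)}"; nocase; distance:0; '
            f'classtype:trojan-activity; sid:{sid}; rev:{rev};)')

def rules_from_indicators(domains, base_sid: int = 1000001) -> list:
    """De-duplicate, normalise and number a list of domain indicators."""
    uniq = sorted({d.strip().rstrip(".").lower() for d in domains})
    return [make_dns_rule(d, base_sid + i) for i, d in enumerate(uniq)]

# Constructed placeholder indicators (not from the MANDIANT report).
SAMPLE_INDICATORS = ["bad.example.com", "BAD.example.com.", "_dmarc.example.com"]
if __name__ == "__main__":
    print("\n".join(rules_from_indicators(SAMPLE_INDICATORS)))
```

Use a SID range reserved for local rules (1000000 and up) so the generated rules never collide with a distributed rule-set.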
As we grow, the Snorby Cloud team will be maintaining our own GPL rule-set for the benefit of the community, starting by improving and adding to this set of indicators as we digest the report. We encourage users of the rules to send us any improvements so that we can disseminate them to the group.
If you have any questions, please contact firstname.lastname@example.org
- Snorby Cloud Team.