Wednesday, February 20, 2013

Reading the Mandiant APT1 Report

Like a lot of folks, I downloaded and read through the Mandiant APT1 report as soon as I could.  It's an excellent resource and I highly recommend reading it if you have not already.  It goes into great detail on how they have tracked a particular team of attackers.  They lay out how they have tracked individuals on the team from their online presence, coding and attack methods, and other sources.

They also included some network blocks that they observed as part of the communication chain with command and control systems.  Here is a screenshot from their report.

Screen shot taken from page 42 of Mandiant APT1 report

On a whim, I decided to crawl through my web server logs and see if I could find anything from these blocks.  To be clear, I'm not saying this proves I was under attack or being used by APT1.  It was just a quick check to see if there was something to dig further at.

I logged into my web server and ran a simple recursive grep for each netblock.

egrep -r "^223\.16[67]\." /var/log/apache2/*

The -r tells egrep to recurse through the target directory.  The ^ symbol in my regex requires that the pattern must be found at the beginning of the line.  The dots are escaped so that each one matches only a literal period, and [67] matches either a 6 or a 7 at the end of the second octet.

In the end, I had 5 different searches that I ran.

egrep -r "^223\.16[67]\." /var/log/apache2/*
egrep -r "^58\.24[67]\." /var/log/apache2/*
egrep -r "^112\.6[45]\." /var/log/apache2/*
egrep -r "^139\.22[67]\." /var/log/apache2/*
egrep -r "^143\.89\." /var/log/apache2/*

For any gzipped and archived log files, I used zegrep instead.  The catch was that zegrep doesn't want to be recursive, so I had to run that on each directory containing archived log files.  So this came out looking like the following.

zegrep "^223\.16[67]\." /var/log/apache2/*.gz
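
The same check can be done in one pass with real CIDR matching instead of text patterns. The following is an added example, not from the original post: it assumes the five grep patterns above correspond to the CIDR blocks listed in NETBLOCKS, the function names are illustrative, and the sample log lines are constructed. It walks a log directory recursively and reads plain and gzipped files alike.

```python
import gzip
import ipaddress
import os
from collections import defaultdict

# Assumed CIDR form of the five grep patterns used in this post.
NETBLOCKS = [ipaddress.ip_network(n) for n in (
    "223.166.0.0/15", "58.246.0.0/15", "112.64.0.0/15",
    "139.226.0.0/15", "143.89.0.0/16")]

def match_block(line):
    """Return (ip, network) if the first field of a log line is in a netblock."""
    fields = line.split(None, 1)
    if not fields:
        return None
    try:
        ip = ipaddress.ip_address(fields[0])
    except ValueError:  # resolved hostname, "-", or a garbled line
        return None
    for net in NETBLOCKS:
        if ip.version == net.version and ip in net:
            return ip, net
    return None

def scan_lines(lines):
    """Group matching log lines by the netblock their client IP falls in."""
    hits = defaultdict(list)
    for line in lines:
        found = match_block(line)
        if found:
            hits[str(found[1])].append(line.rstrip("\n"))
    return dict(hits)

def scan_tree(root):
    """Walk root recursively; .gz files are decompressed on the fly."""
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            opener = gzip.open if name.endswith(".gz") else open
            with opener(os.path.join(dirpath, name), "rt", errors="replace") as fh:
                for net, lines in scan_lines(fh).items():
                    hits[net].extend(lines)
    return dict(hits)

# Constructed sample lines in Apache log format (not real traffic).
SAMPLE = [
    '223.167.0.1 - - [20/Feb/2013:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '58.246.10.20 - - [20/Feb/2013:10:00:01 +0000] "GET /admin HTTP/1.1" 404 210',
    '143.89.1.1 - - [20/Feb/2013:10:00:02 +0000] "GET / HTTP/1.1" 200 512',
    '223.168.0.1 - - [20/Feb/2013:10:00:03 +0000] "GET / HTTP/1.1" 200 512',
    'host.example.com - - [20/Feb/2013:10:00:04 +0000] "GET / HTTP/1.1" 200 512',
]
```

Calling scan_tree("/var/log/apache2") returns a dictionary keyed by netblock, which makes it easy to see which block each hit came from.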

Somewhat surprisingly, I found some activity in my log files.  It was nothing earth-shattering, but apparently someone at 223.166.88.107 had an interest in shell commands on NetApp filers.  58.246.251.174 got a bit more interested in my host.  They took the time to scan my server for admin applications such as PHPMyAdmin.  I'd guess that this was an automated scan looking for easy targets to use as a jumping-off point.  So far nothing else from them has turned up.

I'd recommend using the information in this report to take a look at your environment and see what turns up. There is a lot more there than just a few IP addresses.  Mandiant released a large number of the Indicators of Compromise that they use to track this group, plus other information.  What I have here wasn't even a scratch at it.  I'm still looking around my systems for more.  I may not come up with much, but it's a great chance to practice analysis skills.
