RSA Admin

Third Party Publicized IOCs Feed and the Kaspersky Careto Paper

Blog Post created by RSA Admin Employee on Feb 12, 2014

RSA FirstWatch has reviewed the Kaspersky Careto research paper located at SecureList here.  We have gathered the listed indicators of compromise and have searched our own internal databases to validate the threats and to determine if there is anything more we can add to the research.  We have been unable to corroborate these IOC's as being involved with any current malware.  However, this APT threat dates back several years and our own internal data does not.

 

We wanted to include these IOCs in our threat feeds.  We have two new threat feeds that will house Indicators of Compromise that are publicized by third party research organizations.  One feed will be dedicated to Hostnames and the second, dedicated to known malicious IP addresses.  This feed will be available via the Live Subscription.

These feeds will appear in Live as:

nwrsa_third_party_ioc_domain
nwrsa_third_party_ioc_ip

 

As time goes on and other organizations make IOCs public, we will update this feed with those meta elements.

 

FirstWatch wanted to take a moment to instruct organizations how to scrape indicators of compromise from other intelligence sources to create feeds for internal use.  Many organizations subscribe to private whitepapers that are not for public consumption, such as ISACs, Government organizations and specialized sectors.

 

Using the above Careto research paper as an example, we were able to create two simple CSV files, which are attached to this post.  Using this as an example feed, organizations can append their own IOC research from other published indicators.

 

In addition to the hostnames and IP addresses, other indicators showed that there were really two types of web files requested for the Command and Control.  Those two filenames, since they fit a pattern, would be good for creating a simple rule, which is below.

 

Rule Name:  Possible Careto IOC

Syntax:  directory='/cgi-bin/' && filename=commcgi.cgi,index.cgi

Set to:  Alert Key

 

In our FirstWatch labs, there is some rate of false positives, specifically for index.cgi.  But should the attackers change their infrastructure, but keep their methods of attack, this rule should be adequate for detection.

 

However, if this is coupled to a threat source rule that would combine an IP or Hostname match with the rule above, it should be a strong indication of a compromise.  Use a second rule as follows:

 

Rule Name:  Positive Careto IOC Match

Syntax:  alert='possible careto ioc' && threat.source='Third Party Publicized IOCs'

Set to:  Alert Key (or risk.warning, etc)

 

See our previous posts on using the SA Live Feed Manager to deploy this CSV file as a feed.  In the case of the IP address feed, set the feed to IP based feed, index column 1, and map column 2, 3 and 4 to feed.name, feed.category and feed.description.

 

For the Hostname feed, set the feed to non-IP, index column 1 and set the meta callback to alias.host.  Then map column 2, 3 and 4 to feed.name, feed.category and feed.description.

 

We will be adding the attached CSV files as Live feeds soon.  Look for official notifications and be sure to subscribe to the feed for automatic updates.  As new emergent threats are published by third party research organizations, we will update this feed, along with links to those research documents.

 

Good Luck and Happy Hunting!

Outcomes