#ThreatThursday - menuPass

    Introduction

    Hello everyone and happy #ThreatThursday! Up this week: New threats and a new SCYTHE unicorn! I’m Tim Schulz, a security researcher and long term purple team advocate coming from Sandia National Labs and MITRE, and now the new Adversary Emulation Lead at SCYTHE.  As part of Jorge’s technical team, I’ll be driving our SCYTHE Threat Thursdays (don’t worry, Jorge will still make appearances!). For my inaugural Threat Thursday we are going to look at menuPass (aka APT10/Stone Panda/Red Apollo/CVNX/Potassium/Cloud Hopper), a cyber threat actor responsible for global intellectual property theft that is thought to be affiliated with, or working at the behest of, the Chinese Ministry of State Security.  

    menuPass comes to us as a newly released emulation plan from MITRE Engenuity that we have ported over to SCYTHE, and therefore has a significant amount of resources for us to leverage in this #ThreatThursday. We hope you enjoy it!

    Cyber Threat Intelligence

    menuPass is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014. In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university. Source: https://attack.mitre.org/groups/G0045/


    As part of the emulation release, MITRE Engenuity released an ATT&CK Navigation layer for the community to leverage as seen in Figure 1. For other adversary emulation plans released by MITRE and MITRE Engenuity, check out APT29 and FIN6 phases one and two. #ThreatThursday.

    Overall, there were 32 different references and reports used to create the menuPass emulation plan. You can view them all here.

    Adversary Emulation Plan

    MITRE Engenuity’s emulation plan outlines two different scenarios summarized in their release post:

    “Scenario 1 is designed to be representative of publicly reported menuPass efforts targeting MSP subscriber networks. The scenario describes the techniques reported to have been used by menuPass to achieve initial access but ultimately leaves initial access to the interpretation of the individual analyst. It then walks the practitioner through tool ingress, discovery, credential harvesting, lateral movement, and exfiltration.”

     Tactic  Description
    Description   menuPass efforts targeting MSP subscriber networks. Techniques used to achieve initial access, then tool ingress, discovery, credential harvesting, lateral movement, and exfiltration.
    Objective   Gain access to trusted partners for proxy compromise.
     Command and Control  T1105: Ingress Tool Transfer
    Initial Access   T1199: Trusted Relationship
    T1078.002: Valid Accounts - Domain Accounts
     Discovery T1049: System Network Connections Discovery
    T1018: Remote System Discovery
    T1046: Network Service Scanning
    T1016: System Network Configuration Discovery
     Credential Access T1003.001: OS Credential Dumping - LSASS Memory
    T1003.002: OS Credential Dumping - Security Account Manager
    T1003.004: OS Credential Dumping - LSA Secrets
     Discovery T1087: Account Discovery
    T1082: System Information Discovery
    T1057: Process Discovery
    T1518.001: Software Discovery: Security Software Discovery
     Lateral Movement T1569.002: System Services - Service Execution
    T1021.001: Remote Services - Remote Desktop Protocol
    T1021.002: Remote Services - SMB/Windows Admin Shares
    T1570: Lateral Tool Transfer
     Collection T1560.001: Archive Collected Data - Archive via Utility
    T1074.001: Local Data Staging
     Exfiltration T1537: Transfer Data to Cloud Account
     Persistence T1053.005: Scheduled Task
    T1543.003: Create or Modify System Process - Windows Service
    T1547.001: Boot or Logon Autostart Execution - Registry Run Keys

    Scenario 2 is intended to be representative of menuPass activity that relied upon a command-and-control framework to establish C2, conduct discovery, escalate privileges, access credentials, conduct lateral movement, and deploy and persist sustained malware.”

     Tactic  Description
    Description   menuPass activity that relied upon a command-and-control framework to establish C2, conduct discovery, escalate privileges, access credentials, conduct lateral movement, and deploy and persist sustained malware
    Objective   Theft of intellectual property.
     Command and Control  T1105: Ingress Tool Transfer
    Initial Access   T1566.001: Phishing
    T1566.002: Phishing
     Discovery T1016: System Network Configuration Discovery
    T1049: System Network Connections Discovery
     Credential Access T1003.003: OS Credential Dumping - NTDS
     Lateral Movement T1047: Windows Management Instrumentation
    T1569.002: System Services - Service Execution
     Exfiltration T1041: Exfiltration Over C2 Channel
     Command and Control T1105: Ingress Tool Transfer
     Persistence T1547.001: Boot or Logon Autostart Execution - Registry Run Keys/Startup Folder
    T1053.005: Alternative Procedure - Scheduled Task/Job - Scheduled Task

    The released emulation plan is for the first scenario, and the associated SCYTHE plan also follows along with it.

    Conclusion

    Today we covered the newly released plan for menuPass, a Chinese threat actor identified as a major interest by MITRE Engenuity’s Center for Threat Informed Defense (CTID). CTID released extensive resources in the area, and we were able to modify and import the released plan into the platform to create a new emulation! menuPass has proven to be a resourceful adversary, leveraging their own internally developed capabilities in addition to open source tooling such as Metasploit.

    Built-in Windows defensive capabilities such as application white listing, sysmon & event logging, and a tiered design to active directory will significantly impact menuPass’s ability to operate successfully in an enterprise environment.

    SCYTHE recommends testing against adversary emulation plans in engagements such as those outlined in the Purple Team Exercise Framework to fully understand how well your organization can detect and respond to threats.

    We hope you enjoyed this edition of #ThreatThursday.

    --

    This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

    Tim Schulz is SCYTHE’s Adversary Emulation Lead. He has been helping organizations build and train teams to understand and emulate cyber threats for the last six years while working at multiple FFRDCs. He has given talks on Adaptive Emulation with ATT&CK and on Technical Leadership, and holds GXPN, GDAT, and OSCP certifications.

    About SCYTHE

    SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io

    Latest Posts

    Threat Thursday: March
    Threat Thursday: March
    March 21,2024
    Threat Thursday: February
    Threat Thursday: February
    February 22,2024
    Threat Thursday: January
    Threat Thursday: January
    January 18,2024
    Threat Thursday Buzz
    Threat Thursday Buzz
    November 16,2023
    Threat Emulation: APT36
    Threat Emulation: APT36
    July 27,2023

    Related Threat Thursday