Hello everyone and happy #ThreatThursday! Up this week: New threats and a new SCYTHE unicorn! I’m Tim Schulz, a security researcher and long-term purple team advocate coming from Sandia National Labs and MITRE, and now the new Adversary Emulation Lead at SCYTHE. As part of Jorge’s technical team, I’ll be driving our SCYTHE Threat Thursdays (don’t worry, Jorge will still make appearances!). For my inaugural Threat Thursday we are going to look at menuPass (aka APT10/Stone Panda/Red Apollo/CVNX/Potassium/Cloud Hopper), a cyber threat actor responsible for global intellectual property theft that is thought to be affiliated with, or working at the behest of, the Chinese Ministry of State Security.
menuPass comes to us as a newly released emulation plan from MITRE Engenuity that we have ported over to SCYTHE, so there is a significant amount of resources for us to leverage in this #ThreatThursday. We hope you enjoy it!
Cyber Threat Intelligence
menuPass is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014. In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university. Source: https://attack.mitre.org/groups/G0045/
As part of the emulation release, MITRE Engenuity released an ATT&CK Navigator layer for the community to leverage, as seen in Figure 1. For other adversary emulation plans released by MITRE and MITRE Engenuity, check out the #ThreatThursday posts on APT29 and FIN6 phases one and two.
Overall, there were 32 different references and reports used to create the menuPass emulation plan. You can view them all here.
Adversary Emulation Plan
MITRE Engenuity’s emulation plan outlines two different scenarios summarized in their release post:
“Scenario 1 is designed to be representative of publicly reported menuPass efforts targeting MSP subscriber networks. The scenario describes the techniques reported to have been used by menuPass to achieve initial access but ultimately leaves initial access to the interpretation of the individual analyst. It then walks the practitioner through tool ingress, discovery, credential harvesting, lateral movement, and exfiltration.”
“Scenario 2 is intended to be representative of menuPass activity that relied upon a command-and-control framework to establish C2, conduct discovery, escalate privileges, access credentials, conduct lateral movement, and deploy and persist sustained malware.”
The released emulation plan is for the first scenario, and the associated SCYTHE plan also follows along with it.
Today we covered the newly released plan for menuPass, a Chinese threat actor identified as a major interest by MITRE Engenuity’s Center for Threat-Informed Defense (CTID). CTID released extensive resources in the area, and we were able to modify and import the released plan into the platform to create a new emulation! menuPass has proven to be a resourceful adversary, leveraging their own internally developed capabilities in addition to open source tooling such as Metasploit.
Built-in Windows defensive capabilities such as application whitelisting, Sysmon and event logging, and a tiered Active Directory design will significantly impact menuPass’s ability to operate successfully in an enterprise environment.
SCYTHE recommends testing against adversary emulation plans in engagements such as those outlined in the Purple Team Exercise Framework to fully understand how well your organization can detect and respond to threats.
We hope you enjoyed this edition of #ThreatThursday.
Tim Schulz is SCYTHE’s Adversary Emulation Lead. He has been helping organizations build and train teams to understand and emulate cyber threats for the last six years while working at multiple FFRDCs. He has given talks on Adaptive Emulation with ATT&CK and on Technical Leadership, and holds GXPN, GDAT, and OSCP certifications.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email firstname.lastname@example.org, visit https://scythe.io, or follow on Twitter @scythe_io.