<< All Posts

#ThreatThursday - menuPass

February 25, 2021

Introduction

Hello everyone and happy #ThreatThursday! Up this week: New threats and a new SCYTHE unicorn! I’m Tim Schulz, a security researcher and long term purple team advocate coming from Sandia National Labs and MITRE, and now the new Adversary Emulation Lead at SCYTHE.  As part of Jorge’s technical team, I’ll be driving our SCYTHE Threat Thursdays (don’t worry, Jorge will still make appearances!). For my inaugural Threat Thursday we are going to look at menuPass (aka APT10/Stone Panda/Red Apollo/CVNX/Potassium/Cloud Hopper), a cyber threat actor responsible for global intellectual property theft that is thought to be affiliated with, or working at the behest of, the Chinese Ministry of State Security.  

menuPass comes to us as a newly released emulation plan from MITRE Engenuity that we have ported over to SCYTHE, and therefore has a significant amount of resources for us to leverage in this #ThreatThursday. We hope you enjoy it!

Cyber Threat Intelligence

menuPass is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014. In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university. Source: https://attack.mitre.org/groups/G0045/


As part of the emulation release, MITRE Engenuity released an ATT&CK Navigation layer for the community to leverage as seen in Figure 1. For other adversary emulation plans released by MITRE and MITRE Engenuity, check out APT29 and FIN6 phases one and two. #ThreatThursday.

Overall, there were 32 different references and reports used to create the menuPass emulation plan. You can view them all here.

Adversary Emulation Plan

MITRE Engenuity’s emulation plan outlines two different scenarios summarized in their release post:

“Scenario 1 is designed to be representative of publicly reported menuPass efforts targeting MSP subscriber networks. The scenario describes the techniques reported to have been used by menuPass to achieve initial access but ultimately leaves initial access to the interpretation of the individual analyst. It then walks the practitioner through tool ingress, discovery, credential harvesting, lateral movement, and exfiltration.”

 Tactic  Description
Description   menuPass efforts targeting MSP subscriber networks. Techniques used to achieve initial access, then tool ingress, discovery, credential harvesting, lateral movement, and exfiltration.
Objective   Gain access to trusted partners for proxy compromise.
 Command and Control  T1105: Ingress Tool Transfer
Initial Access   T1199: Trusted Relationship
T1078.002: Valid Accounts - Domain Accounts
 Discovery T1049: System Network Connections Discovery
T1018: Remote System Discovery
T1046: Network Service Scanning
T1016: System Network Configuration Discovery
 Credential Access T1003.001: OS Credential Dumping - LSASS Memory
T1003.002: OS Credential Dumping - Security Account Manager
T1003.004: OS Credential Dumping - LSA Secrets
 Discovery T1087: Account Discovery
T1082: System Information Discovery
T1057: Process Discovery
T1518.001: Software Discovery: Security Software Discovery
 Lateral Movement T1569.002: System Services - Service Execution
T1021.001: Remote Services - Remote Desktop Protocol
T1021.002: Remote Services - SMB/Windows Admin Shares
T1570: Lateral Tool Transfer
 Collection T1560.001: Archive Collected Data - Archive via Utility
T1074.001: Local Data Staging
 Exfiltration T1537: Transfer Data to Cloud Account
 Persistence T1053.005: Scheduled Task
T1543.003: Create or Modify System Process - Windows Service
T1547.001: Boot or Logon Autostart Execution - Registry Run Keys

Scenario 2 is intended to be representative of menuPass activity that relied upon a command-and-control framework to establish C2, conduct discovery, escalate privileges, access credentials, conduct lateral movement, and deploy and persist sustained malware.”

 Tactic  Description
Description   menuPass activity that relied upon a command-and-control framework to establish C2, conduct discovery, escalate privileges, access credentials, conduct lateral movement, and deploy and persist sustained malware
Objective   Theft of intellectual property.
 Command and Control  T1105: Ingress Tool Transfer
Initial Access   T1566.001: Phishing
T1566.002: Phishing
 Discovery T1016: System Network Configuration Discovery
T1049: System Network Connections Discovery
 Credential Access T1003.003: OS Credential Dumping - NTDS
 Lateral Movement T1047: Windows Management Instrumentation
T1569.002: System Services - Service Execution
 Exfiltration T1041: Exfiltration Over C2 Channel
 Command and Control T1105: Ingress Tool Transfer
 Persistence T1547.001: Boot or Logon Autostart Execution - Registry Run Keys/Startup Folder
T1053.005: Alternative Procedure - Scheduled Task/Job - Scheduled Task

The released emulation plan is for the first scenario, and the associated SCYTHE plan also follows along with it.

Conclusion

Today we covered the newly released plan for menuPass, a Chinese threat actor identified as a major interest by MITRE Engenuity’s Center for Threat Informed Defense (CTID). CTID released extensive resources in the area, and we were able to modify and import the released plan into the platform to create a new emulation! menuPass has proven to be a resourceful adversary, leveraging their own internally developed capabilities in addition to open source tooling such as Metasploit.

Built-in Windows defensive capabilities such as application white listing, sysmon & event logging, and a tiered design to active directory will significantly impact menuPass’s ability to operate successfully in an enterprise environment.

SCYTHE recommends testing against adversary emulation plans in engagements such as those outlined in the Purple Team Exercise Framework to fully understand how well your organization can detect and respond to threats.

We hope you enjoyed this edition of #ThreatThursday.

--

Tim Schulz is SCYTHE’s Adversary Emulation Lead. He has been helping organizations build and train teams to understand and emulate cyber threats for the last six years while working at multiple FFRDCs. He has given talks on Adaptive Emulation with ATT&CK and on Technical Leadership, and holds GXPN, GDAT, and OSCP certifications.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io


STAY UP TO DATE WITH OUR CONTENT!

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form

More Unicorn Content

See All Posts

let our tech speak for itself

Know where you stand with SCYTHE. Talk to us to start the evaluation process today! We’d love to talk to you about how SCYTHE can fit into your cybersecurity workflow.

EVALUATE

LEARN MORE