#ThreatThursday - menuPass

Introduction

Hello everyone and happy #ThreatThursday! Up this week: new threats and a new SCYTHE unicorn! I’m Tim Schulz, a security researcher and long-term purple team advocate coming from Sandia National Labs and MITRE, and now the new Adversary Emulation Lead at SCYTHE. As part of Jorge’s technical team, I’ll be driving our SCYTHE Threat Thursdays (don’t worry, Jorge will still make appearances!). For my inaugural Threat Thursday we are going to look at menuPass (aka APT10/Stone Panda/Red Apollo/CVNX/Potassium/Cloud Hopper), a cyber threat actor responsible for global intellectual property theft that is thought to be affiliated with, or working at the behest of, the Chinese Ministry of State Security.

menuPass comes to us as a newly released emulation plan from MITRE Engenuity that we have ported over to SCYTHE, so there is a significant amount of material for us to leverage in this #ThreatThursday. We hope you enjoy it!

Cyber Threat Intelligence

menuPass is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014. In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university. Source: https://attack.mitre.org/groups/G0045/


As part of the emulation release, MITRE Engenuity released an ATT&CK Navigator layer for the community to leverage, as seen in Figure 1. For other adversary emulation plans released by MITRE and MITRE Engenuity, check out our earlier #ThreatThursday posts on APT29 and on FIN6 phases one and two.

Overall, there were 32 different references and reports used to create the menuPass emulation plan. You can view them all here.

Adversary Emulation Plan

MITRE Engenuity’s emulation plan outlines two different scenarios summarized in their release post:

“Scenario 1 is designed to be representative of publicly reported menuPass efforts targeting MSP subscriber networks. The scenario describes the techniques reported to have been used by menuPass to achieve initial access but ultimately leaves initial access to the interpretation of the individual analyst. It then walks the practitioner through tool ingress, discovery, credential harvesting, lateral movement, and exfiltration.”

Tactic                Description
Description           menuPass efforts targeting MSP subscriber networks. Techniques used to achieve initial access, then tool ingress, discovery, credential harvesting, lateral movement, and exfiltration.
Objective             Gain access to trusted partners for proxy compromise.
Command and Control   T1105: Ingress Tool Transfer
Initial Access        T1199: Trusted Relationship
                      T1078.002: Valid Accounts - Domain Accounts
Discovery             T1049: System Network Connections Discovery
                      T1018: Remote System Discovery
                      T1046: Network Service Scanning
                      T1016: System Network Configuration Discovery
Credential Access     T1003.001: OS Credential Dumping - LSASS Memory
                      T1003.002: OS Credential Dumping - Security Account Manager
                      T1003.004: OS Credential Dumping - LSA Secrets
Discovery             T1087: Account Discovery
                      T1082: System Information Discovery
                      T1057: Process Discovery
                      T1518.001: Software Discovery - Security Software Discovery
Lateral Movement      T1569.002: System Services - Service Execution
                      T1021.001: Remote Services - Remote Desktop Protocol
                      T1021.002: Remote Services - SMB/Windows Admin Shares
                      T1570: Lateral Tool Transfer
Collection            T1560.001: Archive Collected Data - Archive via Utility
                      T1074.001: Local Data Staging
Exfiltration          T1537: Transfer Data to Cloud Account
Persistence           T1053.005: Scheduled Task
                      T1543.003: Create or Modify System Process - Windows Service
                      T1547.001: Boot or Logon Autostart Execution - Registry Run Keys

“Scenario 2 is intended to be representative of menuPass activity that relied upon a command-and-control framework to establish C2, conduct discovery, escalate privileges, access credentials, conduct lateral movement, and deploy and persist sustained malware.”

Tactic                Description
Description           menuPass activity that relied upon a command-and-control framework to establish C2, conduct discovery, escalate privileges, access credentials, conduct lateral movement, and deploy and persist sustained malware.
Objective             Theft of intellectual property.
Command and Control   T1105: Ingress Tool Transfer
Initial Access        T1566.001: Phishing - Spearphishing Attachment
                      T1566.002: Phishing - Spearphishing Link
Discovery             T1016: System Network Configuration Discovery
                      T1049: System Network Connections Discovery
Credential Access     T1003.003: OS Credential Dumping - NTDS
Lateral Movement      T1047: Windows Management Instrumentation
                      T1569.002: System Services - Service Execution
Exfiltration          T1041: Exfiltration Over C2 Channel
Command and Control   T1105: Ingress Tool Transfer
Persistence           T1547.001: Boot or Logon Autostart Execution - Registry Run Keys/Startup Folder
                      T1053.005: Alternative Procedure - Scheduled Task/Job - Scheduled Task

The released emulation plan is for the first scenario, and the associated SCYTHE plan also follows along with it.

Conclusion

Today we covered the newly released plan for menuPass, a Chinese threat actor identified as a threat of major interest by MITRE Engenuity’s Center for Threat-Informed Defense (CTID). CTID released extensive resources in this area, and we were able to modify and import the released plan into the SCYTHE platform to create a new emulation! menuPass has proven to be a resourceful adversary, leveraging its own internally developed capabilities in addition to open source tooling such as Metasploit.

Built-in Windows defensive capabilities such as application whitelisting (allowlisting), Sysmon and Windows event logging, and a tiered Active Directory design will significantly impact menuPass’s ability to operate successfully in an enterprise environment.
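To make the event-logging point concrete, here is an added example (not part of the MITRE Engenuity plan, the SCYTHE platform, or this post’s original content) that maps Windows Security and Sysmon event records to a subset of the Scenario 1 techniques from the table above, so a purple team can check which emulated techniques actually surfaced in telemetry. The event IDs and event field names (TargetImage, TargetObject, Image, ShareName, TaskName) are real Windows/Sysmon ones; the JSON-lines export layout with Source, EventID and RecordId keys, and every log record in SAMPLE_LOG, are constructed for the example.

```python
"""Map constructed Windows Security / Sysmon events to menuPass Scenario 1
techniques and report which plan techniques were (not) observed.
Added example, not MITRE Engenuity or SCYTHE code. Event IDs are real Windows/
Sysmon IDs; the JSON-lines layout and the sample records are constructed."""
import json

# Subset of the Scenario 1 techniques from the emulation plan table.
PLAN_TECHNIQUES = {
    "T1003.001": "OS Credential Dumping - LSASS Memory",
    "T1053.005": "Scheduled Task",
    "T1543.003": "Create or Modify System Process - Windows Service",
    "T1547.001": "Boot or Logon Autostart Execution - Registry Run Keys",
    "T1021.002": "Remote Services - SMB/Windows Admin Shares",
    "T1560.001": "Archive Collected Data - Archive via Utility",
}


def _lsass_access(ev):
    # Sysmon 10 (ProcessAccess) against lsass.exe -> credential dumping.
    return ev.get("TargetImage", "").lower().endswith("\\lsass.exe")


def _run_key(ev):
    # Sysmon 13 (RegistryEvent value set) under a ...\CurrentVersion\Run key.
    return "\\currentversion\\run\\" in ev.get("TargetObject", "").lower()


def _admin_share(ev):
    # Security 5140 (network share accessed) on an administrative share.
    return ev.get("ShareName", "").upper() in ("\\\\*\\ADMIN$", "\\\\*\\C$")


def _archiver(ev):
    # Sysmon 1 (ProcessCreate) of a command-line archiver (constructed list).
    name = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    return name in ("7z.exe", "rar.exe", "winrar.exe")


# (log source, event ID, predicate over the record, technique it evidences)
RULES = [
    ("Sysmon", 10, _lsass_access, "T1003.001"),
    ("Security", 4698, lambda ev: True, "T1053.005"),   # scheduled task created
    ("System", 7045, lambda ev: True, "T1543.003"),     # new service installed
    ("Sysmon", 13, _run_key, "T1547.001"),
    ("Security", 5140, _admin_share, "T1021.002"),
    ("Sysmon", 1, _archiver, "T1560.001"),
]


def classify(event):
    """Return the technique IDs a single event record maps to (may be empty)."""
    return [tech for source, event_id, pred, tech in RULES
            if event.get("Source") == source
            and event.get("EventID") == event_id
            and pred(event)]


def coverage(events):
    """Return (observed technique -> record IDs, sorted list of unobserved plan techniques)."""
    observed = {}
    for ev in events:
        for tech in classify(ev):
            observed.setdefault(tech, []).append(ev.get("RecordId"))
    missing = sorted(set(PLAN_TECHNIQUES) - set(observed))
    return observed, missing


def parse_jsonl(text):
    """Parse a JSON-lines export (assumed layout) into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample telemetry from an imaginary emulation run.
SAMPLE_LOG = r"""
{"RecordId": 1, "Source": "Sysmon", "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"}
{"RecordId": 2, "Source": "Sysmon", "EventID": 10, "SourceImage": "C:\\Temp\\tool.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010"}
{"RecordId": 3, "Source": "Security", "EventID": 4698, "TaskName": "\\Updater"}
{"RecordId": 4, "Source": "Sysmon", "EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"}
{"RecordId": 5, "Source": "Security", "EventID": 5140, "ShareName": "\\\\*\\ADMIN$"}
{"RecordId": 6, "Source": "Sysmon", "EventID": 1, "Image": "C:\\Tools\\7z.exe", "CommandLine": "7z.exe a stage.7z C:\\Users\\Public\\stage"}
{"RecordId": 7, "Source": "Sysmon", "EventID": 1, "Image": "C:\\Program Files\\Notepad++\\notepad++.exe"}
"""

if __name__ == "__main__":
    observed, missing = coverage(parse_jsonl(SAMPLE_LOG))
    for tech, ids in sorted(observed.items()):
        print(f"observed  {tech}  {PLAN_TECHNIQUES[tech]}  (records {ids})")
    for tech in missing:
        print(f"missing   {tech}  {PLAN_TECHNIQUES[tech]}")
```

Run against the constructed sample, five of the six plan techniques are observed and T1543.003 is reported as missing: the emulation either did not execute the service-creation step or the System log was not collected, which is exactly the gap a purple team exercise is meant to surface before a real adversary does.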

SCYTHE recommends testing against adversary emulation plans in engagements such as those outlined in the Purple Team Exercise Framework to fully understand how well your organization can detect and respond to threats.

We hope you enjoyed this edition of #ThreatThursday.

--

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

Tim Schulz is SCYTHE’s Adversary Emulation Lead. He has been helping organizations build and train teams to understand and emulate cyber threats for the last six years while working at multiple FFRDCs. He has given talks on Adaptive Emulation with ATT&CK and on Technical Leadership, and holds GXPN, GDAT, and OSCP certifications.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io