MITRE Engenuity ATT&CK Evaluations (ATT&CK Evals) released its second round of independent ATT&CK Evaluations for managed security services providers (MSSP). Through the lens of the MITRE ATT&CK knowledge base, this round of ATT&CK Evals focused on adversary behavior informed by menuPass (G0045), a Chinese-based threat group, and an ALPHV/BlackCat ransomware affiliate.
“In collaboration with the 11 providers who participated in this round of ATT&CK Evaluations Managed Services, we rigorously and transparently tested services against two well-known and prolific adversaries,” said William Booth, general manager, ATT&CK Evals, MITRE Engenuity. “The evidence-based results of the evaluation are a valuable resource for organizations in determining which security solutions best address their needs.”
The participants of this evaluation included:
- Bitdefender
- BlackBerry
- CrowdStrike
- Field Effect
- Microsoft
- Palo Alto Networks
- Secureworks
- SecurityHQ
- SentinelOne
- Sophos
- Trend Micro
Results of the evaluations are posted at https://attackevals.mitre-engenuity.org/.
This round of ATT&CK Evals emulated a multi-subsidiary compromise with overlapping operations focusing on defense evasion, exploiting trusted relationships, data encryption, and inhibiting system recovery. ATT&CK Evals mirrored the techniques and malware of menuPass, as well as an ALPHV/BlackCat affiliate’s deployment of BlackCat ransomware to Windows and Linux ESXi servers, highlighting data encryption/destruction and system recovery obstruction behaviors.
Active since at least 2006, menuPass (aka APT10) is believed to be sponsored by the Chinese Ministry of State Security. The group focuses on the exfiltration of sensitive data such as intellectual property and business intelligence in support of Chinese national security objectives. menuPass has targeted the aerospace, construction, engineering, government, and telecommunications sectors primarily in the U.S., Europe, Japan, and Southeast Asia.
“menuPass exemplifies the sophistication and versatility of modern adversaries,” said Amy Robertson, cyber threat intelligence engineering lead, ATT&CK Evals. “The group has demonstrated an affinity to living-off-the-land, while obscuring their activities through fileless execution and obfuscation to evade security controls and hinder analysis. They also have infiltrated trusted relationships to amplify their reach, representing a threat adept at exploiting vulnerabilities in both technology and trust itself."
ALPHV/BlackCat, a prolific Russian-speaking RaaS group that emerged in 2021, is linked to BlackMatter, DarkSide, REvil, and other RaaS groups. ALPHV/BlackCat utilizes ransomware coded in Rust, allowing for enhanced performance, flexibility, and cross-platform capabilities. Group affiliates are alleged to have targeted more than 1,000 victims across the globe, prior to the FBI’s disruption of the group.
“ALPHV/BlackCat represents a potent, multi-vector threat, capitalizing on technical innovations to maximize impact,” added Robertson. “The group’s ransomware-as-a-service (RaaS) model enabled affiliates to leverage defense evasion techniques like obfuscation and kill processes to disable defenses, and to use core data encryption functionality to cripple business operations across sectors.”
Within the evaluation, emulation of menuPass and ALPHV/BlackCat assessed a provider’s ability to detect threats that prioritize stealth, leverage trusted relationships and system tools, and inhibit system recovery through data destruction and encryption.
