ATT&CK Evaluations test cybersecurity providers against adversary behavior informed by menuPass and ALPHV/BlackCat Ransomware

MITRE Engenuity ATT&CK® Evaluations (ATT&CK Evals) released its second round of independent ATT&CK Evaluations for managed security services providers (MSSP). Through the lens of the MITRE ATT&CK knowledge base, this round of ATT&CK Evals focused on adversary behavior informed by menuPass (G0045), a Chinese-based threat group, and an ALPHV/BlackCat ransomware affiliate.

“In collaboration with the 11 providers who participated in this round of ATT&CK Evaluations Managed Services, we rigorously and transparently tested services against two well-known and prolific adversaries,” said William Booth, general manager, ATT&CK Evals, MITRE Engenuity. “The evidence-based results of the evaluation are a valuable resource for organizations in determining which security solutions best address their needs.”

The participants of this evaluation included:

• Bitdefender
• BlackBerry
• CrowdStrike
• Field Effect
• Microsoft
• Palo Alto Networks
• Secureworks
• SecurityHQ
• SentinelOne
• Sophos
• Trend Micro

Results of the evaluations are posted at https://attackevals.mitre-engenuity.org/.

This round of ATT&CK Evals emulated a multi-subsidiary compromise with overlapping operations focusing on defense evasion, exploiting trusted relationships, data encryption, and inhibiting system recovery. ATT&CK Evals mirrored the techniques and malware of menuPass, as well as an ALPHV/BlackCat affiliate’s deployment of BlackCat ransomware to Windows and Linux ESXi servers, highlighting data encryption/destruction and system recovery obstruction behaviors.

Active since at least 2006, menuPass (aka APT10) is believed to be sponsored by the Chinese Ministry of State Security. The group focuses on the exfiltration of sensitive data such as intellectual property and business intelligence in support of Chinese national security objectives. menuPass has targeted the aerospace, construction, engineering, government, and telecommunications sectors primarily in the U.S., Europe, Japan, and Southeast Asia.

“menuPass exemplifies the sophistication and versatility of modern adversaries,” said Amy Robertson, cyber threat intelligence engineering lead, ATT&CK Evals. “The group has demonstrated an affinity to living-off-the-land, while obscuring their activities through fileless execution and obfuscation to evade security controls and hinder analysis. They also have infiltrated trusted relationships to amplify their reach, representing a threat adept at exploiting vulnerabilities in both technology and trust itself."

ALPHV/BlackCat, a prolific Russian-speaking RaaS group that emerged in 2021, is linked to BlackMatter, DarkSide, REvil, and other RaaS groups. ALPHV/BlackCat utilizes ransomware coded in Rust, allowing for enhanced performance, flexibility, and cross-platform capabilities. Group affiliates are alleged to have targeted more than 1,000 victims across the globe, prior to the FBI’s disruption of the group.

“ALPHV/BlackCat represents a potent, multi-vector threat, capitalizing on technical innovations to maximize impact,” added Robertson. “The group’s ransomware-as-a-service (RaaS) model enabled affiliates to leverage defense evasion techniques like obfuscation and kill processes to disable defenses, and to use core data encryption functionality to cripple business operations across sectors.”

Within the evaluation, emulation of menuPass and ALPHV/BlackCat assessed a provider’s ability to detect threats that prioritize stealth, leverage trusted relationships and system tools, and inhibit system recovery through data destruction and encryption.

ABOUT MITRE ENGENUITY

MITRE Engenuity, a subsidiary of MITRE, is a tech foundation for public good. MITRE’s mission-driven teams are dedicated to solving problems for a safer world. Through our public-private partnerships and federally funded R&D centers, we work across government and in partnership with industry to tackle challenges to the safety, stability, and well-being of our nation.

MITRE Engenuity brings MITRE’s deep technical know-how and systems thinking to the private sector to solve complex challenges that government alone cannot solve. MITRE Engenuity catalyzes the collective R&D strength of the broader U.S. federal government, academia, and private sector to tackle national and global challenges. www.mitre-engenuity.org

ABOUT MITRE ENGENUITY ATT&CK^® EVALUATIONS

ATT&CK^® Evaluations is built on the backbone of MITRE’s objective insight and conflict-free perspective. Cybersecurity vendors turn to the ATT&CK Evals program to improve their offerings and to provide defenders with insights into their product’s capabilities and performance. ATT&CK Evals enables defenders to make better informed decisions on how to leverage the products that secure their networks. The program follows a rigorous, transparent methodology, using a collaborative, threat-informed, purple-teaming approach that brings together vendors and MITRE experts to evaluate solutions within the context of ATT&CK. In line with MITRE Engenuity’s commitment to serve the public good, ATT&CK Evals results and threat emulation plans are freely accessible. https://attackevals.mitre-engenuity.org/

View source version on businesswire.com: https://www.businesswire.com/news/home/20240618734332/en/

William Booth, general manager, ATT&CK Evals, MITRE Engenuity, "The evidence-based results of the evaluation are a valuable resource for organizations in determining which security solutions best address their needs.”