April 28, 2024

MITRE Releases MITRE ATT&CK v15

MITRE, the creators of the popular ATT&CK Framework, have released version 15, with a key focus on detection engineering, visibility and ICS.


The Headliners

Yesterday, MITRE released version 15, which now documents up to 800 unique pieces of Software, over 150 Groups and up to 30 Campaigns. One of the key changes is to the ‘Detections’ section of MITRE ATT&CK: MITRE are moving away from their ‘CAR Analytics’ pseudo-code method of sharing detection opportunities for TTPs and towards vendor-specific detection code.

Updated Groups

MITRE have introduced 7 new tracked Groups, notably Akira and Mustard Tempest.

Akira is a ransomware-as-a-service (RaaS) group that emerged in mid-2023 and found great early success in brute-forcing VPNs without MFA, typically Cisco SSL VPNs. They orchestrated careful campaigns against hypervisors and SQL servers, sometimes with dwell times spanning weeks to ensure they evaded detection and maintained their persistence. Akira gained notoriety for their 1980s-style Data Leak Site (DLS) on the dark web.

Mustard Tempest has been a prolific and efficient player in the ransomware ecosystem since 2017. This threat actor is mainly known to operate as an Initial Access Broker (IAB) by running the ‘SocGholish’ malware distribution network. The group has had affiliations with LockBit and is known to deploy remote access tools.

For a deeper analysis of initial access malware, read our Incident Response team’s recent blog post on GootLoader, which is used as initial access malware.

Changes to Industrial Control Systems (ICS)

MITRE also introduced fresh updates to the ICS side of MITRE ATT&CK, with new Campaigns, Techniques and more.


ICS Campaigns

Three new ICS campaigns highlight the diversity in motivations and the different means that each threat actor can demonstrate during attacks against ICS/SCADA systems.

  • 2022 Ukraine Electric Power Attack – This campaign is linked to the prior 2015 and 2016 attacks orchestrated by the Sandworm Team. These attacks were conducted to disrupt substations within the Ukrainian power grid by using a combination of tools known as GOGETTER, Neo-REGEORG and CaddyWiper.
  • Triton Safety Instrumented System Attack – This attack was orchestrated against a petrochemical organisation, targeting specific Triconex Safety Controllers. The incident was discovered when the malware caused a safety trip.
  • Unitronics Defacement Campaign – This was a collection of multiple intrusions across multiple sectors by a group newly tracked in MITRE v15, known as ‘CyberAv3ngers’, which worked to deface Unitronics Vision Series Programmable Logic Controllers (PLCs). The PLCs were found in sectors such as water, wastewater, energy, food and beverage manufacturing, and healthcare.

Enterprise Campaigns

Cutting Edge (Ivanti Connect Secure VPN Exploitation Campaign)

MITRE have introduced a campaign, orchestrated in December 2023, that targeted Ivanti Pulse Secure VPNs (now known as Connect Secure). The exploitation of these appliances caused havoc for many organisations across multiple sectors and regions of the world, including a successful exploitation of MITRE’s own Ivanti VPN.

MITRE also introduced multiple minor changes and updates to existing enterprise campaigns.

Updates to detection content provided by MITRE

Previously, MITRE used a ‘pseudo-code’ approach, typically driven by a separate MITRE project known as the ‘Cyber Analytics Repository’ (CAR). MITRE recognised that this was difficult for cyber defenders to understand and have moved towards specific (real-world) query syntax such as Splunk Processing Language.

An example can be found in the detections section of the Execution via PowerShell TTP.
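To show what the shift from pseudo-code to concrete, runnable detection logic looks like in practice, here is an added example (not MITRE's published analytic and not Precursor's code) for the PowerShell execution technique, T1059.001. It runs over a handful of constructed Sysmon-style process-creation events; the key=value log format, the indicator regexes (encoded command, profile and execution-policy bypass, hidden window, script-host parent) and the sample events are all assumptions made for the example.

```python
"""T1059.001 (PowerShell) detection as runnable code, run over constructed
Sysmon-style process-creation events. Added example; the log format, the
indicator set and the parent-process list are assumptions."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass
from typing import Optional

TECHNIQUE = "T1059.001"  # ATT&CK: Command and Scripting Interpreter: PowerShell

# Constructed sample payload: base64 of UTF-16LE, as -EncodedCommand expects.
ENCODED = base64.b64encode("Write-Host hi".encode("utf-16le")).decode("ascii")

# Constructed sample events (key=value; values with spaces are quoted).
SAMPLE_EVENTS = [
    # encoded, hidden, profile-less launch from cmd.exe: should alert
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    f'CommandLine="powershell.exe -nop -w hidden -enc {ENCODED}" '
    "ParentImage=C:\\Windows\\System32\\cmd.exe",
    # execution-policy bypass launched by a script host: should alert
    'EventID=1 Image="C:\\Program Files\\PowerShell\\7\\pwsh.exe" '
    'CommandLine="pwsh.exe -ep bypass -File C:\\Users\\Public\\run.ps1" '
    "ParentImage=C:\\Windows\\System32\\wscript.exe",
    # routine scheduled admin script: must not alert
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    'CommandLine="powershell.exe -File C:\\Scripts\\backup.ps1" '
    "ParentImage=C:\\Windows\\explorer.exe",
    # not PowerShell at all: ignored
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe "
    'CommandLine="notepad.exe notes.txt" ParentImage=C:\\Windows\\explorer.exe',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumed indicators: each maps an analyst-readable reason to a regex over the
# command line. The "-e" family is matched only when followed by whitespace so
# that "-ep bypass" is not mistaken for an encoded command.
INDICATORS = {
    "encoded command": re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s", re.I),
    "profile bypass": re.compile(r"-(?:nop|noprofile)\b", re.I),
    "hidden window": re.compile(r"-(?:w|win|windowstyle)\s+hidden\b", re.I),
    "execution policy bypass": re.compile(r"-(?:ep|executionpolicy)\s+bypass\b", re.I),
}
ENCODED_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
SCRIPT_HOST_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe"}  # assumption


@dataclass
class Finding:
    technique: str
    image: str
    reasons: list[str]
    decoded_command: Optional[str] = None


def parse_event(line: str) -> dict[str, str]:
    """Parse one key=value event line; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode -EncodedCommand (base64 of UTF-16LE) for analyst context."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def evaluate(event: dict[str, str]) -> Optional[Finding]:
    """Return a Finding when a PowerShell host shows suspicious launch traits."""
    image = basename(event.get("Image", ""))
    if image not in {"powershell.exe", "pwsh.exe"}:
        return None
    cmdline = event.get("CommandLine", "")
    reasons = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    parent = basename(event.get("ParentImage", ""))
    if parent in SCRIPT_HOST_PARENTS:
        reasons.append(f"launched by script host {parent}")
    if not reasons:
        return None
    return Finding(TECHNIQUE, image, reasons, decode_encoded_command(cmdline))


def run_detection(lines: list[str]) -> list[Finding]:
    """Apply the detection to each event line and collect the findings."""
    return [f for f in (evaluate(parse_event(line)) for line in lines) if f]


if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        print(finding)
```

The point is not the exact regexes, which a real deployment would tune against its own baseline, but that a defender can read the logic, run it against sample data and see which benign event is deliberately excluded; that is what a vendor-specific query offers over a pseudo-code description.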

How to use the recent MITRE updates to improve your cyber resilience

We’d recommend you create a threat model that documents your organisation’s crown jewels and the relevant threat actors, their TTPs, and the related detections and mitigations reported by MITRE, and use it to drive your cyber resilience efforts.

You can utilise the MITRE ATT&CK Framework and the latest changes to track the most recent threat actors, understand your detection coverage and re-focus your efforts on relevant threat actors and their tactics, techniques, and procedures (TTPs).

A SOC team can also report to you on detection coverage of the relevant threats. The Precursor SOC maps all detections to MITRE ATT&CK and maintains coverage against the latest version of MITRE ATT&CK to maximise your resilience.
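The threat-model-driven coverage exercise described above can be automated. The following is an added example (not Precursor's SOC tooling and not MITRE's data) that maps a detection catalogue onto the techniques used by the groups in your threat model, reports coverage per group and ranks the undetected techniques by how many relevant groups use them. The technique IDs are real ATT&CK IDs, but which group uses which technique, and the rule names, are constructed sample data for the example; take the real mappings from attack.mitre.org for your own model.

```python
"""Coverage reporting: detection catalogue vs. threat model of relevant groups.
Added example with constructed sample data; not MITRE's authoritative mappings."""
from __future__ import annotations

import re
from collections import Counter

TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")  # Txxxx or Txxxx.yyy

# Constructed threat model: techniques attributed to each relevant group.
THREAT_MODEL: dict[str, set[str]] = {
    "Akira": {"T1110", "T1133", "T1021.001", "T1105", "T1486", "T1059.001"},
    "Mustard Tempest": {"T1189", "T1204.002", "T1105", "T1219", "T1059.001"},
}

# Constructed detection catalogue: rule name -> techniques it is mapped to.
DETECTIONS: dict[str, set[str]] = {
    "ps_encoded_command": {"T1059.001"},
    "vpn_password_spray": {"T1110"},
    "rdp_lateral_movement": {"T1021.001"},
    "browser_dropped_script_execution": {"T1204.002"},
}


def validate_mappings(detections: dict[str, set[str]]) -> list[str]:
    """Return rule names that carry a malformed technique ID (catches typos)."""
    return sorted(rule for rule, tids in detections.items()
                  if any(not TECHNIQUE_ID.match(t) for t in tids))


def parent_technique(tid: str) -> str:
    return tid.split(".", 1)[0]


def covered_techniques(detections: dict[str, set[str]]) -> set[str]:
    """Assumption: a sub-technique detection also counts toward its parent,
    but a parent-level detection does not claim every sub-technique."""
    covered: set[str] = set()
    for tids in detections.values():
        for t in tids:
            covered.add(t)
            covered.add(parent_technique(t))
    return covered


def coverage_by_group(model: dict[str, set[str]],
                      detections: dict[str, set[str]]) -> dict[str, tuple[int, int]]:
    """Per group: (techniques with at least one detection, techniques used)."""
    covered = covered_techniques(detections)
    return {group: (len(tids & covered), len(tids)) for group, tids in model.items()}


def prioritised_gaps(model: dict[str, set[str]],
                     detections: dict[str, set[str]]) -> list[tuple[str, int]]:
    """Undetected techniques, most-shared across relevant groups first."""
    covered = covered_techniques(detections)
    gaps = Counter(t for tids in model.values() for t in tids if t not in covered)
    return sorted(gaps.items(), key=lambda kv: (-kv[1], kv[0]))


def rules_for(technique: str, detections: dict[str, set[str]]) -> list[str]:
    """Rules mapped to a technique directly or to one of its sub-techniques."""
    return sorted(rule for rule, tids in detections.items()
                  if technique in tids
                  or any(parent_technique(t) == technique for t in tids))


if __name__ == "__main__":
    bad = validate_mappings(DETECTIONS)
    if bad:
        raise SystemExit(f"malformed technique IDs in rules: {bad}")
    for group, (hit, total) in coverage_by_group(THREAT_MODEL, DETECTIONS).items():
        print(f"{group}: {hit}/{total} techniques covered")
    print("gaps to prioritise (technique, groups using it):")
    for technique, count in prioritised_gaps(THREAT_MODEL, DETECTIONS):
        print(f"  {technique}  x{count}")
```

Re-running this after each ATT&CK release, with the threat model refreshed for newly tracked groups such as the ones added in v15, shows immediately which of the new or changed techniques your SOC has no detection for.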



Written by

Precursor Security

