May 20, 2024


MITRE, the creators the popular ATT&CK Framework release version 15, with a key focus on detection engineering, visibility and ICS.

Download the Microsoft 365 Security Guide  - FREE

Complete the form to download your FREE Microsoft 365 Security Guide today, including:

  • A checklist to ensure your organisation is protected.
  • Top tips you can distribute to employees to keep your data safe.
  • Recommended secure configuration settings for your environment.

Sign up on the form and receive the guide instantly.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get Your 'Vulnerability Management Template' FREE!‍

Your Vulnerability Management Template Includes:

  • Full Vulnerability Identification Process Documents
  • Easy to Follow Process Diagrams
  • System and Data Criticality Definitions
  • Vulnerability Triage Process
  • Remediation Allocation Process
  • Root Cause Analysis Process

Secure your organisation today by completing the form for your Vulnerability Management Template.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Download the, 'How to secure Microsoft Office Desktop Deployments Technical Guide' - FREE

  • 15 Technical Controls to help secure your users and keep your business safe.
  • 100’s of reference group policy objects to implement the controls
  • Reference material to learn more about each control

Complete the form to download your free technical guide and secure your organisation today.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

The Headliners

Yesterday, MITRE released version 15 which now documents up to 800 unique pieces of Software, over 150 Groups and up to 30 Campaigns. One of the key changes  that has been made is to the ‘Detections’ section of MITRE ATT&CK, MITRE are moving away from their ‘CAR Analytics’ pseudo-code method of sharing detection opportunities for TTP’s and towards vendor-specific detection code.

Updated Groups

MITRE have introduced 7 new tracked Groups, some of the notable ones being Akira and Mustard Tempest.

Akira  is a ransomware as a service (RaaS) group that emerged mid-2023 and found great early success in brute forcing VPNs without MFA, typically Cisco SSL VPNs. They orchestrated careful campaigns against hypervisors and SQL servers, sometimes spanning weeks in dwell time to ensure they evaded detection and maintained their persistence. Akira gained notoriety for their 1980s style Data Leak Site (DLS) on the dark web.

Mustard Tempest has been a prolific and efficient player in the ransomware ecosystem since 2017. This threat actor is mainly known to operate as an Initial Access Broker (IAB) by operating the ‘SocGholish’ malware distribution network. The group has had affiliations with Lockbit and is known to deploy remote access tools.

For a deep dive analysis of initial access malware, read a recent blog post from our Incident Response team on GootLoader malware which is used as initial access malware.

Changes to Industrial Control Systems (ICS)

MITRE also introduced fresh updates to the ICS side of MITRE ATT&CK, with new Campaigns, Techniques and more.

gray and red factory building under a calm blue sky

ICS Campaigns

Three new ICS campaigns highlight the diversity in motivations and the different means that each threat actor can demonstrate during attacks against ICS/SCADA systems.

  • 2022 Ukraine Electric Power Attack – This campaign is linked to the prior 2015 and 2016 attacks orchestrated by the Sandworm Team. These attacks were conducted to disrupt substations within the Ukrainian power grid by using a combination of tools known as GOGETTER, Neo-REGEORG and CaddyWiper.
  • Triton Safety Instrumented System Attack – This attack was orchestrated against a petrochemical organisation, targeting specific Triconex Safety Controllers. The incident was found due to a safety trip that occurred as a result of the malware.
  • Unitronics Defacement Campaign – This was a collection of multiple intrusions across multiple sectors by a newly tracked group in MITRE v15 known as ‘CyberAv3ngers’ which worked to deface Unistronics Vision Series Programmable Logic Controllers (PLC). The PLCs were found in sectors such as water, wastewater, energy, food and beverage manufacturing and healthcare.  
Programmable logic controller Vision 700 by Unitronics- front

Enterprise Campaigns

Cutting Edge (Ivanti Connect Secure VPN Exploitation Campaign)

MITRE have introduced the campaign that was orchestrated in December 2023 that targeted Ivanti Pulse Secure VPNs (Now known as Connect Secure). The exploitation of these appliances resulted in havoc for many organisations in multiple sectors and regions of the world, including a successful exploitation of MITRE’s own Ivanti VPN.

MITRE also introduced multiple minor changes and updates to existing enterprise campaigns.

Updates to detection content provided by MITRE

Previously, MITRE used a ‘pseudo-code’ approach, typically driven by a separate MITRE project known as ‘Cyber Analytics Repository’ (CAR). MITRE recognise that this was difficult to understand by cyber defenders and have moved towards specific (real-world) query syntax such as Splunk Processing Language.

An example can be found on the detections section of the Execution via PowerShell TTP:

How to use the recent MITRE updates to improve your cyber resilience

We’d recommend you create a threat model that documents your organisations crown jewels and the relevant threat actors, their TTPs and the related detections and mitigations reported by MITRE to drive your cyber resilience efforts.

You can utilise the MITRE ATT&CK Framework and the latest changes to track the most recent threat actors, understand your detection coverage and re-focus your efforts on relevant threat actors and their tactics, techniques, and procedures (TTPs).

A SOC team can also report on all detection coverage of the relevant threats to you. The Precursor SOC map all detections to MITRE ATT&CK and ensure coverage of the latest versions of MITRE ATT&CK to maximise your resilience.

Written by

Precursor Security

Welcome to the world of cybersecurity and penetration expertise with Precursor Security. As the driving force behind our commitment to fortifying the digital landscape, we stand as a collective embodiment of experience, innovation, and a shared dedication to online safety.