The United Kingdom’s National Cyber Security Centre (NCSC) recently released its Incident trends report (October 2018 – April 2019), which highlights some of the trends seen across various UK government entities, organizations, and sectors. This is a pretty cool supplemental report from the NCSC (also a first, if I’m not mistaken?) that builds on the Weekly Threat Reports the organization releases, you guessed it, every week.
Trend analysis is an important topic within threat intelligence: forecasting where things are headed, whether they’re getting better, worse, or different, and where we should be focusing our precious security dollars. I previously wrote a blog detailing the FBI’s annual IC3 report, and though there are obvious differences between the two organizations, I think it’s important to see how government entities are responding to everyday cyber threats and the trends that emerge from those responses.
Let’s dig into it!
The first thing the NCSC chose to highlight in its report was the observed attacks against Office 365, Microsoft’s cloud productivity suite. According to Microsoft, there were over 155 million Office 365 business users as of 2018, a massive attack surface for a single service. Combine that with the fact that passwords get reused all the time, and that many tenants synchronize credentials with their on-premises Active Directory (Office 365 makes this easy for Windows shops, so the same password opens both the domain and the cloud mailbox), and it’s no wonder threat actors see it as an appealing target.
Figure 1: User looking to purchase Office 365 accounts in bulk. Source: Digital Shadows
The NCSC rightly points out that because these services are cloud-based, and therefore reachable from the open Internet, attacks can be carried out at a far larger scale, from anywhere in the world, than on-premises infrastructure ever allowed. Accessibility, in this case, puts defenders on their heels. The techniques observed are common ones, too: the NCSC highlights password spraying (one or a few common passwords tried against many accounts, slowly enough to stay under lockout thresholds) and credential stuffing (username and password pairs harvested from other breaches replayed against Office 365) as the two main attacks against Office 365 logins. As we highlighted in our team’s blog on the Account Takeover Kill Chain, credential stuffing is just one stage in the overall attack cycle against a service like Office 365.
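To make the two techniques concrete, here is an added detection example (not from the NCSC report or from the original post) that runs over a handful of constructed Azure AD sign-in records. The only Microsoft specifics it relies on are the documented sign-in result codes 50126 (invalid username or password) and 50034 (user account not found); the thresholds, the hour-sized window and the sample log are illustrative assumptions. The heuristics are the ones described above: a spray comes from one source against many accounts with very few tries each, while stuffing replays one pair per account from many sources and, because the pairs came from someone else’s breach, often hits accounts that don’t exist in your tenant.

```python
"""
Spotting password spraying and credential stuffing in Azure AD / Office 365
sign-in logs. Constructed example: the log records below are made up and the
thresholds are illustrative, not tuned for any real tenant.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Azure AD sign-in result codes referenced below.
BAD_PASSWORD = "50126"    # invalid username or password
USER_NOT_FOUND = "50034"  # account does not exist in this tenant
SUCCESS = "0"

# Constructed sample log: (timestamp, user, source_ip, result_code).
# Addresses are from documentation ranges; none of this is real data.
SAMPLE_LOG = [
    # One source tries a single guess against many accounts -> password spray
    ("2019-03-01T08:00:01", "alice@example.com", "203.0.113.10", BAD_PASSWORD),
    ("2019-03-01T08:00:03", "bob@example.com",   "203.0.113.10", BAD_PASSWORD),
    ("2019-03-01T08:00:05", "carol@example.com", "203.0.113.10", BAD_PASSWORD),
    ("2019-03-01T08:00:07", "dave@example.com",  "203.0.113.10", BAD_PASSWORD),
    ("2019-03-01T08:00:09", "erin@example.com",  "203.0.113.10", BAD_PASSWORD),
    ("2019-03-01T08:00:11", "frank@example.com", "203.0.113.10", SUCCESS),
    # Alice fat-fingers her own password from her usual address -> benign
    ("2019-03-01T08:10:00", "alice@example.com", "192.0.2.5", BAD_PASSWORD),
    ("2019-03-01T08:10:20", "alice@example.com", "192.0.2.5", BAD_PASSWORD),
    ("2019-03-01T08:10:40", "alice@example.com", "192.0.2.5", SUCCESS),
    # A breach dump replayed one pair per IP; most names don't exist here
    # -> credential stuffing
    ("2019-03-01T09:00:00", "gina@example.com", "198.51.100.1", USER_NOT_FOUND),
    ("2019-03-01T09:00:01", "hank@example.com", "198.51.100.2", USER_NOT_FOUND),
    ("2019-03-01T09:00:02", "ivan@example.com", "198.51.100.3", BAD_PASSWORD),
    ("2019-03-01T09:00:03", "judy@example.com", "198.51.100.4", USER_NOT_FOUND),
    ("2019-03-01T09:00:04", "karl@example.com", "198.51.100.5", BAD_PASSWORD),
    ("2019-03-01T09:00:05", "liam@example.com", "198.51.100.6", USER_NOT_FOUND),
    ("2019-03-01T09:00:06", "mona@example.com", "198.51.100.7", USER_NOT_FOUND),
    ("2019-03-01T09:00:07", "nick@example.com", "198.51.100.8", BAD_PASSWORD),
]


def hour_bucket(ts):
    """Coarse one-hour window; a production detection would use a sliding window."""
    return datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H")


def detect_password_spray(log, min_users=5, max_tries_per_user=2):
    """Password spray: one source IP, many distinct target users, few tries each
    (the attacker rotates users, not passwords, to stay under lockout limits).
    Returns {(ip, hour): {"users": n, "hits": [users that also succeeded]}}."""
    per_source = defaultdict(lambda: {"fails": Counter(), "ok": set()})
    for ts, user, ip, code in log:
        key = (ip, hour_bucket(ts))
        if code == SUCCESS:
            per_source[key]["ok"].add(user)
        else:
            per_source[key]["fails"][user] += 1
    alerts = {}
    for key, d in per_source.items():
        fails = d["fails"]
        if len(fails) >= min_users and max(fails.values()) <= max_tries_per_user:
            alerts[key] = {"users": len(fails), "hits": sorted(d["ok"])}
    return alerts


def detect_credential_stuffing(log, min_users=5, max_ip_share=0.5,
                               min_unknown_share=0.3, min_single_share=0.8):
    """Credential stuffing: in one window, many distinct users attacked from many
    IPs, almost all with a single attempt, and a large share of accounts that do
    not exist (the pairs came from someone else's breach, not from recon of this
    tenant). Returns {hour: {"users": n, "ips": n, "unknown": n}}."""
    per_hour = defaultdict(list)
    for ts, user, ip, code in log:
        if code != SUCCESS:
            per_hour[hour_bucket(ts)].append((user, ip, code))
    alerts = {}
    for hour, fails in per_hour.items():
        users = Counter(u for u, _, _ in fails)
        ips = Counter(i for _, i, _ in fails)
        if len(users) < min_users:
            continue
        top_ip_share = ips.most_common(1)[0][1] / len(fails)
        unknown = sum(1 for _, _, c in fails if c == USER_NOT_FOUND)
        single_share = sum(1 for n in users.values() if n == 1) / len(users)
        if (top_ip_share <= max_ip_share
                and unknown / len(fails) >= min_unknown_share
                and single_share >= min_single_share):
            alerts[hour] = {"users": len(users), "ips": len(ips), "unknown": unknown}
    return alerts


if __name__ == "__main__":
    for (ip, hour), info in detect_password_spray(SAMPLE_LOG).items():
        print(f"spray from {ip} in {hour}: {info['users']} users, hits={info['hits']}")
    for hour, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"stuffing in {hour}: {info['users']} users from {info['ips']} IPs, "
              f"{info['unknown']} non-existent accounts")
```

On the sample, the spray from 203.0.113.10 is flagged together with the one account it actually got into, Alice’s two typos are ignored, and the 09:00 burst is flagged as stuffing. Two caveats before lifting this into a SIEM: real sprays are slow (one guess per account every 30 minutes or more, to stay under lockout thresholds), so the hour bucket needs to become a multi-hour sliding window, and distributed sprays need grouping by ASN or by user agent rather than by a single IP. Detection is the second line of defence; MFA and conditional access come first, because they make a correctly guessed password far less useful.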
As you’d imagine, one of the common goals of these attacks appeared to be stealing data in the form of intellectual property, or conducting ongoing espionage activity (and potentially other types of information gathering). This is the go-to goal that people think of, probably because it’s the easiest to wrap your head around: “someone is trying to access my email service, so they must want to know what I’m talking about”. However, a compromised email account also enables far more convincing phishing, because the internal account is already a trusted contact. For instance, a common initial mitigation against phishing is to plainly flag external email to internal users (see Figure 2 below).
Figure 2: The “[EXT]” and “Message origination” tags can be added in the administrative Office 365 security settings.
But what if the phishing email is sent from a compromised internal account, with your company’s domain in the sender address? It arrives untagged, sidestepping that first blocker entirely, and the familiar sender adds perceived legitimacy to the phish.
Additionally, even though we’re talking about a cloud service that isn’t technically part of your infrastructure, a compromised account for a service like Office 365 can lead to actual network intrusions. The NCSC has observed exactly this scenario with VPN access. Users or administrators may set a VPN login to match the internal Active Directory credentials, or those of another service, so there is no new set of credentials to remember. Attackers routinely exploit that password reuse: a password obtained from the cloud service is simply tried against the VPN, and if it works, the intruder is on the internal network.
Ransomware isn’t going away. Seemingly every day there’s a new report that a small municipality in the United States has been hit, with demands reaching into the millions of dollars. The UK isn’t immune either. As the NCSC report points out, Ryuk, LockerGoga, and BitPaymer were all fairly prevalent over the reporting period. Additionally, the Emotet, TrickBot, and Dridex botnets have all been seen delivering ransomware as a follow-on payload once they’re installed on a machine. If there was any doubt that botnets are used for MUCH more than denial-of-service attacks, rethink your assumptions.
As a follow-up in the timeline to the report (which covers up to April 2019), we’ve seen the fall of GandCrab, the über-popular ransomware-as-a-service, which shut down operations after its operators claimed that victims had paid over $2 billion in extortion. Since then, new players have entered the arena: Sodinokibi and Nemty.
Sodinokibi/Sodin/REvil has already made a significant name for itself, initially exploiting CVE-2019-2725, a deserialization vulnerability in Oracle WebLogic Server that allows unauthenticated remote code execution. Most recently, the variant was observed being delivered via fake Q&A overlay pages injected into compromised WordPress websites. It has also been theorized that Sodinokibi was created by the GandCrab authors as a follow-up variant. Could this be the next billion-dollar ransomware?
TWO Star Wars references in one blog?! Who let me get away with this?
Just as the Death Star was ultimately brought down by a data leak from within the Empire’s supply chain (THREE?!), supply chain attacks continue to this day (and in this galaxy). Supply chains are being attacked by nation-state threat actors such as APT10, which targeted managed service providers to reach their customers, as well as by cybercriminals looking to monetize their attacks, like the operators of GandCrab. It’s important that supply chain partners are evaluated and held to the same security standards as the company itself: a partner’s access to your environment is exactly what makes it an attractive target.
The NCSC has a few recommendations for mitigating the threats outlined in its report. These are all well-known mitigations, but they’re worth recapping here so you can assess whether they could help protect your organization:
Office 365 attacks:
Ransomware infections:
Supply chain risks:
If you’re a threat intelligence geek like me, make sure to subscribe to our email list below so you can get more cyber threat trends and updates like these.