Research | Our Q3 report details what's new in the world of ransomware.
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Find cyber threats that have evaded your defenses.
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Brands of the world trust ReliaQuest to achieve their security goals.
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
The latest threat research report from ReliaQuest Threat Research research team.
The latest white papers focused on security operations strategy, technology & insight.
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
November 30, 2023
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
A little over a week ago, we wrote a bit about what we knew about the Ransomware-as-a-Service (RaaS) operator group REvil’s (aka Sodinokibi) attack on Kaseya. Now that the dust has settled, we’ll bring you up to speed on what’s happened in the threat landscape so far in this blog.
As of 12 July 2021, Kaseya has announced that all of the needed patches have been released across the VSA Saas infrastructure. Kaseya is continuing to monitor progress and continually posting updates here of ongoing maintenance and patches.
To catch everyone up, REvil was able to gain access to Kaseya via three zero-days tracked under CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120. Kaseya advised customers to shut down its VSA (Virtual System Administrator) service immediately until a fix could be found.
Over the next ten days, Kaseya was able to release patches to fix these issues, which had allowed attackers to exploit flaws that leaked credentials, allowed cross-site scripting, and bypassed two-factor authentication. In the wake of the incident, approximately 1,500 customers were affected.
In a quick and very typical fashion, other criminals decided to take advantage of current events and performed a number of phishing attacks which used the incident as a lure. Luckily, Kaseya warned customers via their update page that spammers were behind these attacks. The attacks took shape as emails containing purported Microsoft patches for Kaseya vulnerabilities but instead served up weaponized links and attachments to unsuspecting users. According to a report from MalwareBytes, this phishing campaign used Cobalt Strike beacons, which, as we’ve discussed before, have become a trendy piece of every adversary’s arsenal.
As Bleeping Computer discovered, there were only two companies who paid a ransom, for whatever reasons. The others were simply unaffected or chose to use backups instead of paying a ransom.
An upside to this attack was that it proved right those in the security community who have advocated for backups over the years. One important thing to highlight is that even though these companies dodged a metaphorical bullet here, there is ransomware that searches for indicators of backups and then encrypts those as well. The attackers in this instance attempted to modify code to do just that but it did not appear to work as planned.
In a final, and possibly unrelated, development, the actors behind REvil seem to have gone incommunicado. In the wee hours before writing this blog, the group’s disclosure site “Happy Blog” was reportedly offline, as some Twitter users discovered:
Also notably absent in recent days was the REvil representative Unknown, who had not been seen on notable forums such as Exploit, and was banned on XSS, as noted in the tweets above. Other underground chatter about the outage is limited, likely due to some Russian-language forums’ hostile attitudes towards discussing ransomware. Some threat actors have speculated that even if law enforcement agencies have successfully targeted REvil, this will not spell the end of the group’s activities. Still, others predicted that the group would reappear under another name or split into smaller groups to attract less attention, which is a thought shared by some researchers in the Twitterverse. One Twitter user noted that it’s not unusual for short-term absences.
However, you spin it, the inaccessibility of the REvil ransomware group’s websites is unusual because the group’s infrastructure has historically been more stable than other ransomware groups. There are possibilities the site’s down from temporary technical issues or upgrades, but it could also signify a law enforcement disruption of the group’s operations. Given the recent absences of REvil representatives, it does pose interesting questions.
Time will only tell, but Digital Shadows (now ReliaQuest) will continue monitoring further insights and any other comments from the underground about this developing situation.
We’ve been talking about this for a long time on our ShadowTalk podcasts and in previous articles: Attacks on the supply chain like this have the potential for disaster, as we saw in this year’s SolarWinds incident, the Accellion breach, and many others previously.
When supply chain attacks happen, it could be a case of a friend, instead of a foe, causing the breach of the network. One could make a pretty decent argument about adding an extra layer of attack surface when it comes to vendors, partners, and other third parties that are linked to your organization through applications and services, much as Kaseya’s VSA application was with so many downstream customers. It may not mean micromanaging everyone else’s security, but some due diligence to ensure partners are doing their best to stay secure or even compliant may go a long way. Digital Shadows (now ReliaQuest) monitors popular breach disclosure blogs that many of these ransomware and extortion groups now run, in addition to catching their online chatter.
While backups seem to have saved the day for many potential victims in this instance, it could be their undoing in the next. However, it’s always a good practice to be disaster-ready and maintain backups, as we’ve talked about before. It might mean building some resilience through a combination of online and offline backups, especially in light of the possibility of backups coming under attack. It also means ensuring the backup images work, and testing the incident response and disaster processes so that all the moving pieces fall into place correctly if the real thing happens.In any case, understanding where those risks lie helps the enterprise stay safe in the current threat landscape. Suppose you’re curious about the intelligence we produce about these and similar attacks (such as the event profile below).
In that case, you can check out Search Light (now ReliaQuest GreyMatter Digital Risk Protection) for seven days or request a demo to see how this type of information might help protect your organization.