One month ago, the Russian government began the invasion of Ukraine, triggering one of the most severe security crises in Europe since the collapse of the Soviet Union in 1992. The Photon Intelligence Team has been constantly analyzing the development of this war, providing assessments of the involvement of hacktivism in this conflict, practical advice for security leaders, and tips on how to use intelligence requirements to shape your response to the emerging cyber threats. These resources, along with various other relevant blogs and podcasts, can be found here.
As a consequence of this war, many organizations that had economic or geopolitical ties with Ukraine or its allies raised their internal cyber threat level. The Russian Federation has repeatedly shown itself to be one of the most sophisticated actors in the cyber domain. So far, attacks against Ukrainian organizations have included defacement attacks, Distributed Denial of Service (DDoS) attacks, and the deployment of various wiper malware. Although we have not yet observed a large-scale destructive cyber attack, it is realistically possible that we will in the coming weeks if the conflict escalates further. The USA is well aware of this possibility, which has been highlighted in a recent statement by US President Joe Biden.
For this reason, I have decided to focus our monthly vulnerability intelligence blog on three CVEs directly or indirectly related to this conflict. All three CVEs discussed in this blog have patches available, so if you haven't already applied them, now is the time to harden your security!
Between 13 and 14 January 2022, a Russian-attributed threat actor defaced the websites of more than 70 government agencies in Ukraine, impacting the Ukrainian Foreign Ministry, the Ministry of Education and Science, and other state services. These attacks rendered several of these websites inaccessible, and left threatening messages for Ukrainian citizens, stating that they should “be afraid and expect the worst”.
The following day, Microsoft announced that it detected a destructive wiper malware “WhisperGate” being installed onto computer systems hosting the defaced government websites mentioned above. The WhisperGate malware was designed to initially look like ransomware, although its true purpose was to destroy or render Ukrainian government systems inoperable.
According to this threat brief, threat actors had likely gained initial access to these websites by exploiting CVE-2021-32648, a vulnerability in the OctoberCMS platform prior to version 1.0.472 that allows attackers to gain access to any account via a specially crafted account password reset request.
A public proof of concept (PoC) for this vulnerability was published on GitHub on 14 January 2022, on the second day of the Ukrainian website defacement attack. This PoC allowed organizations to fully grasp how this vulnerability works and how threat actors may have exploited it. A countermeasure for this vulnerability was then published on 09 Feb 2022.
As part of the malicious cyber activity that Russia conducted against Ukrainian targets, the deployment of wiper malware has probably been the most prevalent and pervasive based on what we have observed so far. Security researchers identified at least three different malware strains in the first weeks of the conflict, namely HermeticWiper, IsaacWiper, and Caddy Wiper.
In one instance, security researchers observed attackers exploiting CVE-2021-1636, a known vulnerability in Microsoft SQL Server, to gain an initial foothold in one of the Ukrainian organizations. The access in the victim environment was reportedly used to deploy and then execute HermeticWiper on the attackers’ target.
The same report also claims that the same attackers likely exploited vulnerabilities in Microsoft Exchange Server and Apache Tomcat to steal and dump credentials, run PowerShell commands, and execute malware. As such, it is likely that the threat actor behind these attacks is technically sophisticated and maintains a wide toolbox of potential intrusion vectors.
On 15 Mar 2022, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint advisory containing technical details and mitigations related to the ability of Russian state-sponsored cyber actors to gain network access through exploitation of default multi-factor authentication (MFA) protocols and CVE-2021-34527, a known vulnerability affecting Windows Print Spooler, widely referred to as “PrintNightmare.”
According to the advisory, Russian-state sponsored threat actors have repeatedly exploited PrintNightmare to run arbitrary code with system privileges. This privilege escalation technique was later used to access cloud servers and email accounts, with the ultimate goal of exfiltrating sensitive information.
PrintNightmare is a vulnerability that has been exploited by a large number of threat actors and malware operators since its disclosure. The Associations tab in the Digital Shadows (now ReliaQuest) Vulnerability Intelligence portal helps security professionals analyze the various links malicious actors have had with this vulnerability, and thus shows how severe this vulnerability can be. Patching this vulnerability should be a high priority for organizations concerned about Russian state-sponsored cyber actors during these tense times.
As we've highlighted in this blog, vulnerability intelligence can be an incredible asset for fine-tuning your vulnerability management process. By understanding the context behind individual vulnerabilities, security teams can move away from relying solely on CVSS scores and instead focus on what matters to their organization. Too many vulnerabilities and far too little time are common sentiments among the security community; at Digital Shadows (now ReliaQuest), we pride ourselves on enabling our clients to reduce the noise and focus on what matters. Taking a risk-based approach is the most effective method of targeting vulnerabilities, and it will ultimately have the most significant impact on reducing your overall cyber risk.
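The risk-based approach described above can be made concrete with a small scoring routine. The following is an added example, not code from ReliaQuest or Digital Shadows: it takes the CVSS base score as a starting point and adds the context a vulnerability-intelligence feed supplies (known exploitation, a public PoC, threat-actor associations, patch availability and how much of your own estate is exposed), then contrasts the resulting order with a CVSS-only ranking. The three CVEs from this post appear in the sample data; every field value, including the CVSS numbers, the actor-link counts and the asset counts, is constructed for illustration and should be taken from your own asset inventory and NVD in practice. The `VulnContext`, `risk_score`, `rank_by_cvss` and `rank_by_risk` names and the weights are this example's own choices.

```python
"""Risk-based vulnerability prioritization (added example, not ReliaQuest or
Digital Shadows code). CVSS is the starting point; exploitation context and
your own exposure decide the order. All sample values are constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class VulnContext:
    cve: str
    product: str
    cvss: float               # base score; illustrative here, confirm against NVD
    exploited_in_wild: bool   # exploitation observed (vendor threat brief, CISA/FBI advisory)
    public_poc: bool          # a proof of concept has been published
    threat_actor_links: int   # actors/malware families associated with the CVE (constructed)
    patch_available: bool
    exposed_assets: int       # assets in *your* estate running an affected version (constructed)
    internet_facing: bool     # any of those assets reachable from the internet


def risk_score(v: VulnContext) -> float:
    """Contextual score: CVSS plus evidence of real-world risk to this organization."""
    if v.exposed_assets == 0:
        return 0.0  # nothing affected in your estate: track it, do not spend patch cycles on it
    score = v.cvss
    if v.exploited_in_wild:
        score += 3.0        # in-the-wild exploitation outweighs theoretical severity
    elif v.public_poc:
        score += 1.5        # a public PoC lowers the bar for opportunistic attackers
    score += 0.5 * min(v.threat_actor_links, 4)   # capped so one noisy CVE cannot dominate
    if v.internet_facing:
        score += 1.0
    if not v.patch_available:
        score += 1.0        # no fix yet: compensating controls are needed now
    return round(score, 2)


def rank_by_cvss(vulns: List[VulnContext]) -> List[str]:
    """The naive ordering: highest CVSS first, regardless of context."""
    return [v.cve for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


def rank_by_risk(vulns: List[VulnContext]) -> List[Tuple[str, float]]:
    """The risk-based ordering: highest contextual score first."""
    return [(v.cve, risk_score(v)) for v in sorted(vulns, key=risk_score, reverse=True)]


# Constructed sample data. CVSS values are illustrative; exposure counts are invented.
SAMPLE_VULNS = [
    VulnContext("CVE-2021-34527", "Windows Print Spooler (PrintNightmare)", 8.8,
                exploited_in_wild=True, public_poc=True, threat_actor_links=4,
                patch_available=True, exposed_assets=120, internet_facing=False),
    VulnContext("CVE-2021-1636", "Microsoft SQL Server", 8.8,
                exploited_in_wild=True, public_poc=False, threat_actor_links=1,
                patch_available=True, exposed_assets=3, internet_facing=False),
    VulnContext("CVE-2021-32648", "OctoberCMS < 1.0.472", 9.1,
                exploited_in_wild=True, public_poc=True, threat_actor_links=1,
                patch_available=True, exposed_assets=0, internet_facing=False),
    # Placeholder CVE with a high base score but no exploitation evidence.
    VulnContext("CVE-XXXX-XXXXX (placeholder)", "Placeholder product", 9.8,
                exploited_in_wild=False, public_poc=False, threat_actor_links=0,
                patch_available=True, exposed_assets=10, internet_facing=False),
]


if __name__ == "__main__":
    print("CVSS-only order:", rank_by_cvss(SAMPLE_VULNS))
    print("Risk-based order:", rank_by_risk(SAMPLE_VULNS))
```

Run as-is, the CVSS-only list puts the unexploited placeholder and the OctoberCMS bug (which this sample organization does not even run) at the top, while the risk-based list moves PrintNightmare and the SQL Server flaw, both with observed exploitation and exposed assets, to the front. The weights are deliberately simple and transparent; the point is that the decision inputs are explicit, so a team can defend why one patch was applied before another.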