WEBINAR | A Deep-Dive into 2023 Cyber Threats
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Beyond MDR
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Operational Technology
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Threat Hunting
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Threat Intelligence
Find cyber threats that have evaded your defenses.
Model Index
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
Phishing Analyzer
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
Integration Partners
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Blog
Company Blog
Case Studies
Brands of the world trust ReliaQuest to achieve their security goals.
Data Sheets
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
eBooks
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Podcasts
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
Solution Briefs
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
White Papers
The latest white papers focused on security operations strategy, technology & insight.
Videos
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
ReliaQuest ResourceCenter
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Threat Research
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
Shadow Talk
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
April 18, 2024
About ReliaQuest
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Leadership
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Careers
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
Contact Us
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
More results...
Across the cyber industry one notion rings truer than most: Threat actors are getting smarter, and we need to do something about it. The goal is to build a world in which cyber security analysts can be confidently proactive, instead of reacting to emerging threats. This very issue is the same reason why both threat intelligence and automation have been top of mind for cyber security leaders since intrusion detection systems (IDS) came to life. However, the birth of IDS technology was a mere hurdle for more savvy threat actors. They found ways to layer, obfuscate, and live off native computer processes, all in order to defeat and evade the myriad of security tools we depend on today. Agent Tesla happens to be one of these sophisticated tools. Being marketed and sold on its own website, the malware has been made widely available to individuals of all technical skill or lack thereof.
It’s no surprise why Agent Tesla has grown so popular in the eyes of threat actors. The ease of use setting up the malware is as simple as checking off boxes on a GUI (graphical user interface). The “official” purchase website has a full tech support team to help you with any and all utilization questions. All marketing of the malware claims that it is a keylogger meant for personal usage only. The malware’s creator (who is thought to be a young man from Antalya, Turkey named Mustafa can Ozaydin) publicly states that the Agent Tesla software should only be used to monitor the buyer’s personal computer. However, both the purchase website and customer service platform have been sighted providing instructions on how to best exploit vulnerabilities and avoid antivirus software.
Agent Tesla is purchased on a monthly subscription format, with four different tiered configurations: Bronze, Silver, Gold, Platinum, each providing different levels of capabilities and customer service. Upon subscribing, users gain access to a dashboard and, with a few clicks, customize what information the malware targets and how the data is exfiltrated.
It is worth noting that after Krebs on Security published an article on Agent Tesla in 2018, the sellers of the malware appear to have either grown flustered or scared, and updated their site stating they “would be suspending sales of the product for a while and banning users found to use Agent Tesla ‘inappropriately.’” As this statement was made within October 2018, It appears that Agent Tesla is back to its old ways. Beginning on June 10th, 2019, Agent Tesla has consistently ranked as one of the top 3 trending malware. However, it has recently been ranking consistently at the number one spot. From what we know about the malware, we can infer that this is due to its usage within COVID-19 phishing campaigns. The nature of the malware makes it perfect for opportunistic threat actors looking to take advantage of panicking business within the healthcare, government, and finance sectors.
In order to defend your enterprise from this ongoing threat, knowledge is one of your best lines of defense. Recent research has identified Agent Tesla being delivered within email attachments by the names of “COVID 19 NEW ORDER FACE MASKS.doc.rtf”, “COVID-19 Supplier Notice.zip” or something along those lines. When a user clicks to download the file, the malware can execute within the impacted device without additional user interaction. Specifically, Agent Tesla is a remote access trojan (RAT) written in .Net. If an attacker is able to fully deliver this RAT onto your device, they will have achieved full computer and network access. The tool specializes in stealing credentials, sensitive information, and keystrokes.
Even more worrisome, it possesses form-grabbing capabilities, allowing it to avoid HTTPS encryption. Form-grabbing lets Agent Tesla pull information directly from a web form before it is passed through the internet. This capability also can snag inputs from virtual keyboards, autofill, and copy or paste if configured to do so. Recent Agent Tesla campaigns have exploited Microsoft Office vulnerabilities residing within Microsoft Office’s inability to properly handle objects in memory securely. Analyzing the capabilities of Agent Tesla, it is clear why we are seeing this impact the healthcare, government, and finance sectors.
The attack sequence looks like the following:
A victim receives a phishing email with a title that entices the user to open the message. Within the message, an attachment resides by the name of “COVID 19 NEW ORDER FACE MASKS.doc.rtf”. The naming scheme suggests that it is just a Microsoft Office document, but it is actually an RTF file that exploits CVE-2017-11882, which is a stack-based buffer overflow vulnerability present in the Microsoft Equation editor tool. This vulnerability allows the attacker to run arbitrary code and after successful exploitation, deliver the Agent Tesla payload. This dropped payload performs code injection, impacting a known windows process by the name of RegAsm.exe. The injected code in RegAsm.exe performs all info-stealing activity and sends it to the command and control server.
These opportunistic threat actors do not appear to be on the verge of slowing down or stopping any time soon. The current social climate is too vulnerable of an environment for attackers to not make attempts at compromising key enterprises. Due to the nature of this threat, the following mitigation procedures should be quickly implemented:
In addition, having the ability to quickly detect, investigate, mitigate, and report on risk are essential security actions to protect your organization from these types of threats. As attacks like Agent Tesla are growing continually more complex, it is essential to ensure your enterprises security devices are working at maximum efficiency. We can see by looking at Agent Tesla there are multiple key opportunities for security teams to catch and prevent malware. Tools such as email security, windows security, antivirus, firewalls, and IDS/IPS can help identify a potential compromise; however, these tools possess limited native integration and correlation capabilities. A scattered security architecture creates limited visibility, which leads to the type of blind spots hackers love to exploit.
ReliaQuest GreyMatter integrates and normalizes data from disparate technologies including SIEM, EDR, multi-cloud, and point tools, on demand, so you always have a unified view to immediately and comprehensively detect and respond to threats from across your environment all within the GreyMatter UI.
Get the most of your threat intelligence for higher fidelity detection and response. Read the white paper for more information!