US multinational corporation Cognizant has been struck by a cyberattack allegedly carried out by the operators of the Maze ransomware.
Worth more than $15bn (£12bn) and employing almost 300,000 personnel, Cognizant is among the world’s largest providers of managed IT services.
As an integral element of its services, Cognizant manages its clients remotely using agents or endpoint clients installed on customer workstations, so it can roll out software updates and patches and carry out other support services at a distance.
Identifying the origin of attack
Last Friday, April 17, Cognizant started sending emails to its client base, informing them the company had been compromised. A list of preliminary indicators of a compromise was included in the missive in the hope that clients could use it to monitor and secure their systems.
The indicators of compromise included file hashes and IP addresses for the files maze.dll, memes.tmp and kepstl32.dll. These files and IP addresses have commonly been used by the Maze ransomware actors in their cyberattacks.
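The list Cognizant sent its clients is exactly the kind of input an IoC hunt runs on: file names, file hashes and IP addresses. The following is an added example of how a client could check its own workstations and logs against such a list; it is not code from the article, from Cognizant or from Galaxkey. It uses the three file names the article mentions, but every hash and IP address in it is a constructed placeholder (the hash is computed from a sample file the script creates itself, and the IPs come from the RFC 5737 documentation ranges), not a real Maze indicator. A hash match is reported separately from a bare file-name match, because a file that only shares a name with an indicator is a weak signal that needs the hash to confirm it.

```python
import hashlib
import os
import re
import tempfile

# Indicator list shaped like the one described in the article. The file names are
# the ones the article cites; the IPs are CONSTRUCTED placeholders from the
# RFC 5737 test ranges, and the hashes are supplied at run time (see demo()).
IOC_FILENAMES = {"maze.dll", "memes.tmp", "kepstl32.dll"}
IOC_IPS = {"203.0.113.7", "198.51.100.23"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_files(root, ioc_hashes, ioc_names=IOC_FILENAMES):
    """Walk root and return (path, kind) pairs.

    kind is 'hash' when the file's SHA-256 is on the indicator list (strong match)
    and 'name' when only the file name matches (weak match, needs investigation).
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the whole hunt
            if digest in ioc_hashes:
                hits.append((path, "hash"))
            elif name.lower() in ioc_names:
                hits.append((path, "name"))
    return hits


def hunt_logs(lines, ioc_ips=IOC_IPS):
    """Return (line_number, ip) pairs for log lines that mention an indicator IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in ioc_ips:
                hits.append((n, ip))
    return hits


def demo():
    """Build a constructed sample tree and log, run both hunts, return the results."""
    tmp = tempfile.mkdtemp()
    # Sample file whose hash goes onto the indicator list: a strong (hash) match.
    sample = os.path.join(tmp, "memes.tmp")
    with open(sample, "wb") as f:
        f.write(b"constructed sample content, not malware\n")
    # A file that merely shares an indicator's name: reported as a name match only.
    sub = os.path.join(tmp, "sub")
    os.makedirs(sub)
    with open(os.path.join(sub, "maze.dll"), "wb") as f:
        f.write(b"unrelated content that only shares the file name\n")
    with open(os.path.join(tmp, "readme.txt"), "wb") as f:
        f.write(b"benign\n")
    ioc_hashes = {sha256_of(sample)}  # constructed: derived from the sample file above
    file_hits = hunt_files(tmp, ioc_hashes)
    log_lines = [  # constructed firewall-style log lines
        "2020-04-17T10:01:02Z ALLOW 10.0.0.5 -> 203.0.113.7:443",
        "2020-04-17T10:01:05Z ALLOW 10.0.0.5 -> 192.0.2.10:443",
        "2020-04-17T10:02:11Z DENY 198.51.100.23 -> 10.0.0.12:445",
    ]
    log_hits = hunt_logs(log_lines)
    return file_hits, log_hits


if __name__ == "__main__":
    files, logs = demo()
    for path, kind in files:
        print(f"file {kind} match: {path}")
    for n, ip in logs:
        print(f"log line {n} contacts indicator IP {ip}")
```

In real use the `ioc_hashes` set and `IOC_IPS` would be loaded from the vendor's list, and `hunt_files` would be pointed at the endpoint's system and user directories; the name-only matches are the ones to triage by hand, since a hash match already confirms the file.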
When contacted regarding the attack on Cognizant, Maze operators denied any responsibility. In the past, Maze has not always come forward to discuss such attacks or their targets until negotiations stall. Because the cyberattack is very recent, Maze may be staying silent about its attempt to hit Cognizant so as not to complicate what could potentially result in a ransom payment.
After it reported the threat to its clients, Cognizant followed up the move with a statement posted on its website to confirm that Maze ransomware is the cause of the attack:
“Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack. Our internal security teams, supplemented by leading cyber defence firms, are actively taking steps to contain this incident. Cognizant has also engaged with the appropriate law enforcement authorities. We are in ongoing communication with our clients and have provided them with Indicators of Compromise (IOCs) and other technical information of a defensive nature.”
Penetration planned over time
If Maze operators carried out the attack on Cognizant, it is likely they had been present in the company’s network for some time – potentially weeks or even longer. When ransomware operators who target enterprises successfully breach a company network, they spread through it slowly and discreetly, stealthily obtaining both files and credentials. They work their way laterally towards administrator credentials that give them authority and access, then deploy their ransomware using post-exploitation frameworks such as PowerShell Empire.
If Maze is responsible for the attack, it must be acknowledged and treated as a serious data breach. Its method of attack involves stealing unencrypted files before encrypting them. The stolen files are then used to extort a payment, and if the organisation refuses to pay the requested ransom, Maze threatens to publish the stolen sensitive data on its “News” site.
Ensure your files are encrypted both at rest and in transit at all times. Galaxkey email, document and workspace encryption will help you do that.