Newest Maze ransomware victim – IT giant Cognizant


Cognizant began sending a list of relevant IoCs to clients amid Maze ransomware attack

Maze hits Cognizant

Cognizant, one of the largest American IT service providers, has suffered a cyberattack, and the bad news is that the culprit is Maze ransomware. Immediately after the intrusion, indicators of compromise (IoCs) were identified and are now being delivered to Cognizant clients to prevent them from suffering the same fate.

Cognizant employs more than 300,000 people worldwide and is a Fortune 500 company. Besides providing analytics, business intelligence, supply chain management, system integration, and other services, Cognizant also offers consulting and remote support via endpoint clients installed on computers.

The IT giant spotted the intrusion on Friday evening, when most of the staff had already left for home. Such timing is not uncommon for large-scale cyberattacks, as the perpetrators aim to cause the maximum amount of damage during off-work hours.

On Saturday, April 18, the company published a press release regarding the attack, although there was no information about how the malware got into the company or which clients were affected:[1]

Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack.

Cognizant is informing clients and taking other appropriate actions

Upon discovering the Maze ransomware attack, Cognizant immediately began an investigation, employing internal and external resources to contain the intrusion. The company also contacted the appropriate law enforcement agencies.

Since Cognizant provides remote services to other companies, many of its clients might get infected with Maze as well. To prevent that, the IT giant began sending clients IoCs and other technical data related to the attack. The delivered information includes IP addresses that the malware uses, as well as hashes of malware files previously used in Maze ransomware attacks (maze.dll, memes.tmp, and kepstl32.dll). If identified in time, these IoCs can help third parties secure vulnerable systems.
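As an added illustration (not code from the article or from Cognizant), this is the kind of check a client could run against delivered IoCs of the types described above: a file-name and SHA-256 match over a set of files, plus a destination-IP match over proxy log lines. The three file names are the ones the article mentions; the hash, the IP addresses, the log format and the sample data are constructed placeholders, since the real indicators were shared privately.

```python
import hashlib
import re

# Constructed IoC set in the form the article describes. The three file names are
# the ones the article mentions; the hash and IP values are placeholders, since the
# real indicators were shared privately with Cognizant's clients.
IOC_FILENAMES = {"maze.dll", "memes.tmp", "kepstl32.dll"}
IOC_SHA256 = {hashlib.sha256(b"PLACEHOLDER-MAZE-SAMPLE").hexdigest()}  # placeholder hash
IOC_IPS = {"192.0.2.10", "198.51.100.7"}  # RFC 5737 documentation addresses, placeholders
# Constructed proxy log line shape: "<timestamp> <src> -> <dst>:<port>"
PROXY_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\d+(?:\.\d+){3}) -> (?P<dst>\d+(?:\.\d+){3}):(?P<port>\d+)")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def match_files(files: dict) -> list:
    """Return (path, reason) for each file whose basename or SHA-256 is in the IoC set.
    Both checks run independently: a renamed sample still matches on hash, and a
    known-bad name is flagged even if its content differs from the known sample."""
    hits = []
    for path, data in files.items():
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in IOC_FILENAMES:
            hits.append((path, "filename"))
        if sha256_hex(data) in IOC_SHA256:
            hits.append((path, "sha256"))
    return hits

def match_proxy_log(lines) -> list:
    """Return (timestamp, src, dst) for every connection to a known-bad address."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line)
        if m and m.group("dst") in IOC_IPS:
            hits.append((m.group("ts"), m.group("src"), m.group("dst")))
    return hits

# Constructed sample data: a renamed copy of the placeholder sample, a file carrying
# a known-bad name, a benign file, and a log with one connection to a placeholder IP.
SAMPLE_FILES = {
    "C:/Users/alice/AppData/Local/Temp/update.bin": b"PLACEHOLDER-MAZE-SAMPLE",
    "C:/Windows/Temp/kepstl32.dll": b"not the real content",
    "C:/Program Files/app/app.dll": b"benign",
}
SAMPLE_LOG = [
    "2020-04-17T22:15:03Z 10.0.0.5 -> 203.0.113.5:443",
    "2020-04-17T22:16:41Z 10.0.0.5 -> 198.51.100.7:443",
]
```

In real use the file bytes would be read from disk and the log lines streamed from the proxy; the matching logic is unchanged.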

While no information on how the attack occurred was provided, security researchers like Vitali Kremez believe that the main distribution sources are RDP and other remote services.[2] Also, it is highly likely that Maze actors penetrated Cognizant’s servers much earlier – possibly weeks earlier – than the actual attack was performed, spreading the infection laterally, all while hunting for the administrator’s credentials. Once the intrusion is successful, the attackers infect systems with Maze ransomware by using tools like PowerShell Empire.

Since the Cognizant ransomware attack happened only recently, the Maze ransomware authors have not yet claimed responsibility. This is not uncommon, as the developers do not want to compromise ransom negotiations during the critical period following the initial infection.

Maze ransomware actors can expose sensitive details publicly

Maze is one of the major players in the illegal ransomware business, attacking a multitude of high-profile organizations and businesses worldwide. Its previous targets include wire and cable manufacturer Southwire, Medical Diagnostic Laboratories (MDLab), the City of Pensacola,[3] and many others. The malware was first spotted in the summer of 2019, and since then the actors have been expanding their operations rapidly.

Now that Maze has hit Cognizant, it is not yet known how events will unfold. Even if the IT giant possesses working backups and can restore its systems in time, Maze ransomware can damage the company in other ways, namely by exposing sensitive data online for everybody to see. Hence a Maze attack should be considered a data breach by default.

Soon after Maze actors began their operations, they adopted a new trend among ransomware strains: harvesting unencrypted versions of documents and other data and placing them on remote servers. By hijacking this sensitive, company-related information, the actors gain another lever that plays to their advantage, since disclosing such data might be devastating to any company. The threat actors crafted a special website for this purpose and regularly publish information stolen from their victims. This practice has become standard among the most prominent ransomware strains, including Sodinokibi,[4] Doppel Paymer, Nefilim,[5] and many others.

According to Sophos security researchers, companies are often aware of potential security flaws within the IT infrastructure:[6]

The challenge is that today’s successful compromises reflect the security weaknesses that have built up from yesteryear. Companies sometimes suspect that they have weaknesses but simply fail to find them as quickly as the attackers do.