Information technology services giant Cognizant suffered a cyber-attack on Friday night, allegedly at the hands of the Maze ransomware operators, it has been reported.
Cognizant is one of the world’s largest IT managed services companies, with over 300,000 employees and over $15 billion in revenue.
As part of its operations, Cognizant remotely manages its clients’ systems through endpoint agents installed on customer workstations, which handle patching, software updates, and remote support.
On Friday, Cognizant began emailing its clients, stating that it had been compromised, and included “a preliminary list of compromise indicators identified by our investigation.” Clients can use this information to monitor their systems for signs of the same intrusion and harden them.
The listed IOCs include server IP addresses and file hashes for the files kepstl32.dll, memes.tmp and maze.dll. These IP addresses and files have been used in previous attacks by the Maze ransomware actors.
There is also a hash for an unnamed new file, but no further information about it.
Security researcher Vitaly Kremez has released a YARA rule that can be used to identify the Maze ransomware DLL.
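As an added illustration (not from the article, Cognizant or the researcher), this is the kind of sweep a client's security team could run against an IOC list of the shape described above: file names, file hashes and server IP addresses. The hash and IP values are constructed placeholders, because the article does not reproduce the real indicators; the file names are the three named in the list.

```python
import hashlib
import os
import re

# Constructed IOC set (names, hashes, IPs); hash and IP values are placeholders.
IOC_FILE_NAMES = {"kepstl32.dll", "memes.tmp", "maze.dll"}
IOC_SHA256 = {hashlib.sha256(b"constructed maze.dll sample").hexdigest()}
IOC_IPS = {"192.0.2.10", "198.51.100.7"}  # RFC 5737 documentation addresses

def classify_file(name, data):
    """IOC reasons for one file; checking both name and hash catches renamed
    copies (hash) as well as recompiled ones that keep the name."""
    reasons = []
    if name.lower() in IOC_FILE_NAMES:
        reasons.append("ioc-name:" + name.lower())
    digest = hashlib.sha256(data).hexdigest()
    if digest in IOC_SHA256:
        reasons.append("ioc-sha256:" + digest[:12])
    return reasons

def sweep_directory(root):
    """Walk a directory tree and return {path: reasons} for matching files."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    reasons = classify_file(fn, fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if reasons:
                hits[path] = reasons
    return hits

def find_ioc_ips(log_lines):
    """Return (line_number, ip) for each IOC address seen in the log lines."""
    return [(n, ip) for n, line in enumerate(log_lines, 1)
            for ip in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", line) if ip in IOC_IPS]

def demo():
    """Run both checks on constructed in-memory data (no real artefacts)."""
    files = {"/srv/agent/memes.tmp": b"harmless placeholder bytes",
             "/srv/agent/update.dll": b"constructed maze.dll sample",
             "/home/user/notes.txt": b"nothing to see here"}
    file_hits = {p: r for p, d in files.items()
                 if (r := classify_file(os.path.basename(p), d))}
    logs = ["allow 10.0.0.5 -> 192.0.2.10:443", "allow 10.0.0.5 -> 93.184.216.34:443",
            "CONNECT 198.51.100.7:443"]
    return file_hits, find_ioc_ips(logs)
```

A real sweep would call `sweep_directory` on the agent and user-writable paths and feed firewall or proxy logs to `find_ioc_ips`; a name-only hit deserves a look but is weaker evidence than a hash hit.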
When we contacted the Maze operators about the attack, they denied that they were responsible.
In the past, Maze has been reluctant to discuss attacks or victims until negotiations have ended. Since this attack is so recent, Maze may be declining to discuss it in order to avoid jeopardizing what they hope will be a ransom payment.
After the attack was reported, Cognizant posted a statement to its website confirming the Maze ransomware attack:
Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack.
Our internal security teams, supplemented by leading cybersecurity firms, are actively working to contain the incident. Cognizant is also engaged with the appropriate law enforcement authorities.
We are in ongoing communication with our clients and have provided them with Indicators of Compromise (IOCs) and other technical information of a defensive nature.
Threat actors may have been on the network for weeks
If the Maze operators carried out the attack, they had likely been on Cognizant’s network for weeks, if not longer.
When enterprise-targeting ransomware operators breach a network, they spread through it slowly and stealthily, stealing files and harvesting credentials as they go.
Once the attackers have obtained administrative credentials for the network, they deploy the ransomware using tools such as PowerShell Empire.
If it’s Maze, it should be considered a data breach
Before running the ransomware, the Maze operators steal unencrypted copies of the victim’s files.
These files are used as leverage for the ransom, because Maze threatens to release the data if the victim does not pay.
These are not idle threats: Maze runs a “news” site on which it publishes data stolen from victims who refuse to pay.
Even if Maze is not behind the attack, as they claim, there is still a good chance that data was stolen, as this has become the standard tactic of ransomware operators.