Cognizant, a large IT service provider, has been hit by the Maze ransomware. The attack led to service interruptions for some of its customers. Cognizant provides on-premises and cloud services to companies around the world, including technology, consulting and operations services (its specialists remotely manage customers' machines to install patches, update software, provide remote support, and so on).
The company has approximately 300,000 employees worldwide and ranks 193rd on the Fortune 500 list. Its customers include large banks, healthcare and manufacturing organizations, and many others.
Last weekend the IT giant confirmed that it had suffered a ransomware attack, saying that its systems were infected with the Maze ransomware. It has not yet been reported exactly how many systems were affected, but the incident is known to have caused service interruptions for some customers and, potentially, to have put those customers at risk as well.
The company has already contacted law enforcement and published indicators of compromise for its clients, including the IP addresses of servers and the hashes of the files kepstl32.dll, memes.tmp and maze.dll. The IP addresses and files on this list have already been used in previous Maze attacks.
Based on this data, security researcher Vitali Kremez prepared a YARA rule that can be used to detect the Maze ransomware DLL.
"High alert related to the yet another ransomware attack perpetrated by the Maze group possibly affecting @Cognizant. Reviewing & mitigating against the usual Maze TTPs (including RDP + remote services as an attack vector) is advisable", wrote Vitali Kremez on Twitter, linking to the YARA rule on GitHub.
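The indicators published for this incident are of three kinds: file names, file hashes and server IP addresses. The script below, an added example written for this page and not code from Cognizant, Kremez or the article, shows how a defender would sweep a directory and a connection log against such a list. The three file names are the ones the article reports; every hash, IP address (RFC 5737 documentation ranges) and log line is constructed for the demo and is not a real Maze indicator. The helper names (`IOCSet`, `sweep_files`, `sweep_log`, `run_demo`) are this example's own.

```python
"""
Added example: match files and connection-log lines against an IOC list of
file names, SHA-256 hashes and server IPs. Hashes, IPs and log lines below
are constructed for the demo; only the three file names come from the article.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass


@dataclass
class IOCSet:
    sha256: set      # lowercase hex digests of known-bad files
    filenames: set   # lowercase file names seen in earlier attacks
    ips: set         # attacker server addresses


# Constructed stand-in for a malicious DLL body; its hash is the "IOC hash".
PAYLOAD = b"constructed sample bytes standing in for a Maze DLL (not real malware)"

# Constructed firewall-style log lines using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "2020-04-18T02:11:09Z ALLOW tcp 10.0.5.23:51234 -> 192.0.2.10:443",
    "2020-04-18T02:11:10Z ALLOW tcp 10.0.5.23:51235 -> 203.0.113.9:443",
    "2020-04-18T02:12:40Z ALLOW tcp 10.0.7.8:3389 <- 198.51.100.7:61022",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_iocs():
    """IOC list in the shape of the one described in the article (values constructed)."""
    return IOCSet(
        sha256={hashlib.sha256(PAYLOAD).hexdigest()},
        filenames={"kepstl32.dll", "memes.tmp", "maze.dll"},
        ips={"192.0.2.10", "198.51.100.7"},   # assumed attacker servers, not real IOCs
    )


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root, iocs):
    """Return (path, sha256, reasons) for every file matching a name or hash IOC.

    Hash matching also catches a renamed copy; name matching also catches a
    recompiled sample dropped under a known name."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in iocs.filenames:
                reasons.append("filename")
            digest = sha256_file(path)
            if digest in iocs.sha256:
                reasons.append("sha256")
            if reasons:
                hits.append((path, digest, reasons))
    return hits


def sweep_log(lines, iocs):
    """Return (line number, ip, line) for every line mentioning an IOC address."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in iocs.ips:
                hits.append((lineno, ip, line.strip()))
    return hits


def run_demo():
    """Build a throwaway directory with a named drop, a renamed copy and a benign
    file, then sweep it and the constructed log. Returns (file_hits, log_hits)."""
    iocs = build_iocs()
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "kepstl32.dll"), "wb") as f:
            f.write(PAYLOAD)               # matches by name and by hash
        with open(os.path.join(root, "report.tmp"), "wb") as f:
            f.write(PAYLOAD)               # renamed copy: matches by hash only
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"benign content")     # no match
        file_hits = sweep_files(root, iocs)
    log_hits = sweep_log(SAMPLE_LOG, iocs)
    return file_hits, log_hits


if __name__ == "__main__":
    files, logs = run_demo()
    for path, digest, reasons in files:
        print(f"FILE  {path}  {digest[:16]}...  matched by {', '.join(reasons)}")
    for lineno, ip, line in logs:
        print(f"LOG   line {lineno}: {ip} in '{line}'")
```

Replace the constructed values with the indicators Cognizant actually published before using this on real hosts. Exact-hash matching is brittle, since a rebuilt sample has a new digest, which is why a YARA rule keyed on code and string patterns, like the one Kremez published, complements a hash-and-IP sweep rather than replacing it.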
Bleeping Computer journalists reported that the Maze operators declined to discuss the attack with them and did not claim responsibility for the Cognizant breach. Most likely the attackers are unwilling to discuss the incident so as not to complicate matters while ransom negotiations are ongoing (there have been similar precedents).
"The attackers were probably present on the Cognizant network for many weeks, gradually moving further and compromising more and more systems. Before deploying the ransomware, Maze operators always steal company files and then use the stolen information against the victims as additional leverage. So the attackers threaten to release the stolen data if the victim does not pay", note Bleeping Computer reporters.
Unfortunately, these threats cannot be called groundless: the group runs a dedicated website where it publishes the data of companies that refused to pay.