
Scammers Going After Vulnerable Users, AARP Reports Spike in Fraud Cases

Information technologies company Cognizant was the target of a cyber attack by the threat actors behind the Maze ransomware last week. Cognizant is one of the largest IT management companies, with almost 300 thousand employees and over $15 billion in revenue.

As part of the company's operations, Cognizant manages clients through agents, or end-point clients, that are installed on customer workstations to push patches and software updates and to perform remote support services. Cognizant started emailing clients last Friday, saying they were compromised. The email included a list of indicators of compromise the company found during its investigation. Clients were then able to check their own systems against this information and secure them from further attacks.

The listed information included IP addresses of servers and the file hashes for kepstl32.dll, memes.tmp, and maze.dll. The IP addresses and files were known to have been used in previous attacks by the threat actors behind the Maze ransomware. There was an unnamed file's hash as well, with no further information regarding it. TheMalwareTeam security researcher Vitali Kremez released a Yara rule that may be used to detect the Maze ransomware DLL.
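How a client might apply an indicator list of this kind, as an added example that is not part of the original article or of Cognizant's notice. The three file names come from the article; the hash and IP values are constructed placeholders, because the article does not give them, and the log format is assumed.

```python
import hashlib, re, tempfile
from pathlib import Path

# Constructed IoC bundle: the article names the indicator types, not their values.
SAMPLE_PAYLOAD = b"constructed stand-in for a malicious DLL"
IOC_SHA256 = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}  # placeholder hash
IOC_NAMES = {"kepstl32.dll", "memes.tmp", "maze.dll"}      # names from the article
IOC_IPS = {"203.0.113.7"}                                  # TEST-NET-3 placeholder
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep_files(root):
    """Return {path: 'hash' | 'name-only'} for files matching the bundle.

    A hash match survives renaming; a name match with a different hash is
    weaker evidence and is reported separately for manual review.
    """
    hits = {}
    for p in (q for q in Path(root).rglob("*") if q.is_file()):
        try:
            digest = sha256_file(p)
        except OSError:
            continue  # unreadable or locked file: skip rather than abort the sweep
        if digest in IOC_SHA256:
            hits[str(p)] = "hash"
        elif p.name.lower() in IOC_NAMES:
            hits[str(p)] = "name-only"
    return hits

def sweep_log(lines):
    """Return (line_number, ip) for every IoC address seen in the log lines."""
    found = []
    for n, line in enumerate(lines, 1):
        found += [(n, t) for t in IP_RE.findall(line) if t in IOC_IPS]
    return found

def demo():
    """Run both sweeps over constructed files and constructed log lines."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "update_helper.bin").write_bytes(SAMPLE_PAYLOAD)  # renamed sample
        (Path(d) / "memes.tmp").write_bytes(b"benign content")       # name collision
        files = {Path(k).name: v for k, v in sweep_files(d).items()}
    log = ["ALLOW tcp 10.0.0.5:49211 -> 203.0.113.7:443",
           "ALLOW tcp 10.0.0.5:49212 -> 198.51.100.9:443"]
    return files, sweep_log(log)
```
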

Maze actors deny involvement

The Maze operators denied being responsible for the attack when security researchers contacted them. In the past, Maze has been unwilling to discuss attacks or victims until negotiations ground to a halt. Because the attack is recent, Maze is again unwilling to discuss it, to avoid issues with potential ransom payments by victims.

When Cognizant made their report on the attack, they posted a statement on their website that confirmed the Maze ransomware caused the cyberattack. The company mentioned a security incident was investigated by their internal security team, helped by leading cyber defense companies. Cognizant also engaged the help of law enforcement to work on the problem. Ongoing communication with clients provided the company with indicators of compromise and other information.

Maze threat actors were likely active for weeks

The Maze operators who carried out the attack were likely present in the Cognizant network for weeks or more, according to researchers. When the ransomware operators attack a network, they usually spread inside it as quietly as possible. The aim is to steal files and credentials while avoiding detection for as long as possible. Once the attackers gain access to credentials on the network, they deploy the ransomware with the help of tools such as PowerShell Empire.

Before the ransomware is deployed, the Maze operators steal the files in unencrypted form and only then encrypt them. These files are then used to push the victims to pay a ransom, with Maze threatening to release the data on the dark web if the victims refuse to pay. The threat actors deliver on their threats, as they have a website with a 'News' section where they publish stolen data from victims who refuse to pay. Assuming Maze wasn't involved in this particular case, as they claim, it is still possible another operator stole the data.
