Cognizant was recently hit by the Maze ransomware. Maze is known for publicly shaming companies by leaking their data online until they pay a ransom, limiting the efficacy of backups in mitigating damage. The exact attack vector is still unknown, but SKOUT advises companies to implement MFA, strong endpoint protection, and audit user permissions, among other things. A full list of recommendations can be found below.
Technical detail and additional information
What is the threat?
The United States IT giant Cognizant has released an incident update confirming that they have been affected by “Maze” ransomware. The statement itself is relatively light on details and serves mostly to confirm the type of ransomware and that company is taking the necessary steps to address it. The exact vector of the attack is currently unknown, but Maze has in the past been distributed through vectors such phishing attempts, exploit kits, and brute forcing weak RDP passwords. Cognizant is hardly the first company to fall victim to ransomware, or even Maze specifically, in the recent months. If this compromise plays out similarly to previous compromises, then Cognizant will have had a huge amount of their data encrypted and stolen, and will be disseminated to a dedicated “Maze news” site or anywhere that they can be sold (or used to compromise others) for profit.
Why is this noteworthy?
Cognizant is a huge multi-national IT service provider, and a compromise of their organizational information can have dire ramifications for not only Cognizant, but also the many partners and clients that they are associated with. In previous compromises the actors behind Maze have proven they are more than willing to publicly shame any company that does not meet their demands and will list any information that is not valuable on their personal news site. As for what is done with the valuable information, the actors claim it will be sold off on the dark web, and any information that is used to cause further compromise will be noted and used to shame the original owner for not paying the ransom. This compromise comes on the heels of the alleged Maze compromise of cybersecurity insurance company “Chubb”, indicating that the actors behind Maze are active and successfully compromising large organizations on a regular basis. The Maze malware itself is quite sophisticated and possesses the ability to terminate many debugging tools used to analyze it and is capable of avoiding detection.
What is the exposure or risk?
The clearest risk to Cognizant and any organization they are associated with is the content of the stolen information. The exact nature of this information cannot be known at this time, but previous ransomware attacks have shown malicious actors can encrypt and steal information ranging from critical company financial information and trade secrets to personal information about customers. With the theft of this information not only is the brand reputation of Cognizant permanently damaged, but the potential theft of customer data could have far-reaching legal repercussions and cause untold financial damage. Aside from the damage done by the theft of the information itself, the stolen data may never be returned, or at least returned intact. Additionally worth considering are the potential further security risks that are posed to the network as it has already been compromised once, and this may have exposed it to further attacks.
What are the recommendations?
While the exact vector of the attack is unknown, there are general recommendations that can harden your environment against similar ransomware attacks:
- Have a strong password policy in place, possibly implementing multi-factor authentication (MFA) if possible.
- Have a data backup and recovery plan in place for any mission-critical information and have the most critical information stored isolated from the network. Regularly test these backups to ensure they function correctly and gauge their performance in the event of a real crisis.
- Ensure your systems are updated with the latest security patches.
- Employ the use of EDR applications, such as Cylance to ensure that any attempts at exploitation are quarantined before any damage can be done.
- Educate employees on the common vectors for phishing, which is the most common source of ransomware.
- Audit user permissions and practice the principal of least privilege, ensuring only necessary access for each user.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.