Published on April 18th, 2020

IT services giant Cognizant suffers Maze Ransomware cyber attack



Information technologies services giant Cognizant suffered a cyber attack Friday night allegedly by the operators of the Maze Ransomware, BleepingComputer has learned.

Cognizant is one of the largest IT managed services companies in the world, with close to 300,000 employees and over $15 billion in revenue.

As part of its operations, Cognizant remotely manages its clients through end-point clients, or agents, that are installed on customers' workstations to push out patches and software updates and to perform remote support services.

On Friday, Cognizant began emailing its clients, stating that it had been compromised and including a "preliminary list of indicators of compromise identified through our investigation." Clients could then use this information to monitor their systems and further secure them.

The listed IOCs included IP addresses of servers and file hashes for the kepstl32.dll, memes.tmp, and maze.dll files. All of these files are known to be used in previous attacks by the Maze ransomware actors.

There was also a hash for a new unnamed file, but there is no further information about it.

Strangely, when we contacted the Maze operators about this attack, they denied being responsible.

It is possible that an attack was conducted but failed to encrypt any devices.

BleepingComputer emailed Cognizant last night with questions related to the attack but had not heard back.

Threat actors were likely on the network for weeks

If the Maze operators conducted this attack, they were likely present in Cognizant's network for weeks, if not longer.





When enterprise-targeting ransomware operators breach a network, they slowly and stealthily spread laterally throughout the system as they steal files and credentials.

Once the attackers gain administrator credentials on the network, they will then deploy the ransomware using tools like PowerShell Empire.

If it was Maze, it must be treated as a data breach

The Maze operators always steal unencrypted files before deploying the ransomware to encrypt them.

These files are then used as further leverage to make the victim pay the ransom, as Maze will threaten to release the data if a victim does not pay.

Chubb info on Maze news site

These are not idle threats, as Maze has created a "News" site that is used to publish stolen data from non-paying victims.

If Maze was not behind the attack, as they claim, there is still a good chance that data was stolen, as that has become a standard tactic used by ransomware operators.

For this reason, all ransomware attacks must be treated as data breaches.

This is a developing story.
