Olivier Le Moal - stock.adobe.co

IT services company Cognizant warns customers after ‘Maze’ ransomware attack

US IT services company Cognizant alerts customers after the Maze ransomware group launches a cyber attack

Cognizant has warned that a cyber attack by the Maze ransomware group has hit services to some customers.

The IT services company, which has a turnover of over $16bn and operations in 37 countries, said the attack, which took place on Friday 17 April, had caused disruption for some of its clients.

Cognizant, which supplies IT services to companies in the manufacturing, financial services, technology and healthcare industries, confirmed the attack in a statement on Saturday 18 April.

Its customers include financial services companies ING and Standard Life, automotive company Mitsubishi Motors, and HR services company PeopleSoft.

The company said it was providing its clients with technical information that would allow them to detect attacks on their IT systems and to put security defences in place.

It has not disclosed which of its clients have been affected by the attack.

“Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack,” it said in the statement.

“We are in ongoing communication with our clients and have provided them with indicators of compromise (IOCs) and other technical information of a defensive nature.”

Cognizant said in a regulatory filing that the attack may result in a loss of revenue and incremental costs that may adversely impact its financial results.

Managed service providers

Ransomware groups frequently target managed service providers (MSPs), which provide services to other businesses, to exert maximum pressure on them to pay ransom demands quickly.

The attack is the latest in a string of cyber attacks by the Maze ransomware group against businesses. It struck Chubb Insurance and medical research company Hammersmith Medicines Research in March.

The Maze group attempts to blackmail its victims by demanding a ransom payment to decrypt files in a company’s computer systems and threatening to publish confidential files stolen from the company’s computer systems unless its demands are met. The group regularly publishes confidential data stolen from companies on internet forums.

According to a report in the Times of India, Cognizant CEO Brian Humphries wrote to employees saying there was no evidence that the ransomware that impacted Cognizant’s IT systems had infected its clients’ networks.

“While this is a fluid situation, we see no evidence that the ransomware that’s impacted some of our systems is propagating to client environments,” Humphries said in a note quoted by the paper.

“Although we are still in the early stages of responding to this attack, I am confident we will successfully make our way through this cyber incident. It may be slim consolation, but we are not alone in being victims. Sophisticated ransomware attackers have successfully penetrated many other companies this year, including banks, defence contracting firms and professional service firms,” he said.

Software vulnerabilities

The Maze hacking group relies on Exploit kits, which contain software designed to attack known software vulnerabilities to penetrate company defences.

The hacking group has also used phishing emails to deliver malware to employees who may be tricked into downloading malicious software.

Cognizant has not disclosed how the attackers were able to access its systems.

Analysis by security company Bad Packets on 1 January 2020 identified five devices with Citrix vulnerability in Cognizant’s Trizetto healthcare solutions group in the US.

According to a security advisory notice, exploits were available that could have allowed attackers to execute arbitrary code on computer systems with the vulnerability. Cognizant had fixed the issued by 14 February.

The Maze group has denied responsibility for the incident, according to Bleeping Computer, which first reported the attack.

However, according to the Bleeping Computer report, the IP addresses of servers and hashes of files shared by Cognizant with its customers have been used in previous Maze ransomware attacks.

Brett Callow, a threat analyst at Emsisoft, said the Maze group was nevertheless likely to be responsible for the attack.

Research by Chainanalysis Insights shows that companies’ willingness and ability to pay ransom fees to cyber criminal groups has fallen significantly during the Covid-19 coronavirus crisis.

“I suspect the denial is simply a case of the criminals taking a more softly-softly approach and enabling their victims to set the schedule for the release of information,” said Callow.

He said that if Maze had taken customer data from Cognizant, its clients may be at risk of fraud or cyber attack.

“If customer data were exfiltrated during the attack, it’s possible that those customers could be targets for spear phishing attacks, business email compromise (BEC) scams or other forms of fraud, so Cognizant has absolutely done the right thing in notifying them promptly,” he said.

The IT services company said in statement on Saturday that its internal security teams and leading cyber defence companies were responding to the attack. “Cognizant has also engaged with the appropriate law enforcement authorities,” it said.

Update: Maze attacks multiple US insurance companies

The Maze cyber crime group last night  (21 April) published confidential internal documents stolen from multiple US insurance companies after launching ransomware attacks on 14 April.

The companies impacted are the Tennessee based insurance companies: US Administrator Claims, Madison Insurance Group, Cornerstone Underwriting Partners, AIC Underwriters and Jackson Plaza.

Other companies hit by the attack are Applied Underwrites in Omaha and American Builders Insurance Company in Alabama.

Next Steps

Engineering firm thwarts ransomware attack with Nasuni

Read more on Data breach incident management and recovery