BleepingComputer discovered that Cognizant, a large IT managed services provider, suffered a cyberattack last Friday night, allegedly carried out by the Maze ransomware operators.
Cognizant is one of the biggest IT managed services companies in the world, with close to 300,000 employees and over $15 billion in revenue.
As part of its services, Cognizant remotely manages its clients through endpoint clients, or agents, installed on customers' workstations to push out patches and software updates and to perform remote support.
Cognizant began emailing its clients on Friday, stating that it had been compromised, and attached a "preliminary list of indicators of compromise identified through our investigation." Clients could then use this data to check their own systems and secure them further.
The listed IOCs consisted of IP addresses of servers and file hashes for the kepstl32.dll, memes.tmp, and maze.dll files. These IP addresses and files have been seen in past attacks by the Maze ransomware actors. There was also a hash for a new, unnamed file, but nothing further has been reported about it.
Security researcher Vitali Kremez has published a YARA rule that can be used to identify the Maze ransomware DLL.
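The kind of check a client would run against such a list, as an added example that is not part of the original article: sweep a directory tree, hash every file with SHA-256, and report matches against the file names and hashes the notification supplied. The hash values and the sample files below are constructed placeholders, not Cognizant's real indicators.

```python
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Names quoted in the notification; hashes are stand-in placeholders
# because the real values are not reproduced here.
IOC_FILE_NAMES = {"kepstl32.dll", "memes.tmp", "maze.dll"}
IOC_SHA256 = {"PLACEHOLDER_SHA256_FOR_KEPSTL32_DLL", "PLACEHOLDER_SHA256_FOR_MAZE_DLL"}


@dataclass(frozen=True)
class Hit:
    path: str
    reasons: tuple   # any of "name", "sha256"
    sha256: str


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, ioc_names=IOC_FILE_NAMES, ioc_hashes=IOC_SHA256):
    """Return one Hit per file whose name or SHA-256 is on the IOC list."""
    names = {n.lower() for n in ioc_names}
    hashes = {h.lower() for h in ioc_hashes}
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        try:
            digest = sha256_of(p)
        except OSError:        # unreadable file: skip rather than abort the sweep
            continue
        reasons = []
        if p.name.lower() in names:
            reasons.append("name")
        if digest in hashes:
            reasons.append("sha256")
        if reasons:
            hits.append(Hit(str(p), tuple(reasons), digest))
    return hits


def run_demo():
    """Constructed sample tree: one name match, one hash match, one benign file."""
    root = Path(tempfile.mkdtemp())
    (root / "maze.dll").write_bytes(b"constructed sample, not malware")
    (root / "empty.bin").write_bytes(b"")     # SHA-256 of empty input is well known
    (root / "benign.txt").write_bytes(b"hello")
    empty_hash = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    return sweep(root, ioc_hashes={empty_hash})
```

Matching on file name alone is weak evidence (renaming defeats it), so a name hit should prompt a hash check and triage rather than be treated as confirmation on its own.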
When we contacted the Maze operators about this attack, they denied responsibility. In the past, Maze has been reluctant to discuss attacks or victims until negotiations stall. As this attack is very recent, Maze is likely staying quiet to avoid complicating what they hope will be a ransom payment.
If the Maze operators carried out this attack, they were likely already inside Cognizant's network for weeks, if not longer. When enterprise-targeting ransomware operators breach a network, they gradually and stealthily move laterally through it, stealing files and harvesting credentials as they go. Only then do they deploy the ransomware, using tools such as PowerShell Empire.
Before deploying the ransomware, the Maze operators routinely steal unencrypted files before encrypting them. These files are then used as additional leverage to make the victim pay, as Maze threatens to publish the data if the victim does not.
These are not idle threats: Maze has set up a "News" site that is used to publish data stolen from non-paying victims.
Even if Maze was not behind the attack, as they claim, there is still a good possibility that data was stolen, since data theft has become a standard tactic for ransomware operators. For this reason, all ransomware attacks must be treated as data breaches.