Cognizant manages its customers on a remote basis through end-clients or agents installed on workstations, to move updates, upgrade software and provide remote support services. On Friday, Cognizant sent an e-mail to its customers announcing their vulnerability and offering a ‘preliminary list of vulnerability indicators found through our survey,’ which will then be used by customers to track and further protect their systems. The identified IOCs included IP addresses of the kepstl32.dll, memes.tmp, and maze.dll server and file hackers. Such IP addresses and files are known to be used by Maze ransomware actors during previous attacks. There was also a hash for a new unnamed file, but no more details. Vitali Kremez has published a Yara rule that can be used to detect Maze Ransomware DLL on security study. If the Maze operators have been approached for this attack, they refuse to be responsible. During the past, Maze was unable to address attacks or victims until the talks ended. Because this assault is very new, Maze probably won’t discuss it to prevent repercussions about what he hopes could be a ransom payment. Upon reporting on this assault, Cognizant posted on their website a statement stating that Maze Ransomware was the cyber attack. If the Maze operators carried out this assault, then they were possibly present in the Cognizant network for weeks, if not longer. As company-targeting ransomware operators breach a network, they spread gradually and steadily through the entire system while stealing data and stealing credentials. After the attackers obtain the administrative credentials on the network, they use tools like PowerShell Empire to deploy the ransomware. The Maze operators often steal unencrypted files by using ransomware by encrypting them. Instead, these files are used to make the victim pay the ransom because Maze threatens to reveal details if a victim doesn’t pay. Those aren’t frivolous threats because Maze created a “News site,” which is used to publish stolen data from non-paying victims. If Maze wasn’t behind the attack because they claim, the odds are the data is taken as it has become a common technique used by ransomware operators.
Reviewing & mitigating against the usual Maze TTPs (including RDP + remote services as an attack vector) is advisable. ✅Pushed #YARA↘️https://t.co/qcUY464fSf pic.twitter.com/z2zHL5apkm — Vitali Kremez (@VK_Intel) April 18, 2020 If the Maze operators have been approached for this attack, they refuse to be responsible. During the past, Maze was unable to address attacks or victims until the talks ended. Because this assault is very new, Maze probably won’t discuss it to prevent repercussions about what he hopes could be a ransom payment. Upon disclosing this attack, Cognizant released a statement on its website stating that Maze Ransomware was involved in this cyber attack: The Maze operators often steal unencrypted files by using ransomware by encrypting them. Our internal security teams, supplemented by leading cyber defense firms, are actively taking steps to contain this incident. Cognizant has also engaged with the appropriate law enforcement authorities. We are in ongoing communication with our clients and have provided them with Indicators of Compromise (IOCs) and other technical information of a defensive nature. Instead, these files are used to make the victim pay the ransom because Maze threatens to reveal details if a victim doesn’t pay. Those are not empty attacks, because Maze has developed a “news” platform which is used to publish the robbed data of non-paying victims. If Maze hasn’t been behind the attack because they say there is still a fair chance that information has been stolen, as it has become a common technique used by ransomware operators.
