With Cognizant attack, Maze ransomware finds its way into IT services supply chain

The Maze ransomware is an expert at bamboozling its victims — even Fortune 500 companies.

Maze hit IT services provider Cognizant last week, but it's likely the malware was lurking in the networks for weeks.

For Cognizant's clients — including five of the top 10 information services companies in the world and 30 of the global pharmaceutical companies — a ransomware attack is a worst case scenario for those with weak supply chain security management.

Defending against one strain of ransomware is defending against all of them; it's done by eliminating outdated software or education on phishing. However, compatibility issues challenge software updates.

"Internet Explorer has been jettisoned by the vast majority of organizations in favor of Chrome, Firefox, and Edge," Vinay Sridhara, CTO at Balbix, told CIO Dive. But every company has — and will always have — remnants of old applications.

Clients of Cognizant have a role to play too. Depending on the severity of breached data or systems, law enforcement and privacy watchdogs will question how companies vet their providers or perform due diligence.

Companies have to be prepared to answer:

How many services do they outsource? Where is the service provider located?
What security agreements exist between the customer and the service provider? Where do other subcontractors fit into security?
Does the service provider have enough resources to implement a cybersecurity supply chain program?
What does the vendor's continuous threat monitoring program look like?

Companies should also consider using the "3-2-1 rule," Sam Roguine, director at Arcserve, told CIO Dive. The rule is "keeping at least three copies of data, stored in two in different locations, with one being located offsite."

Maze's calling card is ransomware coupled with a data breach. "What makes Maze so unique is that they are one of the few groups following through on threats to publish data they encrypt and extort if ransoms aren't paid," according to Roguine.

While an investigation is underway, there's no way of knowing whether Maze's operators will publish stolen files. The liability of a data breach is dangling over Cognizant and its clients.

"If an organization has shared data with a vendor breached by Maze, the data has already left that vendor's network and is now in somebody else's hands," Sridhara said.

In an internal memo to employees, Cognizant CEO Brian Humphries said there is no evidence suggesting Maze is "propagating to client environments," reported The Times of India.

Companies with weak supply chain security management could be brought to their knees during an incident. Clients of Cognizant are "protected" by issues with vendors through non-disclosure agreements, but a piece of paper is "impossible to defend oneself against a cyberattack on a partner on their own," Evgeny Gnedin, head of Information Security Analytics at Positive Technologies, told CIO Dive.

Into the Maze

Maze is a complex piece of malware stumping IT companies, medical companies, cities, and everything in between.

Exploit kits — Fallout and Spelevo are the most used — simplify how bad actors target a system riddled with possible exploits. The most common kit used for propagating Maze is leveraging critical or high severity CVEs dating back to 2018, according to Sridhara.

The FBI issued a warning for U.S. companies regarding Maze in January, after the ransomware targeted Pensacola, Florida in December. "From its initial observation, Maze used multiple methods for intrusion, including the creation of malicious look-a-like cryptocurrency sites and malspam campaigns impersonating government agencies and well-known security vendors," according to the alert, obtained by CyberScoop.

Researchers have determined the ransomware drops tricks throughout its infection. "The malware starts preparing some functions that appear to save memory addresses in global variables to use later in dynamic calls though it does not actually use these functions later," according to McAfee.

The malware moves onto "debugger" detection by using the "IsDebuggerPresent" process environment block field, according to McAfee. If the malware finds a debugger, it remains "in an infinite loop without making anything while wasting system resources."

For each process, the malware creates custom names, algorithms associated with them, and a hash. "If the hash is found in this list the process will be terminated."

Eventually, Maze creates a lock or mutex to look for whether or not it can access the system's mutex: ERROR_ACCESS_DENIED or ERROR_ALREADY_EXISTS. Either error keeps the malware in execution but stops short of "crypting" files and reports using none of the processor.

When Maze encrypts files, it infiltrates it simultaneously, according to Sridhara. It is a signature move of the operators; hold onto valuable data to publicly publish online later.

The malware can ride out "vaccines," evolving regularly to avoid deterrents. Eventually Maze moves to deleting shadow copy, or backups before and after "crypting" files.

Now is when the operators behind Maze show their skill. The malware is able to outsmart antivirus programs.

Antivirus protection is used for widespread attacks, not for the ones designed specifically for a targeted entity, said Gnedin. "An integrated approach is needed for protection."

By the time the ransom note is prepared, the hackers have the RSA private key BLOB for decrypting the public RSA key BLOB.

It's "nearly impossible to prepare for one specific strain of ransomware," said Roguine, as other "gangs" might find their own flavor of attack depending on the target.