Cognizant: Some Employee Email Access Lost After Maze Attack

In a statement to CRN, the company said employees are maintaining contact with clients through ‘a number of communications channels.’


Cognizant’s internal directory was deleted during the Maze ransomware attack, leading to a communications loss inside and outside the company, preventing some workers from contacting customers, according to a source.

Following the attack, the software the solution provider used to communicate across its system was cut off, leaving sales teams with no means of contacting customers, and customers with no means of contacting sales teams, the source said.

When asked about the deletion of the internal directory, Cognizant told CRN the communications problems were limited to a “small percentage of associates.”


“We cannot comment in detail, but we can say that while a small percentage of associates on a legacy email system have their access restricted, we have maintained contact with our clients and prospective clients through a number of communications channels,” the company said.

[RELATED: Cognizant Breach: 10 Things To Know About Maze Ransomware Attacks]

One of the challenges has to do with keeping communications open between the parent company and a number of recent acquisitions that Cognizant has made, the source said.

“Cognizant acquired a multitude of different companies,” the source said. “Typically, they want to integrate the system so that Cognizant or the parent company always has visibility as far as what is going on in there with the persons they have on site … That system has been completely cut off with the ransomware.”

The Teaneck, N.J.-based solution provider, a $16 billion-a-year revenue behemoth and No. 6 on the 2019 CRN Solution Provider 500, has been reeling from a Maze ransomware attack on itself and its customers. Maze poses a greater threat than traditional ransomware because it not only encrypts data and locks users out of their network, but also steals the data on the network and threatens to publish it online if a ransom isn’t paid.

After the success of Maze, copycats have pounced on the idea. The criminal groups that use Sodinokibi and the ones that use Ragnar Locker have each managed to deploy their own versions of the tactic, Kyle Hanslovan, CEO of Huntress Labs, told CRN.

“They say ‘I don’t care that you have a backup for your data, because this isn’t a play about getting your data back. This is about whether I go public and smear your company. I’m not holding your data for ransom. I’m holding your reputation for ransom.’ That’s a key difference,” Hanslovan said.

The sorts of victim data that have been released on hacker forums include full P&L statements, margins, gross profit calculators, executive salaries and bonuses, and lists of potential M&A targets.

“I don’t think the Maze team is innovative just for the idea that they one upped the game,” Hanslovan said. “They set the tone for all these other actors to follow. They’re a thought leader in the most negative sense.”

Hanslovan, who has years of experience securing Department of Defense networks and now works with companies to prevent and recover from ransomware attacks, said Cognizant is likely worried about the customers who have been impacted as well as its own systems. He said the critical piece of information, how the attackers got in, will likely take time to determine.

“I bet they still might not know how they got in. Not because they’re bad at their job, most of the time these hackers will destroy their logs,” Hanslovan said. “You can imagine everyone is a lot happier when they know. Sometimes, we’ve had incidents, where MSPs discover other security vulnerabilities that likely weren’t exploited. We often see MSPs come out better than ever. In this incident, the Cognizant team is probably triaging like we would do combat triage. I respond to the people who are most likely to get back up and running first, or the most likely to get back into the fight.”

In terms of what that looks like, Hanslovan said the security response likely started by mapping the outbreak to see where it had spread.

“The hardest part of those incidents is in the first hour can you tell which customers are infected? And in the first 24 hours can you identify which computers are infected? I can think of (only) one (company) in the last four years where that was the case and they were able to do that. I think that’s probably what would happen in the first 24 hours.”

He said in the next phase, the team will probably break into two groups.

“Part of the incident response team is preserving logs and forensics, trying to figure out how they got in, meanwhile the other half of the team is solely focused on recovery,” he said. “The forensics people, the people who are going through all those logs, they’re just trying to figure out first and foremost, are the hackers still in the network? How do we get them out of the network? How bad is the battle damage assessment?”

From there the process moves to customer recovery, with the company likely helping its customers recover their systems, while also providing indicators of compromise to other customers, as well as to federal authorities to help prevent future outbreaks.
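The outbreak-mapping and triage steps described above (which customers are affected in the first hour, which machines in the first 24 hours, and which customers to restore first) can be reduced to a small correlation job over endpoint telemetry. The following is an added example written for this page; it is not code from Cognizant, Huntress Labs or the article. The indicators of compromise, the telemetry records and the per-customer business profile are all constructed placeholders, not indicators attributed to Maze or to this incident, and the `revenue_tier`/`restore_hours` weighting is a hypothetical stand-in for whatever priority an organisation actually assigns.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed indicators of compromise (IOCs) for this example. They are
# placeholders, not indicators attributed to Maze or to the Cognizant incident.
HYPOTHETICAL_HASH = "a" * 64
IOCS = {
    "sha256": {HYPOTHETICAL_HASH},                 # hypothetical payload hash
    "filename": {"READ-ME-TO-RESTORE.txt"},        # hypothetical ransom note name
    "domain": {"update-check.example.invalid"},    # hypothetical C2 hostname
}

# Which telemetry event type is compared against which IOC type.
EVENT_TO_IOC = {"file_write": "filename", "process_hash": "sha256", "dns_query": "domain"}

# Constructed endpoint telemetry, one record per line:
# timestamp|customer|host|event|value
TELEMETRY = [
    "2020-04-17T01:02:03Z|acme|acme-fs01|file_write|READ-ME-TO-RESTORE.txt",
    f"2020-04-17T01:05:10Z|acme|acme-ws07|process_hash|{HYPOTHETICAL_HASH}",
    "2020-04-17T01:06:00Z|acme|acme-ws07|dns_query|update-check.example.invalid",
    "2020-04-17T01:09:42Z|globex|globex-db01|dns_query|update-check.example.invalid",
    "2020-04-17T01:10:00Z|globex|globex-ws02|file_write|quarterly-report.xlsx",
    "2020-04-17T01:11:30Z|initech|initech-ws11|process_hash|" + "b" * 64,
]

# Constructed per-customer business context used for triage. In practice this
# comes from the account team, not from telemetry. Tier 1 = most revenue.
CUSTOMER_PROFILE = {
    "acme": {"revenue_tier": 1, "restore_hours": 48},
    "globex": {"revenue_tier": 2, "restore_hours": 8},
    "initech": {"revenue_tier": 3, "restore_hours": 4},
}


def parse_line(line: str) -> Dict[str, str]:
    """Split one telemetry record; reject lines that do not have five fields."""
    fields = line.strip().split("|")
    if len(fields) != 5:
        raise ValueError(f"malformed telemetry record: {line!r}")
    timestamp, customer, host, event, value = fields
    return {"timestamp": timestamp, "customer": customer, "host": host,
            "event": event, "value": value}


def match_ioc(record: Dict[str, str]) -> Optional[str]:
    """Return the IOC type the record matches, or None if it looks benign."""
    ioc_type = EVENT_TO_IOC.get(record["event"])
    if ioc_type and record["value"] in IOCS[ioc_type]:
        return ioc_type
    return None


def map_outbreak(lines: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """Build {customer: {host: [matched IOC types]}} from raw telemetry."""
    hits: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for line in lines:
        record = parse_line(line)
        ioc_type = match_ioc(record)
        if ioc_type:
            hits[record["customer"]][record["host"]].add(ioc_type)
    return {c: {h: sorted(kinds) for h, kinds in hosts.items()} for c, hosts in hits.items()}


def affected_customers(outbreak: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """The first-hour question: which customers show any infected host?"""
    return sorted(outbreak)


def affected_hosts(outbreak: Dict[str, Dict[str, List[str]]]) -> List[Tuple[str, str]]:
    """The first-24-hours question: which individual machines are infected?"""
    return sorted((c, h) for c, hosts in outbreak.items() for h in hosts)


def triage_order(outbreak: Dict[str, Dict[str, List[str]]],
                 profile: Dict[str, Dict[str, int]]) -> List[str]:
    """Order affected customers by revenue criticality, then by how quickly they
    can be restored. This lexical ordering is a placeholder for the business
    weighting an organisation would actually apply."""
    return sorted(affected_customers(outbreak),
                  key=lambda c: (profile[c]["revenue_tier"], profile[c]["restore_hours"]))


if __name__ == "__main__":
    outbreak = map_outbreak(TELEMETRY)
    print("affected customers:", affected_customers(outbreak))
    print("affected hosts:", affected_hosts(outbreak))
    print("triage order:", triage_order(outbreak, CUSTOMER_PROFILE))
```

Two design points carry over to a real response. First, the match is done per event type rather than as a free-text search, so a hash never matches a filename field and a single benign record (the `quarterly-report.xlsx` write above) does not pull a clean host into the outbreak. Second, the telemetry is read without being modified, so the same records remain intact for the forensics half of the team while the recovery half works from the rolled-up views.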

“Let us give you as much information as possible to show that this is not our fault so we can help you process your claim efficiently. That’s part of the transparency where a company wants to help their customers,” Hanslovan said. “They probably know what customers are affected. They probably know which computers are affected. They’re probably doing a Venn diagram right now: what are the customers that are most critical, both to our revenue and to our ability to get them up quick? What are the revenue impacts going to be? Who is most likely to litigate? If you think about that overlap, that’s probably who you triage first.”