[BreachExchange] Canon hit by Maze Ransomware attack, 10TB data allegedly stolen

[Destry Winant]

https://www.bleepingcomputer.com/news/security/canon-hit-by-maze-ransomware-attack-10tb-data-allegedly-stolen/

Canon has suffered a ransomware attack that impacts numerous services,
including Canon's email, Microsoft Teams, USA website, and other
internal applications.

BleepingComputer has been tracking a suspicious outage on Canon's
image.canon cloud photo and video storage service resulting in the
loss of data for users of their free 10GB storage feature.

The image.canon site suffered an outage on July 30th, 2020, and over
six days, the site would show status updates until it went back in
service yesterday, August 4th.

However, the final status update was strange as it mentions that while
data was lost, "there was no leak of image data."  This led
BleepingComputer to believe there was more to the story and that they
suffered a cyberattack.

Image.canon outage notice
Source: BleepingComputer

When we contacted Canon about this outage, they referred us to the
notice on the image.canon site.

If you work at Canon or know someone working there with first-hand
information on this incident, you can confidentially contact us on
Signal at +16469613731.

Canon suffers ransomware attack

Today, a source contacted BleepingComputer and shared an image of a
company-wide notification titled "Message from IT Service Center" that
was sent at approximately 6 AM this morning from Canon's IT
department.

This notification states that Canon is experiencing "wide spread
system issues affecting multiple applications, Teams, Email, and other
systems may not be available at this time."

Notice from Canon's IT department
Source: BleepingComputer

As part of this outage, Canon USA's website is now displaying errors
or page not found errors when visited.

Canon USA website is down
Source: BleepingComputer

The list of Canon domains that appear to be affected by this outage, include:

www.canonusa.com
www.canonbroadcast.com
b2cweb.usa.canon.com
canondv.com
canobeam.com
canoneos.com
bjc8200.com
canonhdec.com
bjc8500.com
usa.canon.com
imagerunner.com
multispot.com
canoncamerashop.com
canoncctv.com
canonhelp.com
bjc-8500.com
canonbroadcast.com
imageland.net
consumer.usa.canon.com
bjc-8200.com
bjc3000.com
downloadlibrary.usa.canon.com
www.cusa.canon.com
www.canondv.com

Since then, BleepingComputer has obtained a partial screenshot of the
alleged Canon ransom note, which we have been able to identify as from
the Maze ransomware.

Partial Maze ransomware note
Source: BleepingComputer

Maze claims to have stolen 10TB of data from Canon

After contacting the ransomware operators, BleepingComputer was told
by Maze that their attack was conducted this morning when they stole
"10 terabytes of data, private databases etc" as part of the attack on
Canon.

Maze declined to share any further info about the attack including the
ransom amount, proof of stolen data, and the amount of devices
encrypted.

While we first thought that the image.canon outage was related to the
ransomware attack, Maze has told us that it was not caused by them.

Maze is an enterprise-targeting human-operated ransomware that
compromises and stealthily spreads laterally through a network until
it gains access to an administrator account and the system's Windows
domain controller.

During this process, Maze will steal unencrypted files from servers
and backups and upload them to the threat actor's servers.

Once they have harvested the network of anything of value and gain
access to a Windows domain controller, Maze will deploy the ransomware
throughout the network to encrypt all of the devices.

If a victim does not pay the ransom, Maze will publicly distribute the
victim's stolen files on a data leak site that they have created.

Maze has claimed responsibility for other high-profile victims in the
past, including LG, Xerox, Conduent, MaxLinear, Cognizant, Chubb, VT
San Antonio Aerospace, the City of Pensacola, Florida, and more.

In a statement to BleepingComputer, Canon says they are "currently
investigating the situation."

This is a developing story and will be updated as more information is available.

Update 8/5/20: Article updated to reflect that the image.canon outage
was not related to the Maze ransomware attack.