[BreachExchange] IT Services Giant Conduent Suffers Ransomware Attack, Data Breach

Destry Winant destry at riskbasedsecurity.com
Fri Jun 5 10:27:42 EDT 2020


Customer data leaked to Dark Web

Conduent, a $4.4 billion by revenue (2019) IT services giant, has
admitted that a ransomware attack hit its European operations — but
says it managed to restore most systems within eight hours.

Conduent, which says it provides services (including HR and payments
infrastructure) for “a majority of Fortune 100 companies and over 500
governments”, was hit on Friday, May 29.

“Conduent’s European operations experienced a service interruption on
Friday, May 29, 2020. Our system identified ransomware, which was then
addressed by our cybersecurity protocols.

“This interruption began at 12.45 AM CET on May 29th with systems
mostly back in production again by 10.00 AM CET that morning, and all
systems have since then been restored,” said spokesman Sean Collins.

He added: “This resulted in a partial interruption to the services
that we provide to some clients. As our investigation continues, we
have on-going internal and external security forensics and anti-virus
teams reviewing and monitoring our European infrastructure.”

Conduent Ransomware Attack: Maze Posts Stolen Data

The company did not name the ransomware type or intrusion vector, but
the Maze ransomware group has posted stolen Conduent data including
apparent customer audits to its Dark Web page.

Security researchers at Bad Packets say Conduent, which employs 67,000
globally, was running unpatched Citrix VPNs for “at least” eight
weeks. (An arbitrary code execution vulnerability in Citrix VPN
appliances, known as CVE-2019-19781, has been widely exploited in the
wild by ransomware gangs.)

In early January Bad Packets identified nearly 10,000 vulnerable hosts
running the unpatched VPN in the US and over 2,000 in the UK. Citrix
pushed out firmware updates on January 24.

Military, federal, state, and city government agencies
Public universities and schools
Hospitals and healthcare providers
Electric utilities and cooperatives
Major financial and banking institutions
Numerous Fortune 500 companies

The malware used by Maze is a 32-bit binary, usually packed as an EXE
or a DLL file, according to a March 2020 McAfee analysis, which noted
that the Maze ransomware can also terminate debugging tools used to
analyse its behaviour, including the IDA debugger, x32dbg, OllyDbg and
other processes, “to avoid dynamic analysis… and security tools”.

Cyber criminals have largely moved away from “spray and pray”-style
attacks on organisations to more targeted intrusions, exploiting weak
credentials, unpatched software, or using phishing. They typically sit
in a network gathering data to steal and use to blackmail their
victims before actually triggering the malware that locks down

The attack follows hot on the heels of another successful Maze breach
of fellow IT services firm Cognizant in April.

Law enforcement and security professionals continue to urge companies
to improve basic cyber hygiene, from introducing multi-factor
authentication (MFA), to ensuring regular system patching.
