
IT Services Giant Conduent Suffers Ransomware Attack, Data Breach

Customer data leaked to Dark Web

By CBR Staff Writer

Conduent, an IT services giant with $4.4 billion in revenue (2019), has admitted that a ransomware attack hit its European operations, but says it managed to restore most systems within eight hours.

Conduent, which says it provides services (including HR and payments infrastructure) for “a majority of Fortune 100 companies and over 500 governments”, was hit on Friday, May 29.

“Conduent’s European operations experienced a service interruption on Friday, May 29, 2020. Our system identified ransomware, which was then addressed by our cybersecurity protocols.

“This interruption began at 12.45 AM CET on May 29th with systems mostly back in production again by 10.00 AM CET that morning, and all systems have since then been restored,” said spokesman Sean Collins.

He added: “This resulted in a partial interruption to the services that we provide to some clients. As our investigation continues, we have on-going internal and external security forensics and anti-virus teams reviewing and monitoring our European infrastructure.”

Conduent Ransomware Attack: Maze Posts Stolen Data

The company did not name the ransomware type or intrusion vector, but the Maze ransomware group has posted stolen Conduent data including apparent customer audits to its Dark Web page.

Security researchers at Bad Packets say Conduent, which employs 67,000 globally, was running unpatched Citrix VPNs for “at least” eight weeks. (An arbitrary code execution vulnerability in Citrix VPN appliances, known as CVE-2019-19781, has been widely exploited in the wild by ransomware gangs.)


In early January Bad Packets identified nearly 10,000 vulnerable hosts running the unpatched VPN in the US and over 2,000 in the UK. Citrix pushed out firmware updates on January 24. Organisations found running vulnerable hosts included:

  • Military, federal, state, and city government agencies
  • Public universities and schools
  • Hospitals and healthcare providers
  • Electric utilities and cooperatives
  • Major financial and banking institutions
  • Numerous Fortune 500 companies


The malware used by Maze is a 32-bit binary, usually packed as an EXE or a DLL file, according to a March 2020 McAfee analysis, which noted that the Maze ransomware can also terminate debugging tools used to analyse its behaviour, including the IDA debugger, x32dbg, OllyDbg and other processes, “to avoid dynamic analysis… and security tools”.
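The anti-analysis behaviour described above leaves a footprint a defender can look for: one process terminating several debuggers in quick succession. The following is an added example, not code from the article, McAfee or Conduent. It runs a simple detector over constructed process-termination log lines in a made-up format; the executable names for the tools the article mentions are assumptions, and the threshold of two distinct tools per process is a design choice to keep a user closing a single debugger from raising an alert.

```python
"""Added example: flag processes that terminate multiple analysis tools.

The log format and every sample line below are constructed for this example.
"""
import re
from collections import defaultdict

# Executable names for the tools the article says Maze terminates (assumed names).
ANALYSIS_TOOLS = {"ida.exe", "ida64.exe", "x32dbg.exe", "x64dbg.exe", "ollydbg.exe"}

# Constructed log format: timestamp, host, acting pid, acting image, action, target process.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) "
    r"action=(?P<action>\w+) target=(?P<target>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["target"] = event["target"].lower()
    return event


def find_anti_analysis(lines, min_tools=2):
    """Group terminate events by acting process and alert when it has killed
    at least `min_tools` distinct analysis tools."""
    by_proc = defaultdict(lambda: {"tools": set(), "first": None})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "terminate":
            continue
        if ev["target"] not in ANALYSIS_TOOLS:
            continue
        key = (ev["host"], ev["pid"], ev["image"])
        rec = by_proc[key]
        rec["tools"].add(ev["target"])
        rec["first"] = rec["first"] or ev["ts"]

    alerts = []
    for (host, pid, image), rec in by_proc.items():
        if len(rec["tools"]) >= min_tools:
            alerts.append({
                "host": host,
                "pid": int(pid),
                "image": image,
                "first_seen": rec["first"],
                "tools": sorted(rec["tools"]),
            })
    return alerts


# Constructed sample: one process kills three debuggers; a user closes one; noise lines.
SAMPLE_LOG = [
    r"2020-05-29T00:47:12Z host=EU-SRV01 pid=4120 image=C:\Users\svc\AppData\Roaming\update.exe action=terminate target=x32dbg.exe",
    r"2020-05-29T00:47:12Z host=EU-SRV01 pid=4120 image=C:\Users\svc\AppData\Roaming\update.exe action=terminate target=ollydbg.exe",
    r"2020-05-29T00:47:13Z host=EU-SRV01 pid=4120 image=C:\Users\svc\AppData\Roaming\update.exe action=terminate target=ida64.exe",
    r"2020-05-29T00:48:05Z host=EU-SRV01 pid=1532 image=C:\Windows\explorer.exe action=terminate target=x32dbg.exe",
    r"2020-05-29T00:48:30Z host=EU-WS07 pid=2200 image=C:\Windows\notepad.exe action=create target=notes.txt",
    "this line is malformed and should be ignored",
]

if __name__ == "__main__":
    for alert in find_anti_analysis(SAMPLE_LOG):
        print(alert)
```

In a real environment the input would come from an EDR or Sysmon process-access feed rather than a constructed format, and the tool list would be tuned to what analysts actually run on the estate; the grouping-by-actor logic stays the same.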

Cyber criminals have largely moved away from “spray and pray”-style attacks on organisations to more targeted intrusions, exploiting weak credentials, unpatched software, or phishing. They typically sit in a network gathering data to steal and use to blackmail their victims before actually triggering the malware that locks down endpoints.

The attack follows hot on the heels of another successful Maze breach of fellow IT services firm Cognizant in April.

Law enforcement and security professionals continue to urge companies to improve basic cyber hygiene, from introducing multi-factor authentication (MFA), to ensuring regular system patching.

