Conduent, a Fortune 500 company with US$ 4 billion in revenue last year, provides human resources and payments infrastructure for many, if not the majority, of the Fortune 100 companies and for 500 government agencies around the world. It is recognized as a tech giant, employing more than 70,000 people worldwide, and is regarded as one of the largest Business Process Outsourcing and Information Technology service providers internationally.
Despite all the technological services they provide, they were still hit by a ransomware attack that crippled some of their processing operations in Europe, which they managed to counteract and restore within 12 hours.
Conduent's security team in its European offices detected a service disruption in the early morning of Friday, May 29th. They immediately had their IT and security teams address the affected network services. Just a few hours later, around midday that same day, another service disruption occurred. The IT and security teams were again quick to respond, and with their cybersecurity protocols in place they restored the services within a few hours. Further investigation by the security team revealed that the disruptions were caused by ransomware.
Conduent didn’t disclose the name or type of ransomware that infiltrated their networks.
However, just a few hours after the last intrusion took place, security researchers found several data and customer audits belonging to the tech giant posted on the Dark Web. The group responsible for the post is the Maze Ransomware Group.
According to analysis and investigation by several security firms, the ransomware group used a 32-bit binary delivered either as an executable (.EXE) or as a dynamic link library (.DLL) file. They report that the package is sophisticated enough to disable any debugger tool (OllyDbg, IDA, x32dbg, etc.) used to examine its components and behavior. Ransomware has evolved toward targeted intrusions: exploiting vulnerabilities, lurking in the network, and running phishing campaigns in the background before the actual malware package is triggered to encrypt the data it intends to lock.
According to security experts, the tech giant had been running unpatched Citrix VPN (Virtual Private Network) appliances for more than two months. The flaw, widely known as CVE-2019-19781 and actively used by hackers and ransomware groups, is a code execution vulnerability in Citrix VPN appliances. In the United States and the United Kingdom alone, a total of 15,000 devices or hosts were identified as unpatched. The affected hosts belong to every one of the sectors below:
- Federal, State, and City Government Firms
- Public Schools, Universities, and other Advanced Learning Institutions
- Essential Utility Providers (Water, Gas, Electricity)
- Small and Medium Businesses and Cooperatives
- Military and other Major Government Agencies
- Large Banking and other Financial Firms
- Fortune 500 Companies
Governments and law enforcement agencies continue their campaigns to warn the public and provide the necessary cybersecurity information. Regular machine checks and network maintenance, coupled with timely system updates and patching, help prevent attacks from hackers and other cyber threats.