IT staffing solutions and services provider Collabera recently suffered a ransomware attack in which hackers infiltrated its network, deployed ransomware, and stole the personal information of some of its employees.
Collabera is a leading technology and talent solutions provider, employing over 16,000 professionals across 10 countries and offering its services to 70% of the Fortune 500 companies across banking, financial services, technology, communication services, and healthcare industries.
The ransomware attack on Collabera and the breach of personal records were revealed by The Register, which obtained an internal memo distributed by Collabera to its employees. The memo stated that the company discovered malware in its systems on 8th June and found on the 10th that hackers had exfiltrated some data from its computers.
“On June 8, 2020, Collabera identified malware in its network system consistent with a ransomware attack. We promptly restored access to our backup files and immediately launched an investigation to determine the nature and scope of the event.
“On June 10, we became aware that the unauthorized party obtained some data from our system. We are working with outside experts and law enforcement to conduct a more detailed review of the incident,” read the memo drafted by HR senior director Mike Chirico.
According to The Register, information stolen by the ransomware operators included “workers’ names, addresses, contact and social security numbers, dates of birth, employment benefits, and passport and immigration visa details.” It is not known whether Collabera has yet been served a ransom demand, but that is usually the case with large corporations that are hacked.
Maze ransomware hackers boasted about hacking Collabera in June
On 10th June, cyber security firm Cyfirma revealed that the Maze ransomware group had released a long list of companies that had fallen victim to its cyber attacks. The list included Collabera, a Brazilian government website, Macedonian shipping company FERSPED Inc., US construction company United Enertech, and Brazilian energy company CPFL Energia.
“Maze ransomware operators have a history of first stealing the data before locking their target devices and demanding ransom. They capitalize on the reputational consequences of their target as their strategy is “steal, lock and inform.” Suspected threat actors appear to be Russian-based APT28 and TA2101/APT29,” the firm said.
“The threat actor group APT28 leverages TTPs like obfuscated files or information, PowerShell, exploitation of remote services for lateral movement, credential stealing through spear-phishing links and data-staged techniques. These similar TTPs were seen in the Cognizant hack due to Maze ransomware.
“On similar lines, the threat actor group TA2101 had leveraged Maze Ransomware targeting German, Italian and U.S. organizations with malicious emails carrying samples of Maze ransomware in November 2019. TA2101 has been actively using Maze ransomware for attacks.
“Maze tends to use known vulnerabilities like the Pulse VPN CVE-2019-11510 to break in and this means employees working from home must be mindful when accessing sensitive company information. To strengthen security controls, software and applications should contain the most updated patch. Avoid pirated and counterfeit software as they could be laced with malware,” it added.