Fortune 500 company and IT services major Conduent has announced that it suffered a ransomware attack on 29th May that resulted in its systems going offline for over ten hours.
The ransomware attack temporarily disrupted Conduent's European operations, but going by the company's statements, the attack may not have resulted in the loss of sensitive data, as affected systems were restored within hours.
“Conduent’s European operations experienced a service interruption on Friday, May 29, 2020. Our system identified ransomware, which was then addressed by our cybersecurity protocols. This interruption began at 12.45 AM CET on May 29th with systems mostly back in production again by 10.00 AM CET that morning, and all systems have since then been restored,” said a spokesman from Conduent.
“This resulted in a partial interruption to the services that we provide to some clients. As our investigation continues, we have on-going internal and external security forensics and anti-virus teams reviewing and monitoring our European infrastructure.”
Hackers exploited a flaw in Citrix VPN apps to target Conduent
Computer Business Review said that security researchers at Bad Packets believe hackers exploited an arbitrary code execution vulnerability in Citrix VPN appliances, known as CVE-2019-19781, to target Conduent. The researchers said that Conduent was running unpatched Citrix VPNs for at least eight weeks even though Citrix had issued a patch for the flaw on 24th January.
According to Citrix, the CVE-2019-19781 vulnerability was found in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.
The company said that the vulnerability also impacted certain deployments of Citrix SD-WAN, specifically the Citrix SD-WAN WANOP edition, and strongly advised users of these products to upgrade all of their vulnerable appliances to a fixed build at their earliest opportunity.
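Because the gap between Citrix's fix and the intrusion is the point of this section, the check a defender would want is a retrospective one: were there requests to the appliance that match the CVE-2019-19781 traversal pattern before the patch landed? The Python below is an added example, not code from the article, from Citrix or from any of the firms named; it assumes web-server-style access logs in combined format, that the indicator is the one Citrix described in its published interim mitigation (a request reaching the /vpns/ tree through a "/../" segment), and the log lines are constructed for illustration.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines in Apache/nginx combined format. They are
# illustrative only, not logs from Conduent or from any real appliance. The
# third line percent-encodes ".." to show why the path is decoded before matching;
# the fourth line is a benign request under /vpns/ that must not be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [29/May/2020:00:41:02 +0100] "GET /vpn/index.html HTTP/1.1" 200 3811 "-" "Mozilla/5.0"
203.0.113.11 - - [29/May/2020:00:41:05 +0100] "GET /vpn/../vpns/example HTTP/1.1" 200 136 "-" "curl/7.64.0"
203.0.113.12 - - [29/May/2020:00:41:09 +0100] "GET /vpn/%2e%2e%2Fvpns/example HTTP/1.1" 200 981 "-" "python-requests/2.23"
203.0.113.13 - - [29/May/2020:00:42:00 +0100] "GET /vpns/static/logo.png HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# One combined-log line: client IP, timestamp, method, request path, HTTP status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(path: str) -> str:
    """Percent-decode repeatedly until the value is stable, so a double-encoded
    traversal ("%252e%252e") is normalised the same way as a plain one."""
    for _ in range(5):  # bounded: a sane URL stabilises in one or two passes
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    return path


def is_suspicious(path: str) -> bool:
    """Assumed indicator, taken from Citrix's published interim mitigation for
    CVE-2019-19781: the decoded path reaches /vpns/ via a '/../' segment."""
    decoded = fully_decode(path).lower()
    return "/vpns/" in decoded and "/../" in decoded


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one record per suspicious request: ip, timestamp, decoded path, status.
    A 200 on such a request is the worrying case: the appliance served the file."""
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip rather than abort the scan
        if is_suspicious(m["path"]):
            hits.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "path": fully_decode(m["path"]),
                "status": int(m["status"]),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['timestamp']} {hit['status']} {hit['path']}")
```

Run against the constructed sample it reports the second and third lines only. On real data the timestamp of the earliest hit, set against the date the patch became available, answers the question the researchers raised about how long the appliance stayed exposed; a hit with a 2xx status after the fixed build was installed would instead point at an incomplete upgrade.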
Maze ransomware gang reveals it targeted Conduent's systems
According to security firms Bad Packets and Emsisoft, Conduent was targeted using the Maze ransomware, the same strain recently used against Westech International, an Albuquerque-based defence contractor that undertakes various jobs under contract with the U.S. Department of Energy (DOE) and Department of Defense (DoD).
Using the ransomware, hackers reportedly gained control over the firm's computers, encrypted them, and leaked some documents online to force the firm into paying a ransom. The compromised data included some emails as well as payroll information.
According to Emsisoft, the Maze ransomware gang has published several files on a public website that are related to Conduent's operations in Germany. “These groups typically start by posting the older and less sensitive data, since if they were to post the Crown Jewels, so to speak, the company would have less incentive to pay for the remaining data being published,” Emsisoft security analyst Brett Callow told CRN, indicating that the hackers may have demanded a ransom from Conduent.
Commenting on the ransomware attack targeting Conduent, Javvad Malik, Security Awareness Advocate at KnowBe4, told Teiss that ransomware is indiscriminate and can affect organisations of all sizes and across all verticals. As disruptive as it is, the majority of successful ransomware infections occur as a result of either phishing or taking advantage of unpatched public-facing software.
"Therefore, these are areas in the security strategy that organisations should pay the most attention to. As criminals are no longer content with just encrypting data, during ransomware they try to actively exfiltrate data and sell it on - it becomes increasingly important that organisations prevent ransomware, recovery alone is not enough," he added.