The cyber criminal group behind the increasingly dangerous Maze ransomware strain claims it has successfully encrypted systems at mailing and shipping services firm Pitney Bowes, less than a year after it was hit by a similar attack.
The group behind Maze, which specialises in double extortion, a type of attack that increases pressure on its victims to pay by threatening to release important data in addition to encrypting systems, confirmed the attack on Pitney Bowes in a release posted to its website.
A Pitney Bowes spokesperson said: “Recently, we detected a security incident related to Maze ransomware. We are investigating the scope of the attack, specifically the type of data that had been accessed, which appears to be limited.
“Working with our third-party security consultants, we immediately took critical steps to thwart the attack before data could be encrypted. At this point, there is no evidence of further unauthorised access to our IT systems. The investigation remains ongoing.”
Screenshots posted by Maze suggest that the group has stolen data on a range of Pitney Bowes customers, including major insurance companies and retailers, as well as information and data relating to the company’s internal processes, such as management and training policies.
The October 2019 attack on Pitney Bowes encrypted information on systems and locked customers out of its SendPro products, postage refill, and account access, but the company said no customer or employee data was compromised.
The previous attack is understood to have involved Ryuk ransomware, which is suspected to be operated by groups out of Russia, and it is not known whether Pitney Bowes paid the ransom on that occasion.
But according to threat researchers, there is a possibility that the two attacks, although relying on different forms of ransomware, may be linked in some way, although this is by no means proven.
According to a research announcement from Microsoft’s threat intel team, many ransomware attackers have “deliberately maintained their presence on some endpoints, intending to reinitiate malicious activity after a ransom is paid or systems are rebuilt”.
This may be a further clue that cyber criminals may have gained access to privileged credentials at Pitney Bowes and have either sold them on to a group using Maze or reused them after gaining access to Maze themselves. According to FireEye Mandiant threat researchers, Maze appears to operate an affiliate model, partnering with other threat actors and then taking a cut of the commission if a ransom is paid.
Microsoft said Maze is most usually delivered via email, but some of its operators have deployed it to victim networks using RDP (remote desktop protocol) brute force attacks, often using unchanged local administrator passwords. Having done this, they then steal credentials and move laterally through the network to exfiltrate data.
Using the brute-forced password, campaign operators were able to move laterally because built-in administrator accounts on other endpoints used the same passwords, said the firm’s researchers.
“After gaining control over a domain admin account through credential theft, campaign operators used Cobalt Strike, PsExec and a plethora of other tools to deploy various payloads and access data,” wrote Microsoft’s researchers.
“They established fileless persistence using scheduled tasks and services that launched PowerShell-based remote shells. They also turned on Windows Remote Management for persistent control using stolen domain admin privileges. To weaken security controls in preparation for ransomware deployment, they manipulated various settings through Group Policy.”