Cognizant, one of the world’s largest IT services companies, was hit by Maze ransomware — a variant that steals files before encrypting to maximize ransom pressure; COVID-19 scams generated $17.5 million in fraud losses in just four months; Pulse Secure VPN had a CVSS 10/10 remote code execution flaw with 14,500 vulnerable servers still exposed months later; and researchers found over 760 malicious RubyGems packages using typosquatting to steal Bitcoin from developers’ clipboards.
Stories Covered
Cognizant Hit by Maze Ransomware: Exfiltration Before Encryption, File-Stealing Pressure Tactic
Cognizant — a multinational IT services corporation — disclosed it was hit by Maze ransomware. What distinguishes Maze from other ransomware families is its pre-encryption exfiltration step: Maze operators steal victim data before encrypting it, then threaten to publish the stolen files publicly if the ransom is not paid. This creates a second layer of leverage beyond the encryption itself — a victim with offline backups who could otherwise recover without paying still faces the exposure threat on stolen data. Bleeping Computer published indicators of compromise associated with the attack including IP addresses and file hashes for keepstl32.dll, meme.tmp, and maze.dll. An InfoSec researcher released a YARA rule to identify the malware: YARA is a classification tool that lets security researchers define patterns to detect and categorize malware families. The Maze double-extortion model — encrypt and threaten to leak — has since become the standard ransomware operating model across most major ransomware groups. Defenses specific to ransomware: maintain offline backups that are not connected to the main network so an infection cannot reach and encrypt them, patch aggressively to reduce initial access vectors, lock down Remote Desktop Protocol access and require VPN with MFA for any remote administrative access.
COVID-19 Scams: $17.5 Million in Fraud Losses, Fake Government Sites, and Malicious Word Documents
The FTC received 22,853 COVID-19-related fraud complaints between January and April 2020, with total reported losses of $17.53 million and a median loss of $533 per victim. The scam landscape during this period included multiple distinct attack vectors. Researchers at Inky found phishing emails leading to a pixel-perfect fake clone of the White House’s official COVID-19 information website, where a download button prompted victims to download a malicious Microsoft Word document that, when opened with macros enabled, downloaded and executed malware. A separate Bitdefender-identified campaign sent emails with attachments disguised as image files that were actually malicious executables mounting as a DVD drive. A Facebook-distributed scam impersonating a fictional “U.S. Emergency Grants Foundation” targeted older users, directing them to a fake government grants website that harvested Social Security numbers and personal information for identity fraud. Fake flight cancellation refund emails collected phone numbers, email addresses, and payment card information from frequent travelers. A malvertising campaign registered covid19onlineinfo.com and multiple similar domains to host an exploit kit targeting older Internet Explorer versions, attempting to install Kpot v2, a credential stealer targeting passwords and personal information. The unifying pattern across all of these is the exploitation of fear and urgency during a period when normal verification instincts were overridden by the anxiety of the pandemic.
Pulse Secure VPN: CVSS 10 RCE Flaw, 14,500 Exposed Servers, and Credentials That Outlast Patches
In 2019, ten major vulnerabilities were disclosed in Pulse Secure VPN, including one rated CVSS 10.0 — the maximum severity score — for a remote unauthenticated code execution flaw. The NSA identified approximately 14,500 servers still vulnerable to these flaws as of August 2019 and issued alerts. By January 2020, attackers were still actively exploiting the vulnerabilities to distribute ransomware. CISA issued a warning that patching the vulnerability alone was not sufficient for organizations that had been compromised: attackers who obtained valid credentials during the exploitation window were using those credentials to maintain persistent access even after the underlying software flaw was patched. Attackers routed their connections through Tor and virtual private servers to obscure origin, and maintained footholds through scheduled tasks, remote access trojans, and legitimate remote management tools like TeamViewer. CISA released a tool to help administrators detect whether their systems had been compromised before being patched. The core lesson: when a critical authentication-adjacent vulnerability is patched, the remediation must include credential rotation across all accounts that could have been exposed — patching the code path does not invalidate attacker credentials that were already harvested.
760 Malicious RubyGems: Typosquatting and Bitcoin Clipboard Theft Across Package Ecosystems
ReversingLabs researchers identified close to 760 malicious libraries in the RubyGems package registry, all using typosquatting — registering package names that closely resemble legitimate library names, with minor variations like replacing the letter “i” with the number “1” — to trick developers into installing them instead of the intended dependency. The malicious packages targeted cryptocurrency: once installed on a developer’s machine, a malicious executable extracted a VBScript that created an autorun registry key for persistence and monitored the Windows clipboard for cryptocurrency wallet addresses, replacing any detected address with the attacker’s wallet. Any cryptocurrency transaction initiated by a victim who had unknowingly installed one of these packages would have its destination wallet silently swapped, sending funds to the attacker. Researchers noted consistent signatures across the malicious libraries suggesting a single threat actor or coordinated group behind the campaign. Similar malicious packages using the same techniques had previously been identified in the NPM and PyPI ecosystems. The attack surface is structural: every package registry that allows any user to publish packages without review has this exposure. For developers: audit your dependency list, verify package names match exactly against the intended library, check publish dates and download counts against expected values, and prefer packages where you can inspect source code or that have established maintenance history.
Leave a Reply