Mailing Equipment Manufacturer Suffered Another Attack Last October
(Photo: Straticom Planning via Flickr/CC)
After suffering a ransomware attack last October that left several systems inaccessible, mailing equipment manufacturer Pitney Bowes reports that it recently blocked another ransomware attack before any data was encrypted and says there’s “no evidence of further unauthorized access to our IT systems.”
In the latest incident, the manufacturer says it was targeted by the operators behind the Maze ransomware variant. The company did not say when the incident happened or whether it has been contacted by cybercriminals concerning a ransom payment.
“Recently, we detected a security incident related to Maze ransomware. We are investigating the scope of the attack, specifically the type of data that had been accessed, which appears to be limited,” a Pitney Bowes spokesperson tells Information Security Media Group on Monday. “Working with our third-party security consultants, we immediately took critical steps to thwart the attack before data could be encrypted. At this point, there is no evidence of further unauthorized access to our IT systems.”
The incident is still under investigation by Pitney Bowes and law enforcement, a company spokesperson says.
Stamford, Connecticut-based Pitney Bowes offers a number of mailing and postage services as well as postal meters and shipping software. The company posted $3.2 billion in annual revenue last year, when it employed 11,000, according to financial documents.
In October, the company announced that a ransomware attack disrupted customers’ ability to access its postage supply web store as well as to automatically upload envelope-printing transactions (see: Pitney Bowes Says Ransomware Behind System Outages).
At the time, Pitney Bowes noted that there was no evidence that customer or employee data had been improperly accessed.
Pitney Bowes did not say what strain of ransomware infected its network in October, although some news reports suggested it was Ryuk.
The Maze gang posted work and personal email addresses for three Pitney Bowes executives on its darknet site, showing that it was perhaps able to access at least some parts of the company’s network, according to a screenshot obtained by security firm Emsisoft and shared with ISMG.
ZDNet reported that Maze also posted screenshots of directory listings taken from Pitney Bowes’ corporate network.
Maze followed a similar strategy of posting executives’ email addresses when the gang targeted insurance giant Chubb in late March. The posting of these tidbits of data apparently is one way the operators of Maze attempt to put pressure on a targeted company to pay the ransom (see: Insurer Chubb Investigating ‘Security Incident’).
In late 2019, Maze became one of the first ransomware gangs to begin leaking victims’ data after organizations refused to pay a ransom or if the two sides could not agree on a price. Other cybercriminal groups, including DoppelPaymer, Nemty, Snatch and the operators of Sodinokibi, are following similar methods to force targets to pay up.
Did Maze Use a Backdoor?
Brett Callow, a threat analyst with Emsisoft, says that because Pitney Bowes was previously hit with ransomware, the original attackers may have left a backdoor in the network that Maze either found or gained access to with the help of another cybercriminal gang.
“Ransomware groups frequently leave behind backdoors to maintain post-attack access to the networks they have compromised, and this is one of the reasons we recommend that companies completely rebuild their networks rather than simply decrypting their data,” Callow tells ISMG. “The backdoors are typically ‘owned’ by affiliates, and those affiliates may change allegiance or sell or trade them with other groups.”
Maze Activity This Year
On Friday, Palo Alto Networks’ Unit 42 published an analysis noting that security incidents involving Maze have increased since January.
The Unit 42 analysis finds that the Maze gang is increasingly taking advantage of vulnerabilities in remote desktop protocol connections to create a foothold in the network and then move laterally through the infrastructure.
In April, Kaspersky published a report that found the number of brute-force attacks targeting RDP connections had spiked since the Covid-19 pandemic forced employees all over the world to work at home.
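The RDP brute-force activity described by Unit 42 and Kaspersky is, from the defender's side, visible in Windows Security logs as bursts of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address. The following is an added example, not code from Pitney Bowes, Unit 42 or Kaspersky, that runs a sliding-window detector over a constructed set of such log records; the tuple layout of the records and the sample addresses are assumptions made for the example, and it also flags the case a responder most needs to see first: a successful RDP logon from the same source right after the burst.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security log fields:
# Event ID 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP). This tuple layout is an
# assumption for the example, not a real log export format.
SAMPLE_EVENTS = [
    # (timestamp, event_id, logon_type, target_user, source_ip)
    ("2020-05-11T02:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2020-05-11T02:00:05", 4625, 10, "admin", "203.0.113.7"),
    ("2020-05-11T02:00:09", 4625, 10, "administrator", "203.0.113.7"),
    ("2020-05-11T02:00:14", 4625, 10, "backup", "203.0.113.7"),
    ("2020-05-11T02:00:20", 4625, 10, "administrator", "203.0.113.7"),
    ("2020-05-11T02:00:31", 4625, 10, "admin", "203.0.113.7"),
    ("2020-05-11T02:01:02", 4624, 10, "backup", "203.0.113.7"),    # success right after the burst
    ("2020-05-11T02:03:00", 4625, 10, "jsmith", "198.51.100.20"),  # two failures: a mistyped password, not a spray
    ("2020-05-11T02:04:10", 4625, 10, "jsmith", "198.51.100.20"),
    ("2020-05-11T02:05:00", 4625, 3, "svc_backup", "203.0.113.9"),  # network logon, not RDP: ignored
    # slow attempts, one every six minutes: never five inside a five-minute window
    ("2020-05-11T03:00:00", 4625, 10, "administrator", "192.0.2.5"),
    ("2020-05-11T03:06:00", 4625, 10, "administrator", "192.0.2.5"),
    ("2020-05-11T03:12:00", 4625, 10, "administrator", "192.0.2.5"),
    ("2020-05-11T03:18:00", 4625, 10, "administrator", "192.0.2.5"),
    ("2020-05-11T03:24:00", 4625, 10, "administrator", "192.0.2.5"),
    ("2020-05-11T03:30:00", 4625, 10, "administrator", "192.0.2.5"),
]

RDP_LOGON_TYPE = 10
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624


def parse_event(record):
    """Turn one sample tuple into a dict with a real datetime."""
    ts, event_id, logon_type, user, src = record
    return {"ts": datetime.fromisoformat(ts), "event_id": event_id,
            "logon_type": logon_type, "user": user, "src": src}


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert on any source IP with >= threshold failed RDP logons inside a
    sliding time window, and record whether a successful RDP logon from
    that source followed the burst."""
    recent = defaultdict(list)   # src -> failed RDP events still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        src = ev["src"]
        if ev["event_id"] == SUCCESS_LOGON:
            if src in alerts:            # a success after an alerted burst is the urgent case
                alerts[src]["success_after"] = True
            continue
        if ev["event_id"] != FAILED_LOGON:
            continue
        bucket = recent[src]
        bucket.append(ev)
        while bucket and ev["ts"] - bucket[0]["ts"] > window:   # expire old failures
            bucket.pop(0)
        if len(bucket) >= threshold:
            alert = alerts.setdefault(src, {"first_seen": bucket[0]["ts"],
                                            "usernames": set(),
                                            "success_after": False})
            alert["last_seen"] = ev["ts"]
            alert["attempts"] = len(bucket)
            alert["usernames"].update(e["user"] for e in bucket)
    for alert in alerts.values():
        alert["usernames"] = sorted(alert["usernames"])
    return alerts


def run_sample():
    """Run the detector over the constructed sample; returns {src: alert}."""
    return detect_rdp_bruteforce(parse_event(r) for r in SAMPLE_EVENTS)


if __name__ == "__main__":
    for src, alert in run_sample().items():
        print(src, alert)
```

On the sample only 203.0.113.7 trips the threshold (six failures against three usernames in thirty seconds, followed by a successful logon), while the slow source spaced six minutes apart never does; lowering the window or threshold trades that miss against more noise from ordinary typos like the two failures from 198.51.100.20.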