Maze Gang Claims Insurer Is a Victim, Emsisoft Reports
Switzerland-based global insurance firm Chubb acknowledges that it’s investigating a “security incident.” Meanwhile, the Maze ransomware gang is claiming Chubb is its latest victim, according to researchers at security firm Emsisoft.
A Chubb spokesperson says in a statement provided to Information Security Media Group that the company is investigating a “security incident that may involve unauthorized access to data held by a third-party service provider,” adding that law enforcement is investigating the incident.
“We have no evidence that the incident affected Chubb’s network. Our network remains fully operational and we continue to service all policyholder needs, including claims,” the spokesperson says.
Since 2015, Chubb, which sells cyber insurance and a wide variety of other coverage, has been owned by ACE American Insurance.
In a screenshot of the Maze site that Emsisoft shared with Information Security Media Group, Chubb is listed among the organizations that have been hit by the gang’s ransomware.
The Maze site lists three Chubb email addresses, including one for the CEO, and says that “proofs” would be coming soon, according to the screenshot shared by Brett Callow, a threat analyst with Emsisoft.
Last year, Maze was one of the first ransomware gangs to begin leaking victims’ data after organizations refused to pay a ransom or the two sides could not agree on a price. Other cybercriminal groups, including DoppelPaymer, Nemty, Snatch and the operators of Sodinokibi, are following similar methods to force targets to pay up (see: More Ransomware Gangs Join Data-Leaking Cult).
Callow says Maze and other ransomware gangs typically release the data they’ve stolen in stages to put pressure on the targeted organization to pay. Releasing too much data too soon might make a company rethink paying, because the data has already been exposed, he points out.
“I assume they don’t publish until they believe that naming alone isn’t going to be sufficient to elicit payment,” Callow tells ISMG. “The more data they publish, the less incentive the victim has to pay to prevent the rest of it being published.”
Chubb appears to have been using Citrix NetScaler servers that had not been patched against a vulnerability tracked as CVE-2019-19781, according to security research firm Bad Packets, which had been scanning for vulnerable infrastructure on Thursday.
Our initial CVE-2019-19781 scans found five vulnerable Chubb Citrix (NetScaler) servers:
22.214.171.124 (no forward DNS)
126.96.36.199 (no forward DNS) https://t.co/LFwjWBMoG8
— Bad Packets Report (@bad_packets) March 26, 2020
Security firm Positive Technologies first reported this vulnerability in December 2019, and Citrix has released a patch to address the flaw (see: Citrix Releases First Patches to Fix Severe Vulnerability).
“Companies must strive to pay attention to their security and ensure that remote access solutions are patched, [remote desktop protocol] is disabled when not needed or protected with strong passwords when it is, and multifactor authentication is used for remote access to applications and admin accounts,” Callow says.
Managing Editor Scott Ferguson contributed to this report.