Canon USA Websites Offline Following Cyber Incident
Outage Happened After Data Disappeared From Company's Cloud Platform
Several Canon USA corporate websites remained offline Friday after the company reportedly sustained a ransomware attack.
The website outage began Wednesday, two days after the imaging company issued a statement reporting that user data was missing from a cloud storage database.
Brett Callow, a threat analyst with the security firm Emsisoft, says the ransomware group Maze has claimed responsibility for the security incident. So far, however, Maze has not posted to its website any exfiltrated data or updates on the attack, he adds.
Bleeping Computer reports Maze's operators confirmed the group was responsible for the attack. It posted a screenshot of the alleged ransom note. Callow says that ransom note, which does not specify an amount demanded, appears to be from Maze.
Canon USA tells ISMG that the company is investigating its latest website issues, but it declined further comment.
Missing Canon Images
The company announced Monday that some users' still image and video image data stored in its image.canon cloud photo platform was missing.
Although there's no evidence connecting the website outages with the missing data, exfiltration of data is a common Maze tactic, security experts note.
"On July 30, 2020, we identified an issue involving the 10GB long-term storage on image.canon. In order to conduct further investigation, we temporarily suspended both the mobile application and web browser service of image.canon," Canon reports.
The company says partial service was resumed on Tuesday, but the image.canon homepage on Thursday showed a message saying the connection is not fully secure.
After initially gaining a foothold in an infected network, the operators behind the Maze ransomware typically move through the infrastructure to gain access to a regular user account before moving up to a privileged account, says Matt Walmsley, a director at security firm Vectra. This method enables them to deploy their tools and access the data needed to finalize their ransomware attack and extortion plan, he says.
"Maze Group ransomware operators use 'name and shame' tactics whereby victims' data is exfiltrated prior to encryption and used to leverage ransomware payments," Walmsley says. "The bullying tactics used by such ransomware groups are making attacks even more expensive, and they are not going to stop any time soon, particularly within the current climate. These attackers will attempt to exploit, coerce and capitalize on organizations' valuable digital assets."
The Maze group has been especially active since April, targeting organizations that include IT services and consulting firm Cognizant, Banco BCR - the state-owned Bank of Costa Rica - and semiconductor manufacturer MaxLinear.
Cognizant confirmed in May that it was hit with ransomware and estimated recovery costs would be at least $50 million.
In late May, Maze started releasing payment card data from an earlier attack on Banco BCR. The gang claimed it was in possession of some 4 million unique payment card numbers (see: Ransomware Gang Posting Financial Details From Bank Attack).
MaxLinear confirmed in June it was hit by the Maze ransomware gang in April and some "proprietary information" was exfiltrated and personally identifiable information exposed (see: Maze Ransomware Gang Strikes Chipmaker MaxLinear).