The Blind Leading the Blind.  Cognizant Security.

Sextus Empiricus (160 - 210 AD) wrote in his Outlines of Skepticism: "Nor does the non-expert teach the non-expert - any more than the blind can lead the blind."

On April 18, 2020, Cognizant Technology revealed that it had been hit by Maze ransomware. We do not know, as of the date of this article, the extent of the damage, the amount of ransom demanded, or Cognizant’s ability to recover.

What we do know is that Maze extorts ransom payments by threatening to post the data it has exfiltrated on a publicly available website if the victim does not pay. Maze’s modus operandi is to penetrate a network, move laterally through it, thoroughly scout it out, exfiltrate data, and only then run its ransomware. In this case, they were likely inside Cognizant for weeks or even months.

Cognizant is a public company (NASDAQ: CTSH) which, based on its closing stock price on 17 April 2020, had a market capitalization of $29.522 billion, and revenues in 2019 of $16.8 billion. However, these numbers, while impressive, are not what is of primary interest. Instead, Cognizant bills itself as a cyber security leader through its Cognizant Security division.

I quote from the home page for Cognizant Security:

“Eliminate security blind spots and accelerate innovation, transformation and growth.

Outdated security solutions. Sophisticated cyberthreats. Increasing compliance requirements. Faced with these and other security challenges, today’s companies need a proactive partner who can anticipate and neutralize threats before they materialize.

At Cognizant, we approach security as the starting point for delivering the outcomes that leading global organizations demand. Our end-to-end security solutions combine deep domain and industry expertise with a future-focused approach that encompasses advisory, transformation and managed services. We offer the foresight and expertise to solve your most complex challenges.

By providing a 360-degree view of your organization’s security ecosystem, Cognizant can identify and eliminate today’s blind spots—while also seeing and solving for the threats ahead—so you can accelerate business innovation, transformation and growth.”

Link to the page: 

https://www.cognizant.com/cognizant-digital-systems-technology/cybersecurity-services

We believe Cognizant Security is a perfect example of the blind leading the blind (its cyber security customers). While its web site claims that they hold great expertise, the Maze ransomware attack is but one example of their cyber security failure. We explore yet another below.

Cognizant Security also makes this claim in an HTML comment within the source code of its home page:

“As environments become more distributed, sophisticated threat actors are taking advantage. Cognizant Security offers the solutions you need to secure your IT infrastructure and your digital transformation. Our security experts can help you tackle the most complex challenges and improve your security posture.”

We decided to take a deeper look at Cognizant based on their claims above, and probe their publicly facing Internet infrastructure. We expected to find it to be “Quantalytics Diamond-Hard”. Instead, it is quite porous.

We looked at their DNSSEC (DNS Security) deployment. DNSSEC authenticates DNS responses so that an attacker cannot substitute forged answers, which is one way a Man-In-The-Middle (MITM) attack is mounted. The absence of DNSSEC is especially worrisome given that their site has a login. A successful Man-In-The-Middle attack could therefore harvest login credentials.

The following is a partial map of the DNS Levels of Trust for cognizant.com. It shows the end of the DNS Levels of Trust chain.

[Figure: Partial DNS Trust Map - bottom]

The diagram shows on the right the NSEC3 record returned by the com zone for the delegation to cognizant.com, which proves that com publishes no DS record for cognizant.com. Without a DS record, the chain of trust stops at com, so the delegation from com to cognizant.com is insecure.

DNS Delegation:

DNS Delegation from com. INSECURE

The following are the details for the individual records, starting with the DNS A record. Because none of them are signed, the web site is potentially vulnerable to a Man-In-The-Middle (MITM) attack. This is especially worrisome because the cognizant.com site has a login and a search function, so a successful Man-In-The-Middle attack would mean that login credentials are being harvested.

DNS A record:

DNS A record. INSECURE

DNS NS record:

DNS NS record. INSECURE

DNS SOA record:

DNS SOA record. INSECURE

Compounding the insecure status of the DNS SOA record, the SOA record is also misconfigured: the query for it returned no response.

No response. ERROR

DNS MX record:

DNS MX record. INSECURE

DNS SPF and WEBEX Domain Verification TXT Record:

DNS SPF and WEBEX record. INSECURE

All of these DNS records are insecure, and lead to the unsurprising conclusion that DNS for cognizant.com is completely unprotected by DNSSEC. This includes the MX and SPF TXT records, making e-mail, in addition to the website, potentially hackable.
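To make the delegation verdict above concrete, here is an added example (not from the original article, and not code Quantalytics or Cognizant use) of the check a validating resolver performs at the com-to-cognizant.com link: it computes the RFC 4034 key tag and SHA-256 DS digest for a child DNSKEY and classifies the delegation as INSECURE when the parent publishes no DS record, SECURE when a DS matches a child key, and BOGUS when a DS exists but nothing matches. All DNSKEY material below is constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = key-signing key (SEP bit set), 256 = zone-signing key
    algorithm: int      # e.g. 13 = ECDSAP256SHA256
    public_key: bytes   # constructed sample bytes in the tests, not a real key
    protocol: int = 3   # always 3 for DNSSEC (RFC 4034)

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int    # 2 = SHA-256
    digest: bytes


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, e.g. cognizant.com."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(len(l).to_bytes(1, "big") + l.encode() for l in labels) + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag: 16-bit sum over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, key: DNSKEY) -> DS:
    """The DS record the parent zone would publish for this DNSKEY (digest type 2)."""
    digest = hashlib.sha256(name_to_wire(owner) + key.rdata()).digest()
    return DS(key_tag(key), key.algorithm, 2, digest)


def classify_delegation(owner: str, parent_ds: list, child_keys: list) -> str:
    """INSECURE: parent has no DS (the cognizant.com case reported above);
    SECURE: a parent DS matches a child DNSKEY; BOGUS: DS present, no match."""
    if not parent_ds:
        return "INSECURE"
    for ds in parent_ds:
        if any(ds.digest_type == 2 and make_ds(owner, k) == ds for k in child_keys):
            return "SECURE"
    return "BOGUS"
```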

However, there is a more serious potential hacking risk associated with the above DNSSEC weaknesses. Cognizant doubtlessly uses VPN connections to help connect its people and offices, especially now. If Cognizant uses typical practices, the IP addresses for the VPN connections are not hard coded. Instead, they likely use DNS names (URLs) that resolve to those addresses. Typically, these names would be subdomains of cognizant.com. This would be the most cost-effective approach.

This means that every subdomain name used for VPN connections is potentially hackable via a Man-In-The-Middle (MITM) attack if their DNS is compromised, which, given the lack of DNSSEC, is doable.

In our view at Quantalytics, Cognizant Security’s claim, per their home page, that “Our end-to-end security solutions combine deep domain and industry expertise …” and “As environments become more distributed, sophisticated threat actors are taking advantage. Cognizant Security offers the solutions you need to secure your IT infrastructure …” are both fraudulent and laughable. The Maze ransomware attack confirms our conclusion.

This entire report is based on the publicly facing Web infrastructure for cognizant.com and its underlying host site. No laws were broken in examining the public-facing Web and Internet settings for cognizant.com and its Cognizant Security host site. Anyone with sufficient skills, and using publicly available tools, can replicate these findings.

At Quantalytics, we have a saying we recommend for, among others, Cognizant Security: Trust nothing. Verify everything. We lead by example. And this is how we create “Quantalytics Diamond-Hard” network security for our clients, and for our line of network security appliances.

Arthur Carp | Quantalytics, Inc. | [email protected] | @quantalytics