Xchanging, a managed services provider (MSP) specialising in the insurance and financial services industry, is recovering its systems after a ransomware attack by an as-yet unknown actor. The firm, owned by US-based services provider DXC, alerted authorities to the incident on the evening of Sunday 5 July 2020.
It said certain customer-facing systems at Xchanging had been compromised in the attack, and it had implemented a series of containment and remediation measures to resolve the incident.
“The company is confident that this incident is isolated to the Xchanging environment,” DXC said in a statement. “In addition, DXC does not have any indication at this time that data has been compromised or lost.
“DXC is actively working with affected customers to restore access to their operating environment as quickly as possible. DXC is also engaging with law enforcement and appropriate cyber agencies.”
A DXC spokesperson confirmed to Computer Weekly that the problem was limited to a subset of the Xchanging business, and there had been no impact on DXC systems. They added that the company had now restored services to nearly all impacted customers, and was now shifting from response to forensic evaluation mode.
Besides services for insurers such as claims management, underwriting and administration, Xchanging offers business process services in areas such as customer admin, finance and procurement, and technology services including application management, infrastructure management, specialist software and data integration.
Service providers and supply chain partners of all stripes – not just tech businesses – are particularly at risk from cyber criminal activity because they frequently have some degree of privileged access to their customers’ IT systems, which means threat actors can easily move laterally and compromise an array of targets – as aerospace kingpin Airbus found out to its cost in 2019.
Earlier this year, a report compiled by BlackBerry Cylance said that businesses were particularly vulnerable to being targeted by criminals looking to deploy ransomware. In many cases, initial compromise occurs via targeted phishing attacks aimed at MSP employees responsible for managing customer systems.
It is important to note, however, that at this stage of the Xchanging incident, there is no indication that cyber criminals have compromised any of its customers.
Chad Anderson, senior security researcher at DomainTools, said: “The best way for DXC Technology to move forward is to isolate the source of the attack, focus on putting better monitoring and security in place, and then deal with the ransomware problem. If you are going to have to rebuild your network and machines anyway, this is a great chance for teams to implement good network segregation, DNS-based filtering, and proper antivirus if they don’t have it already.
“Again, assuming DXC will choose not to pay to disincentivise future attacks, they would need to start fresh. With how interconnected everything is with cloud services today, organisations would be surprised with how much can be recovered from other sources, but you will definitely be at a disadvantage.
“Off-site backups are key here. Whether it is to an S3 bucket on AWS that does versioning, a file server in a colocation centre, or recorded to tapes and stored in a closet in another building, you have to have versioned, off-site backups. These should go in one direction only or be designed with least privilege in mind.”
Anderson added: “Finally, and here DXC Technology did the right thing, it is important to notify ransomware attacks as data breaches, as more often than not, the data stolen ends up on the dark web somewhere, ready to be purchased and used in subsequent attacks.”
At the time of writing, no ransomware operator had yet claimed responsibility for the attack.