Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/1/2019
06:00 PM
50%
50%

Attackers Used Red-Team, Pen-Testing Tools to Hack Wipro

Breach of India-based outsourcing giant involved a remote access tool and a post-exploitation tool, according to an analysis by Flashpoint.

The breach of outsourcing firm Wipro is a cybercriminal operation using tools common to red teams and penetration testers and has likely been active as far back as 2015, according to an analysis published by threat-intelligence firm Flashpoint.

The group behind the breach has links to a phishing campaign that focuses on gathering credentials to gain access to corporate sites for administering gift card and reward programs, two researchers with threat-intelligence firm Flashpoint stated in the analysis. The attackers used ScreenConnect, a remote access tool (RAT) often used by penetration testers in support engagements, and Powerkatz, a post-exploitation tool often used by red teams, says Jason Reaves, a principal threat researcher at Flashpoint.

"The tools used to breach companies are common to pen-testing and red teams," he says. "The actors perform recon like traditional red teams and cloak themselves within that environment. They have a preference for the ScreenConnect utility but also utilize RDP, which is common in most corporate environments."

The breach of India-based Wipro, an outsourcing and consulting giant, has highlighted the danger that insecure third-party firms hold for their clients. As first reported by cybersecurity journalist Brian Krebs on April 15, the company's compromised systems have apparently been used as a jumping-off point to attempt to infiltrate the networks of at least 11 Wipro clients.

Flashpoint, however, found that telltale technical signs — known as indicators of compromise (IOCs) — link the attackers to at least 48 targets between 2015 and 2019. The company's research shows that at least half a dozen of the domains connected to the Wipro attack were phishing attacks linked to past campaigns.

"We assess with high confidence that the threat actors are linked to the 2017 phishing campaign," says Joshua Platt, also a principal threat researcher with Flashpoint. "Overlapping infrastructure was configured to utilize the resources of multiple servers in multiple campaigns."

Multiple sources told KrebsOnSecurity about the breach of Wipro systems. Krebs published IOCs consisting of domain names and malicious files used in the breach.

On April 17, Wipro acknowledged the breach in a statement to Economic Times

"We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign," the statement read. "Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact."

Flashpoint found that the attackers also used a tool known as Imminent Monitor, a remote administration tool, and linked the attack to other campaigns using PowerShell scripts, a common tactic of attackers to try to operate on compromised systems without attracting notice. 

The incident is the latest example of how a third-party firm can provide attackers with a side door past a target's defenses. Only six in 10 companies actually vet their third-party providers' security, leading to 59% of companies experiencing a data breach due to those suppliers, according to the Ponemon Institute

Security professionals have criticized Wipro for its slow response. Clients and the public will likely not receive answers about the extent of the breach any time soon, said Tim Erlin, vice president of product management and strategy at Tripwire, in a statement on the breach.

"We don't have all the information about this incident, and we're not likely to get it anytime soon," he said. "Cybersecurity professionals understand how long a forensic investigation can take, and how new information can be uncovered after the initial disclosure, but that reality isn't always clear to the public."

Flashpoint is offering the IoC on its site in CSV or MISP formats.

Meantime, a Wipro spokesperson confirmed that the company is investigating the attack and has taken steps to ratchet up its security. "Wipro can confirm that it was among the targets of a coordinated and advanced phishing campaign reportedly directed against several companies. As soon as we became aware of the campaign, we began an investigation, identified potentially affected users, promptly informed the customers with whom these employees were engaged and began taking remedial steps to contain and mitigate any potential impact," the spokesperson said.

"We have applied additional security measures to further strengthen our systems, and continue to monitor our enterprise infrastructure at a heightened level of alertness. We have engaged an independent forensic firm to assist us in the investigation, while our partners in the security domain who have an understanding of our operations are supporting us in the remediation efforts," the spokesperson said.

Related Content:

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Olivia Sanches
50%
50%
Olivia Sanches,
User Rank: Apprentice
5/28/2019 | 10:25:23 AM
Solutions ?
How can we protect ourselves effectively?
How Attackers Infiltrate the Supply Chain & What to Do About It
Shay Nahari, Head of Red-Team Services at CyberArk,  7/16/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12551
PUBLISHED: 2019-07-22
In SweetScape 010 Editor 9.0.1, improper validation of arguments in the internal implementation of the Memcpy function (provided by the scripting engine) allows an attacker to overwrite arbitrary memory, which could lead to code execution.
CVE-2019-12552
PUBLISHED: 2019-07-22
In SweetScape 010 Editor 9.0.1, an integer overflow during the initialization of variables could allow an attacker to cause a denial of service.
CVE-2019-3414
PUBLISHED: 2019-07-22
All versions up to V1.19.20.02 of ZTE OTCP product are impacted by XSS vulnerability. Due to XSS, when an attacker invokes the security management to obtain the resources of the specified operation code owned by a user, the malicious script code could be transmitted in the parameter. If the front en...
CVE-2019-10102
PUBLISHED: 2019-07-22
tcpdump.org tcpdump 4.9.2 is affected by: CWE-126: Buffer Over-read. The impact is: May expose Saved Frame Pointer, Return Address etc. on stack. The component is: line 234: "ND_PRINT((ndo, "%s", buf));", in function named "print_prefix", in "print-hncp.c". Th...
CVE-2019-10102
PUBLISHED: 2019-07-22
aubio 0.4.8 and earlier is affected by: null pointer. The impact is: crash. The component is: filterbank. The attack vector is: pass invalid arguments to new_aubio_filterbank. The fixed version is: after commit eda95c9c22b4f0b466ae94c4708765eaae6e709e.