Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/1/2019
06:00 PM
50%
50%

Attackers Used Red-Team, Pen-Testing Tools to Hack Wipro

Breach of India-based outsourcing giant involved a remote access tool and a post-exploitation tool, according to an analysis by Flashpoint.

The breach of outsourcing firm Wipro is a cybercriminal operation using tools common to red teams and penetration testers and has likely been active as far back as 2015, according to an analysis published by threat-intelligence firm Flashpoint.

The group behind the breach has links to a phishing campaign that focuses on gathering credentials to gain access to corporate sites for administering gift card and reward programs, two researchers with threat-intelligence firm Flashpoint stated in the analysis. The attackers used ScreenConnect, a remote access tool (RAT) often used by penetration testers in support engagements, and Powerkatz, a post-exploitation tool often used by red teams, says Jason Reaves, a principal threat researcher at Flashpoint.

"The tools used to breach companies are common to pen-testing and red teams," he says. "The actors perform recon like traditional red teams and cloak themselves within that environment. They have a preference for the ScreenConnect utility but also utilize RDP, which is common in most corporate environments."

The breach of India-based Wipro, an outsourcing and consulting giant, has highlighted the danger that insecure third-party firms hold for their clients. As first reported by cybersecurity journalist Brian Krebs on April 15, the company's compromised systems have apparently been used as a jumping-off point to attempt to infiltrate the networks of at least 11 Wipro clients.

Flashpoint, however, found that telltale technical signs — known as indicators of compromise (IOCs) — link the attackers to at least 48 targets between 2015 and 2019. The company's research shows that at least half a dozen of the domains connected to the Wipro attack were phishing attacks linked to past campaigns.

"We assess with high confidence that the threat actors are linked to the 2017 phishing campaign," says Joshua Platt, also a principal threat researcher with Flashpoint. "Overlapping infrastructure was configured to utilize the resources of multiple servers in multiple campaigns."

Multiple sources told KrebsOnSecurity about the breach of Wipro systems. Krebs published IOCs consisting of domain names and malicious files used in the breach.

On April 17, Wipro acknowledged the breach in a statement to Economic Times

"We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign," the statement read. "Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact."

Flashpoint found that the attackers also used a tool known as Imminent Monitor, a remote administration tool, and linked the attack to other campaigns using PowerShell scripts, a common tactic of attackers to try to operate on compromised systems without attracting notice. 

The incident is the latest example of how a third-party firm can provide attackers with a side door past a target's defenses. Only six in 10 companies actually vet their third-party providers' security, leading to 59% of companies experiencing a data breach due to those suppliers, according to the Ponemon Institute

Security professionals have criticized Wipro for its slow response. Clients and the public will likely not receive answers about the extent of the breach any time soon, said Tim Erlin, vice president of product management and strategy at Tripwire, in a statement on the breach.

"We don't have all the information about this incident, and we're not likely to get it anytime soon," he said. "Cybersecurity professionals understand how long a forensic investigation can take, and how new information can be uncovered after the initial disclosure, but that reality isn't always clear to the public."

Flashpoint is offering the IoC on its site in CSV or MISP formats.

Meantime, a Wipro spokesperson confirmed that the company is investigating the attack and has taken steps to ratchet up its security. "Wipro can confirm that it was among the targets of a coordinated and advanced phishing campaign reportedly directed against several companies. As soon as we became aware of the campaign, we began an investigation, identified potentially affected users, promptly informed the customers with whom these employees were engaged and began taking remedial steps to contain and mitigate any potential impact," the spokesperson said.

"We have applied additional security measures to further strengthen our systems, and continue to monitor our enterprise infrastructure at a heightened level of alertness. We have engaged an independent forensic firm to assist us in the investigation, while our partners in the security domain who have an understanding of our operations are supporting us in the remediation efforts," the spokesperson said.

Related Content:

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Olivia Sanches
50%
50%
Olivia Sanches,
User Rank: Apprentice
5/28/2019 | 10:25:23 AM
Solutions ?
How can we protect ourselves effectively?
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19729
PUBLISHED: 2019-12-11
An issue was discovered in the BSON ObjectID (aka bson-objectid) package 1.3.0 for Node.js. ObjectID() allows an attacker to generate a malformed objectid by inserting an additional property to the user-input, because bson-objectid will return early if it detects _bsontype==ObjectID in the user-inpu...
CVE-2019-19373
PUBLISHED: 2019-12-11
An issue was discovered in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can trigger arbitrary unserialization of a PHP object from a packages/cms/page_templates/page_remote_content/page_remote_content.inc POST parame...
CVE-2019-19374
PUBLISHED: 2019-12-11
An issue was discovered in core/assets/form/form_question_types/form_question_type_file_upload/form_question_type_file_upload.inc in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can delete arbitrary files from the se...
CVE-2014-7257
PUBLISHED: 2019-12-11
SQL injection vulnerability in DBD::PgPP 0.05 and earlier
CVE-2013-4303
PUBLISHED: 2019-12-11
includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-s...