Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/1/2019
06:00 PM
50%
50%

Attackers Used Red-Team, Pen-Testing Tools to Hack Wipro

Breach of India-based outsourcing giant involved a remote access tool and a post-exploitation tool, according to an analysis by Flashpoint.

The breach of outsourcing firm Wipro is a cybercriminal operation using tools common to red teams and penetration testers and has likely been active as far back as 2015, according to an analysis published by threat-intelligence firm Flashpoint.

The group behind the breach has links to a phishing campaign that focuses on gathering credentials to gain access to corporate sites for administering gift card and reward programs, two researchers with threat-intelligence firm Flashpoint stated in the analysis. The attackers used ScreenConnect, a remote access tool (RAT) often used by penetration testers in support engagements, and Powerkatz, a post-exploitation tool often used by red teams, says Jason Reaves, a principal threat researcher at Flashpoint.

"The tools used to breach companies are common to pen-testing and red teams," he says. "The actors perform recon like traditional red teams and cloak themselves within that environment. They have a preference for the ScreenConnect utility but also utilize RDP, which is common in most corporate environments."

The breach of India-based Wipro, an outsourcing and consulting giant, has highlighted the danger that insecure third-party firms hold for their clients. As first reported by cybersecurity journalist Brian Krebs on April 15, the company's compromised systems have apparently been used as a jumping-off point to attempt to infiltrate the networks of at least 11 Wipro clients.

Flashpoint, however, found that telltale technical signs — known as indicators of compromise (IOCs) — link the attackers to at least 48 targets between 2015 and 2019. The company's research shows that at least half a dozen of the domains connected to the Wipro attack were phishing attacks linked to past campaigns.

"We assess with high confidence that the threat actors are linked to the 2017 phishing campaign," says Joshua Platt, also a principal threat researcher with Flashpoint. "Overlapping infrastructure was configured to utilize the resources of multiple servers in multiple campaigns."

Multiple sources told KrebsOnSecurity about the breach of Wipro systems. Krebs published IOCs consisting of domain names and malicious files used in the breach.

On April 17, Wipro acknowledged the breach in a statement to Economic Times

"We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign," the statement read. "Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact."

Flashpoint found that the attackers also used a tool known as Imminent Monitor, a remote administration tool, and linked the attack to other campaigns using PowerShell scripts, a common tactic of attackers to try to operate on compromised systems without attracting notice. 

The incident is the latest example of how a third-party firm can provide attackers with a side door past a target's defenses. Only six in 10 companies actually vet their third-party providers' security, leading to 59% of companies experiencing a data breach due to those suppliers, according to the Ponemon Institute

Security professionals have criticized Wipro for its slow response. Clients and the public will likely not receive answers about the extent of the breach any time soon, said Tim Erlin, vice president of product management and strategy at Tripwire, in a statement on the breach.

"We don't have all the information about this incident, and we're not likely to get it anytime soon," he said. "Cybersecurity professionals understand how long a forensic investigation can take, and how new information can be uncovered after the initial disclosure, but that reality isn't always clear to the public."

Flashpoint is offering the IoC on its site in CSV or MISP formats.

Meantime, a Wipro spokesperson confirmed that the company is investigating the attack and has taken steps to ratchet up its security. "Wipro can confirm that it was among the targets of a coordinated and advanced phishing campaign reportedly directed against several companies. As soon as we became aware of the campaign, we began an investigation, identified potentially affected users, promptly informed the customers with whom these employees were engaged and began taking remedial steps to contain and mitigate any potential impact," the spokesperson said.

"We have applied additional security measures to further strengthen our systems, and continue to monitor our enterprise infrastructure at a heightened level of alertness. We have engaged an independent forensic firm to assist us in the investigation, while our partners in the security domain who have an understanding of our operations are supporting us in the remediation efforts," the spokesperson said.

Related Content:

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Olivia Sanches
50%
50%
Olivia Sanches,
User Rank: Apprentice
5/28/2019 | 10:25:23 AM
Solutions ?
How can we protect ourselves effectively?
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
IoT Vulnerability Disclosure Platform Launched
Dark Reading Staff 10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26649
PUBLISHED: 2020-10-22
AtomXCMS 2.0 is affected by Incorrect Access Control via admin/dump.php
CVE-2020-26650
PUBLISHED: 2020-10-22
AtomXCMS 2.0 is affected by Arbitrary File Read via admin/dump.php
CVE-2020-27533
PUBLISHED: 2020-10-22
A Cross Site Scripting (XSS) issue was discovered in the search feature of DedeCMS v.5.8 that allows malicious users to inject code into web pages, and other users will be affected when viewing web pages.
CVE-2020-24033
PUBLISHED: 2020-10-22
An issue was discovered in fs.com S3900 24T4S 1.7.0 and earlier. The form does not have an authentication or token authentication mechanism that allows remote attackers to forge requests on behalf of a site administrator to change all settings including deleting users, creating new users with escala...
CVE-2020-27560
PUBLISHED: 2020-10-22
ImageMagick 7.0.10-34 allows Division by Zero in OptimizeLayerFrames in MagickCore/layer.c, which may cause a denial of service.