Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/1/2019
06:00 PM
50%
50%

Attackers Used Red-Team, Pen-Testing Tools to Hack Wipro

Breach of India-based outsourcing giant involved a remote access tool and a post-exploitation tool, according to an analysis by Flashpoint.

The breach of outsourcing firm Wipro is a cybercriminal operation using tools common to red teams and penetration testers and has likely been active as far back as 2015, according to an analysis published by threat-intelligence firm Flashpoint.

The group behind the breach has links to a phishing campaign that focuses on gathering credentials to gain access to corporate sites for administering gift card and reward programs, two researchers with threat-intelligence firm Flashpoint stated in the analysis. The attackers used ScreenConnect, a remote access tool (RAT) often used by penetration testers in support engagements, and Powerkatz, a post-exploitation tool often used by red teams, says Jason Reaves, a principal threat researcher at Flashpoint.

"The tools used to breach companies are common to pen-testing and red teams," he says. "The actors perform recon like traditional red teams and cloak themselves within that environment. They have a preference for the ScreenConnect utility but also utilize RDP, which is common in most corporate environments."

The breach of India-based Wipro, an outsourcing and consulting giant, has highlighted the danger that insecure third-party firms hold for their clients. As first reported by cybersecurity journalist Brian Krebs on April 15, the company's compromised systems have apparently been used as a jumping-off point to attempt to infiltrate the networks of at least 11 Wipro clients.

Flashpoint, however, found that telltale technical signs — known as indicators of compromise (IOCs) — link the attackers to at least 48 targets between 2015 and 2019. The company's research shows that at least half a dozen of the domains connected to the Wipro attack were phishing attacks linked to past campaigns.

"We assess with high confidence that the threat actors are linked to the 2017 phishing campaign," says Joshua Platt, also a principal threat researcher with Flashpoint. "Overlapping infrastructure was configured to utilize the resources of multiple servers in multiple campaigns."

Multiple sources told KrebsOnSecurity about the breach of Wipro systems. Krebs published IOCs consisting of domain names and malicious files used in the breach.

On April 17, Wipro acknowledged the breach in a statement to Economic Times

"We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign," the statement read. "Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact."

Flashpoint found that the attackers also used a tool known as Imminent Monitor, a remote administration tool, and linked the attack to other campaigns using PowerShell scripts, a common tactic of attackers to try to operate on compromised systems without attracting notice. 

The incident is the latest example of how a third-party firm can provide attackers with a side door past a target's defenses. Only six in 10 companies actually vet their third-party providers' security, leading to 59% of companies experiencing a data breach due to those suppliers, according to the Ponemon Institute

Security professionals have criticized Wipro for its slow response. Clients and the public will likely not receive answers about the extent of the breach any time soon, said Tim Erlin, vice president of product management and strategy at Tripwire, in a statement on the breach.

"We don't have all the information about this incident, and we're not likely to get it anytime soon," he said. "Cybersecurity professionals understand how long a forensic investigation can take, and how new information can be uncovered after the initial disclosure, but that reality isn't always clear to the public."

Flashpoint is offering the IoC on its site in CSV or MISP formats.

Meantime, a Wipro spokesperson confirmed that the company is investigating the attack and has taken steps to ratchet up its security. "Wipro can confirm that it was among the targets of a coordinated and advanced phishing campaign reportedly directed against several companies. As soon as we became aware of the campaign, we began an investigation, identified potentially affected users, promptly informed the customers with whom these employees were engaged and began taking remedial steps to contain and mitigate any potential impact," the spokesperson said.

"We have applied additional security measures to further strengthen our systems, and continue to monitor our enterprise infrastructure at a heightened level of alertness. We have engaged an independent forensic firm to assist us in the investigation, while our partners in the security domain who have an understanding of our operations are supporting us in the remediation efforts," the spokesperson said.

Related Content:

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Olivia Sanches
50%
50%
Olivia Sanches,
User Rank: Apprentice
5/28/2019 | 10:25:23 AM
Solutions ?
How can we protect ourselves effectively?
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/14/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14499
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper access control vulnerability. Successful exploitation of this vulnerability may allow an attacker to obtain all user accounts credentials.
CVE-2020-14501
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper authentication for critical function (CWE-306) issue. Successful exploitation of this vulnerability may allow an attacker to obtain the information of the user table, including the administrator credentials in plain text. An attacker may also ...
CVE-2020-14503
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper input validation vulnerability. Successful exploitation of this vulnerability could allow an attacker to remotely execute arbitrary code.
CVE-2020-14497
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, contains multiple SQL injection vulnerabilities that are vulnerable to the use of an attacker-controlled string in the construction of SQL queries. An attacker could extract user credentials, read or modify information, and remotely execute code.
CVE-2020-14505
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper neutralization of special elements used in a command (“command injection�) vulnerability. Successful exploitation of this vulnerability may allow an attacker to send a HTTP GET or POST request that create...