I'm not a big fan of stories about stories, or of those that explore the ins and outs of reporting a breach. Sometimes, however, I feel obliged to publish such accounts when companies react to a breach report in a way that makes it clear they would not know what to do with a data breach if it bit them in the nose, let alone one that had taken hold in some dark corner of their operations.
And so this week I'm writing a second story about a potentially serious security breach at an Indian company that provides IT support and outsourcing to an absurd number of large U.S. corporations (spoiler alert: the second half of this story contains quite a bit of actual reporting on the breach itself).
On Monday, KrebsOnSecurity broke the news that multiple sources were reporting a cybersecurity breach at Wipro, the third-largest IT services provider in India and one of the main trusted IT outsourcing providers for U.S. companies. The story cited reports from multiple anonymous sources who claimed that Wipro's trusted networks and systems were being used to launch cyberattacks against the company's clients.
Wipro asked for several days to examine the request and formulate a public comment. Three days after I first reached out, the statement I finally received from them did not address any of the concerns raised by my sources. The statement did not even confirm a security incident.
Six hours after my story ran, saying that Wipro was in the throes of responding to a breach, the company was quoted in an Indian daily confirming a phishing incident. The company's statement claimed that its advanced systems had detected an internal breach and identified the affected employees, and that it had hired an outside digital forensics firm to investigate further.
Less than 24 hours after my story ran, Wipro's management was asked on a quarterly earnings call with investors to respond to my reporting. Wipro Chief Operating Officer Bhanu Ballapuram told investors that many details in my story were wrong and suggested that the breach was limited to a few employees who had been phished. The matter was characterized as settled, and the other reporters moved on to other topics.
At that point I added a question to the queue on the earnings call and was given the opportunity to ask Wipro's executives what part of my story was inaccurate. A Wipro executive proceeded to read bits of a written statement about the company's response to the incident, and the company's chief operating officer agreed to a one-on-one call with KrebsOnSecurity to resolve the complaints about my story. Security reporter Graham Cluley was kind enough to record this portion of the call and post it on Twitter.
In the follow-up call with Wipro, Ballapuram took issue with my characterization that the breach had lasted "months", saying that only a few weeks had passed since the company's employees were successfully phished by the attackers. I then asked when the company believed the phishing attacks had begun, and Ballapuram said he could not give an approximate date for the start of the attacks beyond "weeks".
Ballapuram also claimed that his corporation had been hit by a "zero-day" attack. Actual zero-day vulnerabilities involve somewhat rare and quite dangerous weaknesses in software and/or hardware that not even the product's maker knows about until the attack is detected and the flaw is found being used by intruders for private gain.
Because zero-day flaws usually relate to widely used software, it is generally considered good form for anyone experiencing such an attack to share with the rest of the world information about how the attack appears to work, in much the same way one might hope that a patient suffering from an unknown, highly contagious disease would still choose to help doctors diagnose the infection and understand how it spreads.
Wipro has so far ignored specific questions about the alleged zero-day, except to say that "based on our interim investigation, we have provided key information about the zero-day to our AV [antivirus] provider and they have given us the necessary signatures."
My guess is that what Wipro means by "zero-day" is a malicious email attachment that was not detected by any commercial antivirus tools before it infected Wipro employees' systems with malware.
Ballapuram added that Wipro had collected and distributed to affected customers a set of "indicators of compromise" (IoCs), telltale clues about the tactics, tools and procedures used by the bad guys that can signal an attempted or successful intrusion.
A few hours after that call with Ballapuram, I heard from a large U.S. company that works with Wipro (at least for now). The source said his employer had decided to cut off all online access for Wipro employees within days of discovering that those Wipro accounts were being used to target his company's business.
The source said the indicators of compromise that Wipro had shared with its customers came from a Wipro client that had itself been targeted, but Wipro sent those indicators to customers as if they were something Wipro's own security team had produced.
To recap, Wipro's public response so far:
– Ignore the reporter's questions for days, then pick apart points in his story on a public investor conference call.
– Question the timing of the breach, but refuse to provide an alternative timeline.
– Downplay the seriousness of the incident and characterize it as handled, even though you have just hired a forensics firm.
– Say that the intruders used a "zero-day attack" and then refuse to discuss the details of that zero-day.
– Pass off the IoCs you share with clients as your own discoveries when they are not.
WHAT DID THE ATTACKERS DO?
The criminals responsible for the Wipro breach appear to have been after anything that could quickly be turned into cash. The source I spoke with at the large retailer and Wipro client said the fraudsters who broke into Wipro used their access to commit gift card fraud at the retailer's stores.
I suppose that is something of a silver lining for Wipro, if not for its clients: an intruder more focused on extracting intellectual property or other, more strategic assets from Wipro's customers could probably have remained undetected for a far longer period.
A source close to the investigation, who asked not to be identified because he was not authorized to speak to the media, said the company Wipro hired to investigate the breach dated the first phishing attacks to March 11, when a single employee fell for a phishing scam.
The source said another phishing campaign between March 16 and 19 netted 22 additional Wipro employees, and that the incident response vendor has so far found over 100 Wipro endpoints that were seeded with ScreenConnect, a legitimate remote access tool sold by Connectwise.com. Investigators believe the intruders used the ScreenConnect software on the compromised Wipro systems to connect remotely to Wipro client systems, which were then used to leverage further access into the Wipro clients' networks.
In addition, investigators found that at least one of the infected endpoints had been attacked with Mimikatz, an open-source tool that can dump passwords stored in the temporary memory cache of a device running Microsoft Windows.
The source also said the vendor is still discovering newly attacked systems, suggesting that Wipro's systems remain compromised and that additional hacked endpoints may yet be undiscovered within Wipro.
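As an added example (not code from Wipro, its forensics vendor or this article), here is a small Python triage routine that flags the two behaviours the investigators described: a ScreenConnect client running on hosts where IT never deployed one, and a non-allowlisted process reading LSASS memory, the pattern Mimikatz-style credential dumping relies on. It runs over constructed endpoint records loosely modelled on Sysmon process-create and process-access events; every host name, path and allowlist is an assumption made up for the example.

```python
# Added example (not Wipro's, the forensics vendor's or the article's code): triage
# constructed endpoint telemetry, loosely modelled on Sysmon process-create (EID 1)
# and process-access (EID 10) events, for the two behaviours investigators described.
# Every host name, path and allowlist below is an assumption made up for the example.
APPROVED_REMOTE_ACCESS_HOSTS = {"helpdesk-01"}  # hosts where IT itself deployed ScreenConnect
LSASS_READERS_ALLOWED = {"csrss.exe", "wininit.exe", "msmpeng.exe"}  # legitimate LSASS readers
PROCESS_VM_READ = 0x10  # access right a credential dumper needs on the LSASS handle

def is_screenconnect(event):
    """ScreenConnect client binaries carry the product name in their image path."""
    return "screenconnect" in event.get("Image", "").lower()

def suspicious_lsass_access(event):
    """True for a process-access event where an image outside the allowlist opens
    lsass.exe with PROCESS_VM_READ; benign processes rarely need that right."""
    if not event.get("TargetImage", "").lower().endswith("lsass.exe"):
        return False
    source = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return source not in LSASS_READERS_ALLOWED and bool(granted & PROCESS_VM_READ)

def triage(events):
    """Return (host, reason) tuples for events that warrant escalation."""
    findings = []
    for ev in events:
        host = ev["Computer"]
        if is_screenconnect(ev) and host not in APPROVED_REMOTE_ACCESS_HOSTS:
            findings.append((host, "ScreenConnect client outside the approved set"))
        if suspicious_lsass_access(ev):
            findings.append((host, "LSASS read by " + ev["Image"]))
    return findings

# Constructed sample telemetry: five events, of which two should be escalated.
SAMPLE_EVENTS = [
    {"Computer": "helpdesk-01", "EventID": 1,
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe"},
    {"Computer": "ws-1187", "EventID": 1,
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (d4e5f6)\ScreenConnect.ClientService.exe"},
    {"Computer": "ws-1187", "EventID": 10, "Image": r"C:\Users\jdoe\AppData\Local\Temp\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Computer": "ws-2200", "EventID": 10, "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Computer": "ws-2200", "EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_EVENTS):
        print(host, reason)
```

In a real environment the allowlists would come from the organisation's own software inventory, and a ScreenConnect binary on an unapproved host is a lead to investigate, not proof of compromise on its own.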
Wipro has not yet responded to requests for comment.
I am sure there are intelligent, well-meaning and capable people who care about security working at Wipro, but I'm not convinced that any of them are employed in leadership positions at the company. Perhaps Wipro's actions following this incident merely reflect the fact that India currently has no law requiring data holders or processors to notify individuals in the event of a breach.
Generally I would be willing to write off this whole episode as a complete lack of media training, but if I were a Wipro client I would be more than a little concerned about the tone-deafness of the company's response to date.
As one follower on Twitter noted, "Openness and transparency speak to honesty and a willingness to learn from mistakes. The exact opposite says something completely different."
In the interest of openness, here are a few indicators of compromise that Wipro customers are circulating about this incident (I had to obtain them from a Wipro partner because the company refused to share the IoCs directly with KrebsOnSecurity).
Tags: Bhanu Ballapuram, Wipro data breach
This entry was posted on Wednesday, 17 April 2019 at 13:56 and is filed under A Little Sunshine, Data Breaches.