Incident Of The Week: Inside The Phishy Wipro Breach

IT outsourcing giant was hit by a cyber security attack that has created a buzz around ‘what not to do’

Add bookmark

On April 15, investigative reporter Brian Krebs wrote about the breach of Indian IT outsourcing and consulting giant Wipro Ltd. According to KrebsOnSecurity.com, two trusted sources spoke anonymously to Krebs, saying that Wipro’s systems were seen being used “as jumping-off points for digital phishing expeditions targeting at least a dozen Wipro customer systems. The security experts said Wipro’s customers traced malicious and suspicious network reconnaissance activity back to partner systems that were communicating directly with Wipro’s network.”

See Related: "Top 5 Cyber Security Breaches of 2019 So Far"

Details Of The Breach Confirm Phishing

Wipro first asked Krebs for time to investigate the incident before formulating a public comment, which resulted in a quote that did not acknowledge any of the concerns raised by the article, or the fact that there was even a security breach at all.

On April 17, Wipro was quoted in an Indian daily newspaper saying that it did in fact experience a phishing incident. Wipro confirmed its IT systems were hacked and said it hired a forensic firm to handle the situation, stating that it was ‘dealing with a multi-month intrusion from an assumed state-sponsored attacker’ and that Wipro’s systems were seen being used to attack at least a dozen of its clients.

See Related: “Google, Facebook Phished For Millions

“We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign. Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact,” Wipro Ltd said in a statement to ET.

“We are leveraging our industry-leading cyber security practices and collaborating with our partner ecosystem to collect and monitor advanced threat intelligence for enhancing security posture. We have also retained a well-respected, independent forensic firm to assist us in the investigation. We continue to monitor our enterprise and infrastructure at a heightened level of alertness,” the Wipro statement added.

Krebs also reported that Wipro was in the process of building a new private email network because the intruders were believed to have compromised its corporate email system.

Lack Of Acknowledgement Sparks Controversy

The handling of the incident (or lack thereof) has sparked some buzz among industry influencers, leaving Krebs compelled to later write a follow-up article on the incident, explaining that Wipro executives were asked on a quarterly investor conference call to respond to his reporting. Wipro COO Bhanu Ballapuram told investors that many of the details in Krebs’ report were in error, and implied that the breach was limited to a few employees who got phished.

Krebs decided to join the quarterly call and add a question on the incident to the queue to which Wipro gave him the opportunity to speak on the call. Security reporter Graham Cluley was able to record a bit of the call and post it on Twitter.

From the aforementioned series of events, Krebs offered a recap of Wipro’s public response so far in his follow-up article of, “How not to acknowledge a data breach:”

With more than 140,000 members, Cyber Security Hub is the vibrant community connecting cyber security professionals around the world.

  • Ignore the reporter’s questions for days and then pick nits in his story during a public investor conference call.
  • Question the stated timing of the breach but refuse to provide an alternative timeline.
  • Downplay the severity of the incident and characterize it as handled, even when they have only just hired an outside forensics firm.
  • Say the intruders deployed a “zero-day attack,” and then refuse to discuss the details of said zero-day.
  • Claim the IoCs you are sharing with affected clients were discovered by you when they were not.

What The Attackers Have Done

A source reported to Krebs that the breach dated the first phishing attack to March 11, of a single employee. There was a subsequent phishing campaign between March 16 and 19, which included 22 additional Wipro employees. The vendor investigating the incident has discovered more than 100 Wipro endpoints that were seeded with a remote access tool called ScreenConnect. The software is believed to have been used to remotely connect to Wipro client systems, which were then used for further access into customer networks.

Investigators also found at least one of the compromised endpoints was attacked with an open-source tool called Mimikats that can dump passwords stored in the temporary memory cache of a Microsoft Windows device. And the source told Krebs that the vendor is still discovering newly hacked systems, which suggests that the systems may still be compromised, and additional hacked endpoints may still be undiscovered.

6 Ways To Identify Phishing Attack Emails

While the process of cyber criminals sending emails that appear to come from legitimate companies or individuals in order to gain access to private data (bank account numbers, passwords ...) seems like one of the oldest forms of internet criminality, why is it still so prevalent?

Simply put — because it still works. People will always be a target for hackers and attacks because of human nature and emotion. Even those who think they can spot one with ease are still at risk because of the level of sophistication and targeted nature of these attacks (which are on the rise).

So, given the similarities between genuine branded emails and phishing attacks, how can individuals recognize phishing attempts and avoid falling for them? Here are 6 ways to identify phishing scams:

  1. Look for Mismatched URLs and Redirects

Phishing attack emails often display links within the body of the fraudulent messages. Sometimes, people may see the address spelled out in the body, and then notice the target address is different when they put their cursors over the link before clicking it. In other cases, individuals might get redirected to strange websites after clicking on links in messages. Both of these scenarios are warning signs that a message is an attempt at phishing.

  1. Beware of Messages Conveying Unusual Urgency

A common quality of phishing attack emails is that they try to get people to behave haphazardly and not think through their actions. Sometimes, the approach is to tell recipients that they have won prizes and have to act fast to claim them before it is too late. Or the criminals might warn that people will have their accounts closed down unless they provide information immediately.

  1. Think Before Responding to Unauthorized Account-Related Emails

People who orchestrate phishing scams frequently try to lure their victims by mentioning how their accounts showed suspicious activity and got suspended. They continue by saying that people need to provide information to restore full functionality. Frequently, the fields for choosing and confirming new passwords appear directly in phishing attack emails.

  1. Be Suspicious of Messages Warning of Severe Consequences for Inaction

Hackers perpetually look for creative ways to impersonate unsuspecting users. Analysts believe there is even a risk of voice impersonation attempts with smart speakers and other devices that have microphones. There is already a tactic called vishing, where attackers threaten people with phishing messages over the telephone.

  1. Check for Spelling and Grammar Mistakes

Phishing attack emails exist globally, which means they may originate from people who speak languages other than English. When cybercriminals target businesses operating in English-speaking countries, they may not have the knowledge necessary to correct misspelled words or grammatical errors in emails.

  1. Beware of Minimalism

Given the amount of red flags thrown up by errors or inconsistencies in the text or content of a phishing email, some perpetrators hope to avoid giving the game away altogether by limiting text to a few words or none at all.

Lesson Learned: Always Have A Plan

We hear time and time again that it is not a matter of “if” we experience a cyber security breach, but “when.” The consensus is that everyone will eventually experience a breach, attack, or attempt, so having a plan in place on what to do is crucial for success. Hopefully, it will never have to be used, but as hackers become more diligent, security executives must do so as well.

As for Krebs, perhaps CISO at HarperCollins Publishing said it best in LinkedIn, “Baller move of the week goes to Brian Krebs for his dial-in to the Wipro earnings call. Companies need to own mistakes and learn from them.”  

See Related: “The Phishing Phenomenon: How To Keep Your Head Above Water