Wipro is one of India’s largest IT outsourcing and consulting organizations.
The Flashpoint security researchers Jason Reaves, Joshua Platt and Allison Nixon claimed that the hackers had been active since 2015. The attackers allegedly used the remote access tool ScreenConnect to breach Wipro employee computers. Some of the malicious domains hosted Powerkatz and PowerSploit scripts used in the attack.
Security researchers linked the threat actors to other malicious activity dating back to 2017, and possibly 2015, and noted the reuse of infrastructure from those older attacks. Last month, the campaign targeted some Wipro employee accounts.
ScreenConnect is a remote access tool that can be used in support engagements or for remote meetings. Powerkatz is a PowerShell version of Mimikatz, a post-exploitation tool that is able to search memory for credentials, tokens, and other artifacts related to authentication. Powersploit, meanwhile, is a collection of PowerShell modules used during penetration-testing engagements to launch exploits at a target.
Flashpoint researchers’ analysis found that a half-dozen of the malicious domains hosted templates consistent with credential phishing attempts. The templates sought victims’ Windows usernames and passwords, ostensibly so the victim could access encrypted email.
The threat actors targeted the credentials of victims—in various industries—likely in order to gain access to the portals managing their gift card and rewards programs.
Reaves and Platt told Threatpost that the event underscores the security implications of third-party relationships.
“While most organizations seek out various types of third-party support in order to gain access to certain resources, cut costs, and/or boost efficiency, among other reasons, it’s important to consider that third parties can also increase the vectors and/or footprint through which a potential attack could transpire,” they noted. “If an organization chooses to work with a third-party vendor with insufficient security practices or capabilities, it will face the risk of being impacted by that vendor’s security posture.”
“Wipro can confirm that it was among the targets of a coordinated and advanced phishing campaign reportedly directed against several companies. As soon as we became aware of the campaign, we began an investigation, identified potentially affected users, promptly informed the customers with whom these employees were engaged and began taking remedial steps to contain and mitigate any potential impact,” the spokesperson said to DarkReading.
“We have applied additional security measures to further strengthen our systems, and continue to monitor our enterprise infrastructure at a heightened level of alertness. We have engaged an independent forensic firm to assist us in the investigation, while our partners in the security domain who have an understanding of our operations are supporting us in the remediation efforts.”