In April of this year various reports suggested that Indian IT outsourcing and consulting services giant Wipro experienced a significant breach affecting some of the companies it provided services to. Krebs On Security first reported the breach, based on accounts from various sources claiming that state-backed hackers had been lurking on Wipro’s network for months and that the threat actors had used their presence on Wipro’s network to attack at least 12 of its customers, making the breach a supply-chain attack.
A recent report by RiskIQ indicates that the Wipro breach was part of a much larger campaign that has been active since 2016. The researchers observed five distinct campaigns between mid-2016 and the first half of 2019. The targeted organizations were mostly gift card retailers, distributors, and card processors, and the attacks followed a more or less fixed ‘kill chain.’
In the first stage of the attack, the threat actors used relatively generic phishing emails to target organizations dealing in gift cards. The phishing pages were built with standard phishing-kit techniques that automate the creation of the pages and the issuance of SSL certificates, so that the padlock in the browser makes the pages appear legitimate (a valid certificate only proves control of the domain, not that the site is honest). The attackers also used commercial digital marketing services for link tracking, which tells them which recipients clicked.
As part of the infiltration phase, the campaigns relied on legitimate tools such as ScreenConnect (for obtaining remote control over a machine) and the EMCO Remote Installer (for installing tools on compromised machines). These tools were used together with a number of publicly available PowerShell scripts, including BabySharkPro, to steal credentials and certificates. While BabySharkPro is frequently linked to North Korean hacking campaigns, the report notes that “this may have been a false flag put in place by the actors to mislead researchers.” In any case, the use of legitimate remote-administration tools made the campaigns very hard to detect, because the activity looks like routine IT support rather than malware.
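One way to get some of that lost visibility back is to stop looking at the tools in isolation and instead correlate them: a remote-administration client followed, on the same host and shortly afterwards, by PowerShell that exports certificates or runs encoded commands is far rarer than either event alone. The Python below is an added example written for this article; it is not from the RiskIQ report or from any of the tools it names. The log format is a simplified Sysmon-style process-creation line, the events are constructed, and the executable names assumed for ScreenConnect and the EMCO Remote Installer are illustrative and should be checked against a real installation.

```python
"""Correlate remote-admin tool activity with follow-on PowerShell on the same host.

Added example for this article. The log lines are constructed and the tool
binary names are assumptions, not indicators taken from the RiskIQ report.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed executable names for the remote-access/installer tools named in the
# article. Illustrative only; confirm the real binary names in your environment.
REMOTE_ADMIN_TOOLS = {
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "remoteinstaller.exe": "EMCO Remote Installer",
}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# How long after a remote-admin tool starts we still treat PowerShell as related.
CORRELATION_WINDOW = timedelta(hours=1)
# Heuristic command-line fragments suggesting credential/certificate theft.
CREDENTIAL_ACCESS_HINTS = ("export-pfxcertificate", "cert:\\", "-encodedcommand", "-enc")

# Constructed process-creation events: timestamp|host|image|parent_image|command_line
SAMPLE_LOG = r"""
2019-03-04T09:12:01|ws-0423|C:\Windows\explorer.exe|C:\Windows\System32\userinit.exe|explorer.exe
2019-03-04T09:13:40|ws-0423|C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe|C:\Windows\System32\services.exe|ScreenConnect.ClientService.exe
2019-03-04T09:15:22|ws-0423|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe|powershell.exe -nop -w hidden -enc SQBFAFgA
2019-03-04T10:02:10|ws-0423|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\explorer.exe|powershell.exe Get-ChildItem Cert:\LocalMachine\My | Export-PfxCertificate -FilePath C:\Users\Public\m.pfx
2019-03-04T11:30:00|ws-0087|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\explorer.exe|powershell.exe Get-Process
2019-03-04T14:00:00|ws-0423|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\explorer.exe|powershell.exe Get-Date
"""


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    image: str
    parent: str
    cmdline: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()

    @property
    def parent_name(self) -> str:
        return self.parent.rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> List[ProcEvent]:
    """Parse pipe-delimited events; maxsplit keeps pipes inside the command line."""
    events = []
    for line in text.strip().splitlines():
        ts, host, image, parent, cmd = line.split("|", 4)
        events.append(ProcEvent(datetime.fromisoformat(ts), host, image, parent, cmd))
    return events


def detect(events: List[ProcEvent], window: timedelta = CORRELATION_WINDOW) -> List[dict]:
    """Alert on PowerShell that is either spawned by a remote-admin tool or runs
    on a host where such a tool started within `window`. Severity is raised when
    the command line also matches a credential/certificate-theft heuristic."""
    last_tool: Dict[str, ProcEvent] = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.name in REMOTE_ADMIN_TOOLS:
            last_tool[ev.host] = ev
            continue
        if ev.name not in POWERSHELL:
            continue
        spawned_by_tool = ev.parent_name in REMOTE_ADMIN_TOOLS
        recent = last_tool.get(ev.host)
        within_window = recent is not None and ev.ts - recent.ts <= window
        if not (spawned_by_tool or within_window):
            continue
        cmd = ev.cmdline.lower()
        hints = [h for h in CREDENTIAL_ACCESS_HINTS if h in cmd]
        tool = REMOTE_ADMIN_TOOLS[ev.parent_name] if spawned_by_tool else REMOTE_ADMIN_TOOLS[recent.name]
        alerts.append({
            "time": ev.ts.isoformat(),
            "host": ev.host,
            "tool": tool,
            "spawned_by_tool": spawned_by_tool,
            "hints": hints,
            "severity": "high" if (spawned_by_tool or hints) else "medium",
            "cmdline": ev.cmdline,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(f"[{alert['severity']}] {alert['time']} {alert['host']} via {alert['tool']}: {alert['cmdline']}")
```

The third sample event is caught because PowerShell is a direct child of the remote-access client; the fourth is caught only by the time window, since the parent is explorer.exe, and it is raised to high because the command line exports a certificate. The PowerShell on ws-0087 and the late one on ws-0423 are left alone, which is the point: PowerShell itself is normal, PowerShell in the wake of an unexpected remote-admin session is not. Tune the window and the tool list to your own baseline before relying on it.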
Once the attackers had successfully infiltrated the gift card infrastructure they were targeting, “they went on to use money transfer services, clearinghouses, and other payment processing institutions” in order to monetize their access, which strongly implies that the campaigns were all financially motivated.
The researchers believe that the Wipro attack was part of an attempt by the threat group “to widen its reach” by going after IT infrastructure firms.
The report is worth reading in full because the various potential indicators of compromise (IOCs) it lists can help organizations detect sophisticated campaigns like the one that hit Wipro.