Sometimes, the attackers are just after money. That was the surprising takeaway from Flashpoint’s analysis of the attack that hit dozens of employees at IT consultancy Wipro.
The goal of the phishing operation that compromised dozens of Wipro employees and gave attackers access to more than 100 computers at the company appears to have been massive gift card fraud, wrote Flashpoint researchers Allison Nixon, Joshua Platt, and Jason Reaves. The attackers were interested in obtaining usernames and passwords of encrypted email accounts in order to access portals managing gift card and rewards programs.
The researchers looked at the domains used in the attack and found “a half-dozen” hosted templates that are typically used to harvest credentials. It is currently not known what the attackers ultimately did with the stolen credentials.
“The templates sought victims’ Windows usernames and passwords in order to allegedly access encrypted email,” wrote Platt, Nixon, and Reaves.
Well-Known Tools
Just because the attackers were focused on cyber-crime and not on industrial espionage doesn’t imply they didn't have any skills or special knowledge. The group abused a number of legitimate IT applications and well-known red-team penetration testing tools. The attackers were clearly familiar with how to use penetration testing tools and how to target specific parts of a corporate network.
The phishing component mimicked the look and feel of a security awareness training application, and the attackers installed remote access tool ScreenConnect (renamed to ConnectWise Control in 2017) on the compromised machines. ScreenConnect is much like RDP (Remote Desktop Protocol) as it gives support teams access to the machine without having to physically be present. Like other similar tools, ScreenConnect has been used in fraudulent tech support scams in the past.
“The phishing templates used to ensnare victims inside Wipro match those provided by a security awareness training provider,” wrote Reaves, Platt, and Nixon.
It’s ironic that employees were tripped up by an phishing attack which looked a lot like the training simulation.
It’s ironic that employees were tripped up by an phishing attack which looked a lot like the training simulation.
As for penetration testing tools, the domains used in the attack were hosting powerkatz and powersploit scripts. Powerkatz is a PowerShell version of Mimikatz, a tool for searching system memory for credentials, tokens, and other authentication-related artifacts. Powersploit is a collection of PowerShell modules used by penetration testers to launch exploits at a target.
"The threat actors also used a tool called powershell obfuscator in combination with one of multiple items within the powersploit framework. The obfuscator enables the actors to hide their code,” Flashpoint said.
The group behind this attack appears to have been operating since at least 2017, and possibly 2015, the researchers said. The group also reused the infrastructure, including PowerShell scripts, from previous incidents as part of this campaign.
The attackers installed remote administration tool Imminent Monitor on to victim machines. The malware was also used back in 2017 in a different campaign.
Piggyback Attacks
Wipro has been reticent to discuss details about the incident beyond confirming something had happened. KrebsOnSecurity’s Brian Krebs first reported the breach earlier in April and claimed at least 11 Wipro customers were affected in follow-up attacks. It appears attackers first compromised Wipro’s email server through a phishing attempt, and then pivoted to customer networks.
“We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign,” Wipro said at the time. “Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact.”
As the largest IT outsourcing and consulting company in India, Wipro was a rich target, as its customer list includes tens of thousands of companies around the world. It is not known at this time what the attackers did in the customer networks.
Working with third-party providers and suppliers is an integral part of modern business operations. No organization can go it alone—which is why organizations have to assess partners’ security posture as well as their own.