Wipro Data Breach Attackers Were Active Since 2015, Security Researchers Claim

The attackers were found to have used remote access tool ScreenConnect to compromise employee machines within Wipro.

By Jagmeet Singh | Updated: 2 May 2019 14:47 IST
Highlights
  • Flashpoint researchers have analysed the recent Wipro attack
  • The researchers claimed many legitimate security applications were abused
  • Wipro attackers had allegedly reused most of the infrastructure

Wipro hasn't yet revealed the specifics around the phishing campaign that took place last month

Wipro last month revealed an advanced phishing campaign that had targeted some of its employee accounts. While the IT giant didn't detail the infiltration, researchers at business risk intelligence firm Flashpoint have now claimed that the hackers were active in the shadows for some time. The researchers also discovered that many legitimate security applications were abused during the phishing campaign. The attackers were also found to have used remote access tool ScreenConnect to allegedly compromise employee machines within Wipro. Cyber-security blog KrebsOnSecurity first reported the data breach impacting the network of Wipro last month. The company itself confirmed the attack at a later stage.

Flashpoint researchers Jason Reaves, Joshua Platt, and Allison Nixon, in a detailed blog post, pointed out that the Wipro breach reported last month involved the abuse of many legitimate security applications. During their initial research they found that the attackers could be linked to older malicious activity from 2017, and possibly as far back as 2015, and had reused most of the infrastructure from those earlier attacks in the current ones.

The attackers used ScreenConnect on the machines they compromised within Wipro, while some of the domains used during the attack hosted Powerkatz and PowerSploit scripts, the researchers noted.


"Dozens of Wipro employees were victims of phishing attacks, and the threat actors gained access to more than 100 Wipro computer systems," the researchers said in the blog post. "The ultimate aim of the group behind the Wipro attack appears to be gift-card fraud."


The Flashpoint researchers also underlined that their analysis of the indicators of compromise (IOCs) showed half a dozen of the malicious domains hosting templates consistent with credential phishing attempts. Those templates are claimed to have helped the attackers access encrypted email by exploiting the usernames and passwords harvested from the affected machines.

Wipro hasn't yet divulged the technologies behind the phishing campaign. However, while investigating the campaigns internally, the Flashpoint analysts found evidence of attempts to spread malware called Imminent Monitor. The analysts also spotted a Word document containing a message and an attachment whose naming structure matched a campaign from 2017.


"The document contained a URL that redirected to a file hosted at flexmail[.]tv, which appeared to have been used multiple times to deliver documents and payloads in other campaigns," the researchers explained. "The email header, meanwhile, revealed an IP address, 123.242.230[.]14, that showed multiple malware samples communicating to it that were identified as the Netwire remote access Trojan."
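The two defanged indicators quoted above (flexmail[.]tv and 123.242.230[.]14) are the kind of thing a defender would immediately want to sweep their own mail, DNS and proxy logs for. The following is an added, defender-side example and is not code from the article or from Flashpoint: it refangs the published indicators, classifies each as an IP or a domain, and matches them against a handful of constructed log lines. The log format, the internal client addresses and every hostname other than the two page indicators are assumptions made up for the example.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Indicators quoted in the article, in the defanged "[.]" form the researchers published.
PAGE_IOCS = ["flexmail[.]tv", "123.242.230[.]14"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "(.)", "[dot]") back into its plain form."""
    value = indicator.strip().lower()
    for token in ("[.]", "(.)", "[dot]"):
        value = value.replace(token, ".")
    return value


def classify(indicator: str) -> Tuple[str, str]:
    """Return (kind, value) with kind 'ip' or 'domain' for a defanged indicator."""
    value = refang(indicator)
    try:
        ipaddress.ip_address(value)
        return "ip", value
    except ValueError:
        return "domain", value


# Constructed sample log lines (not from the article): a mail gateway event, two DNS
# queries and two proxy requests. Only some of them touch the page's indicators.
SAMPLE_LOGS = [
    '2019-04-02T10:12:03Z mailgw: received from=<partner@example.org> src_ip=123.242.230.14 subject="Invoice"',
    "2019-04-02T10:12:09Z dns: client=10.0.5.21 query=cdn.flexmail.tv type=A",
    "2019-04-02T10:13:44Z proxy: client=10.0.5.21 url=http://flexmail.tv/dl/doc.bin status=200",
    "2019-04-02T10:14:00Z dns: client=10.0.5.22 query=notflexmail.tv type=A",
    "2019-04-02T10:15:30Z proxy: client=10.0.5.23 url=https://update.example.com/ status=200",
]

# Hostname-like tokens (anything with at least one dot, bounded by non-name characters).
DOMAIN_RE = re.compile(r"(?<![\w.-])([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?![\w-])")
# Dotted-quad tokens, bounded so that "10.0.5.210" does not match an IOC of "10.0.5.21".
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def matches_domain(hostname: str, ioc_domain: str) -> bool:
    """True if hostname is the IOC domain itself or a subdomain of it.

    The suffix check is anchored on a leading dot so that a look-alike such as
    "notflexmail.tv" is not reported as a hit for "flexmail.tv".
    """
    return hostname == ioc_domain or hostname.endswith("." + ioc_domain)


def scan_logs(lines: List[str], iocs: List[str] = PAGE_IOCS) -> Dict[str, List[str]]:
    """Map each refanged IOC to the log lines that reference it."""
    wanted = [classify(ioc) for ioc in iocs]
    hits: Dict[str, List[str]] = {value: [] for _, value in wanted}
    for line in lines:
        lowered = line.lower()
        hosts = DOMAIN_RE.findall(lowered)
        ips = IP_RE.findall(lowered)
        for kind, value in wanted:
            if kind == "ip" and value in ips:
                hits[value].append(line)
            elif kind == "domain" and any(matches_domain(h, value) for h in hosts):
                hits[value].append(line)
    return hits


if __name__ == "__main__":
    for ioc, lines in scan_logs(SAMPLE_LOGS).items():
        print(f"{ioc}: {len(lines)} hit(s)")
        for entry in lines:
            print("   ", entry)
```

Two details matter in practice: the domain match must be anchored on a dot boundary, otherwise any registered look-alike that ends in the indicator string produces false positives, and the IP regex must be bounded so that a longer address sharing a prefix is not reported. Real deployments would read the indicators from a feed rather than a literal list and the log lines from the SIEM, but the matching logic is the same.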

In an email interview with Threatpost, Reaves and Platt said that the main takeaway was that the actors behind the Wipro breach were not new and had been operating under the radar for some time -- much longer, in fact, than the recent events of 2018-2019 suggest. The researchers also claimed that their research suggested the attack wasn't particularly "advanced", contrary to what Wipro said in its public release last month, since the actors involved apparently had a "strong understanding of corporate relationships and environments" and "considerable" attack infrastructure at their disposal.


KrebsOnSecurity in its blog post last month had said the systems at Wipro were being used to target at least a dozen customer systems. "We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign," Wipro had said in an emailed statement to the media while publicly announcing the attack.
