How Not to Acknowledge a Data Breach – Krebs on Security




I'm not a huge fan of stories about stories, or of pieces that explore the ins and outs of reporting a breach. But occasionally I feel obligated to publish such an account when a company responds to a breach report in a way that makes it crystal clear it wouldn't know what to do with a data breach if one bit it on the nose, let alone festered unnoticed in some dark corner of its operations.

And yet here I am again, writing the second story this week about a potentially serious security breach at an Indian company that provides IT support and outsourcing to a ridiculous number of major U.S. corporations (spoiler alert: the second half of this story contains quite a bit of news about the breach investigation itself).

On Monday, KrebsOnSecurity broke the news that multiple sources were reporting a cybersecurity breach at Wipro, the third-largest IT services provider in India and a major trusted vendor of IT outsourcing for U.S. companies. The story cited reports from several anonymous sources who said Wipro's trusted networks and systems were being used to launch cyberattacks against the company's own customers.

Wipro asked for several days to investigate the matter and formulate a public comment. Three days after I reached out, the quote I got back from the company did not acknowledge any of the concerns raised by my sources. The statement did not even acknowledge a security incident.

Six hours after my story ran saying Wipro was in the throes of responding to a breach, the company was quoted in an Indian daily newspaper acknowledging a phishing incident. In its statement, the company claimed that its sophisticated systems had detected the breach internally and identified the affected employees, and that it had hired an outside digital forensics firm to investigate further.

Less than 24 hours after my story ran, Wipro executives were asked to respond to my reporting during a quarterly investor conference call. Wipro Chief Operating Officer Bhanu Ballapuram told investors that many of the details in my story were in error, implying that the breach was limited to a few employees who had been phished. The matter was characterized as handled, and the other journalists on the call moved on to different topics.

At that point I added a question to the queue for the earnings call and was given the opportunity to ask Wipro's executives which parts of my story were inaccurate. A Wipro executive then read portions of a written statement about the company's response to the incident, and the chief operating officer agreed to arrange a one-on-one interview with KrebsOnSecurity to go over his objections to my story. Security reporter Graham Cluley was kind enough to record that part of the call and post it on Twitter.

In the follow-up call with Wipro, Ballapuram took issue with my characterization that the breach had lasted "months," saying it had only been a matter of weeks since the company's employees had been successfully phished by the attackers. I then asked when the company believed the phishing attacks had begun, and Ballapuram said he could not confirm an approximate start date beyond "weeks."

Ballapuram also claimed that his company had been hit by a "zero-day" attack. Actual zero-day vulnerabilities are flaws in software and/or hardware that are unknown to the maker of the product in question, with no fix available, at the time attackers begin exploiting them; they are comparatively rare, and dangerous precisely because no patch or signature exists yet.

Because zero-day flaws usually involve software that is widely used, it is generally considered good form for an organization that experiences such an attack to share whatever details it has with the rest of the world about how the attack appears to work, in much the same way one would hope a patient suffering from some unknown, highly infectious disease would nonetheless choose to help doctors work out how the infection was caught and how it spreads.

So far, Wipro has ignored specific questions about the supposed zero-day, other than to say: "Based on our interim investigation, we have shared the relevant information of the zero-day with our AV [antivirus] provider and they have released the necessary signatures for us."

My guess is that what Wipro means by "zero-day" is a malicious email attachment that went undetected by every commercial antivirus tool before it infected Wipro employee systems with malware.

Ballapuram added that Wipro had gathered and distributed to affected customers a set of "indicators of compromise" (IoCs): telltale clues about the tactics, tools and procedures used by the attackers that may signify an attempted or successful intrusion.

Hours after that call with Ballapuram, I heard from a source at a large U.S. company that partners with Wipro (at least for now). The source said his employer had decided to cut off all online access for Wipro employees within days of discovering that those Wipro accounts were being used to target his company's operations.

The source said the indicators of compromise that Wipro shared with its customers actually came from a Wipro customer that had been targeted by the attackers, but that Wipro was passing them along as if they were something Wipro's own security team had put together.

So let's recap Wipro's public response so far:

-Ignore the reporter's questions for days, then pick nits in his story during a public conference call for the benefit of investors.
-Dispute the stated timing of the breach, but refuse to provide an alternative timeline.
-Downplay the severity of the incident and characterize it as handled, even though you have only just hired an outside forensics firm.
-Say the intruders deployed a "zero-day attack," then refuse to discuss any details of that zero-day.
-Claim the IoCs you are sharing with affected customers were discovered by you when they were not.

WHAT ARE THE ATTACKERS AFTER?

The criminals responsible for the Wipro breach appear to be after anything they can turn into cash quickly. One source I spoke with at a major retailer and Wipro customer said the crooks who broke into Wipro used their access to commit gift card fraud at the retailer's stores.

I suppose that is something of a silver lining for Wipro, if not also for its customers: an intruder more focused on extracting intellectual property or other, more strategic assets from Wipro's customers would likely have gone unnoticed for much longer.

A source close to the investigation, who asked not to be identified because he was not authorized to speak to the media, said the company hired by Wipro to investigate the breach had dated the first phishing attacks to March 11, when a single employee was phished.

The source said a subsequent phishing campaign between March 16 and 19 netted an additional 22 Wipro employees, and that the vendor investigating the incident has so far discovered more than 100 Wipro endpoints seeded with ScreenConnect, a legitimate remote access tool sold by Connectwise.com. Investigators believe the intruders used the ScreenConnect software on the hacked Wipro systems to connect remotely to Wipro customer systems, which were then used to gain further access into those customers' networks.

In addition, investigators found that at least one of the compromised endpoints had been attacked with Mimikatz, an open source tool that can dump passwords stored in the memory of a Microsoft Windows computer (specifically, the credential material cached by the LSASS process).

The source also said the vendor was still discovering newly hacked systems, suggesting that Wipro's systems remain compromised and that additional hacked endpoints within Wipro may still be undiscovered.
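The two behaviors in the investigators' account, a ScreenConnect client turning up on ordinary workstations and a non-system process reading LSASS memory the way Mimikatz does, are both things a Wipro customer could hunt for in its own endpoint telemetry. What follows is an added example, not code from this article, from Wipro or from the forensics vendor: it runs two checks over a handful of constructed log lines shaped like Sysmon process-create (Event ID 1) and process-access (Event ID 10) events. The host allow-list, the set of processes permitted to open LSASS, and the host and user names in the sample are all hypothetical and would be replaced by a site's own baseline.

```python
import re
from typing import Dict, List, Optional

# Hosts on which a ScreenConnect client is expected to run (hypothetical allow-list).
SCREENCONNECT_ALLOWED_HOSTS = {"HELPDESK-01", "HELPDESK-02"}

# Built-in processes that routinely open LSASS on a stock Windows build. Anything
# else reading LSASS memory deserves a look (hypothetical baseline; tune per site).
LSASS_READERS_ALLOWED = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}

PROCESS_VM_READ = 0x0010  # the access right a credential dumper must hold on lsass.exe
SCREENCONNECT_RE = re.compile(r"screenconnect", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'Key=Value|Key=Value' log line (constructed shape) into a dict."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_screenconnect(ev: Dict[str, str]) -> Optional[str]:
    """Flag a ScreenConnect client launched on a host that is not on the allow-list."""
    if ev.get("EventID") != "1":
        return None
    image, cmdline = ev.get("Image", ""), ev.get("CommandLine", "")
    if not (SCREENCONNECT_RE.search(image) or SCREENCONNECT_RE.search(cmdline)):
        return None
    host = ev.get("Host", "").upper()
    if host in SCREENCONNECT_ALLOWED_HOSTS:
        return None
    return f"{host}: ScreenConnect client started outside the allow-list ({image}) as {ev.get('User', '?')}"


def check_lsass_access(ev: Dict[str, str]) -> Optional[str]:
    """Flag a non-baseline process opening lsass.exe with PROCESS_VM_READ."""
    if ev.get("EventID") != "10":
        return None
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    source = ev.get("SourceImage", "").lower()
    if source in LSASS_READERS_ALLOWED:
        return None
    try:
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
    except ValueError:
        return None
    if not granted & PROCESS_VM_READ:
        return None  # a handle without read access cannot dump credentials
    return f"{ev.get('Host', '?')}: {source} opened lsass.exe with PROCESS_VM_READ (GrantedAccess=0x{granted:x})"


def hunt(lines: List[str]) -> List[str]:
    """Run both checks over the log lines and return the findings in order."""
    findings: List[str] = []
    for line in lines:
        ev = parse_event(line)
        for check in (check_screenconnect, check_lsass_access):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry, not real Wipro data.
SAMPLE_LOG = [
    r"EventID=1|Host=HELPDESK-01|User=CORP\hd.tech|Image=C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
    r"EventID=1|Host=WKS-0311|User=CORP\j.doe|Image=C:\Users\j.doe\AppData\Local\Temp\ScreenConnect.ClientSetup.exe|CommandLine=ScreenConnect.ClientSetup.exe /silent",
    r"EventID=10|Host=WKS-0311|SourceImage=C:\Windows\System32\svchost.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1410",
    r"EventID=10|Host=WKS-0311|SourceImage=C:\Users\j.doe\AppData\Local\Temp\svc.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1010",
    r"EventID=10|Host=WKS-0316|SourceImage=C:\Windows\System32\Taskmgr.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1000",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Two design points are worth noting. ScreenConnect is a legitimate product and announces itself in its file and process names, so the signal is not what the binary is but where it runs; an allow-list of hosts (or of the help-desk users expected to launch it) is the whole detection. For Mimikatz, the `sekurlsa` module has to read LSASS memory, so the `GrantedAccess` mask on the Sysmon process-access event always carries the `PROCESS_VM_READ` bit (0x0010); matching that bit, rather than a fixed mask such as 0x1010 or 0x1410 that differs between tool versions, together with a baseline of legitimate readers, keeps the hunt from drowning in `svchost.exe` noise. The sample deliberately includes an `svchost.exe` read that the baseline suppresses and a Task Manager handle without read access that the bit test suppresses.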

Wipro has not yet responded to follow-up requests for comment.

I have no doubt there are smart, well-meaning and capable people who care about security and work at Wipro, but I'm not convinced that any of them hold leadership positions at the company. Perhaps Wipro's actions in the wake of this incident merely reflect the reality that India currently has no law requiring data owners or processors to notify individuals in the event of a breach.

Overall, I'm willing to chalk this entire episode up to a complete lack of training in how to deal with the news media, but if I were a Wipro customer I would be more than a little concerned about the tone-deaf nature of the company's response so far.

As one follower on Twitter remarked: "Openness and transparency speak of integrity and a willingness to learn from mistakes. Doing the exact opposite says something quite different."

In the interest of transparency, here are some indicators of compromise that Wipro customers are distributing about this incident (I had to obtain them from one of Wipro's partners, as the company declined to share the IoCs directly with KrebsOnSecurity).



Tags: Bhanu Ballapuram, Wipro data breach

This entry was posted on Wednesday, April 17th, 2019 at 1:56 pm and is filed under A Little Sunshine, Data Breaches.
