How Not to Acknowledge a Data Breach – Krebs on Security


I'm not a big fan of stories about stories, or of those that explore the ins and outs of reporting a breach. But occasionally I feel obligated to publish such accounts when companies respond to a breach report in a way that makes it crystal clear they wouldn't know what to do with a data breach if it bit them on the nose, let alone festered unmolested in some dark corner of their operations.

And yet here I am again, writing the second story this week about a possibly serious security breach at an Indian company that provides IT support and outsourcing to a ridiculous number of large U.S. corporations (spoiler alert: the second half of this story actually contains quite a bit of news about the breach investigation).

On Monday, KrebsOnSecurity broke the news that multiple sources were reporting a cybersecurity breach at Wipro, India's third-largest IT services provider and a major trusted vendor of IT outsourcing to U.S. companies. The story cited reports from several anonymous sources who said Wipro's trusted networks and systems were being used to launch cyberattacks against the company's customers.

Wipro asked for several days to investigate the request and formulate a public comment. Three days after I reached out, the quote I finally received from them did not acknowledge any of the concerns raised by my sources. Nor did the statement even acknowledge a security incident.

Six hours after my story ran saying Wipro was in the midst of responding to a breach, the company was quoted in an Indian daily newspaper acknowledging a phishing incident. The company's statement claimed that its sophisticated systems had detected the breach internally and identified the affected employees, and that it had hired an outside digital forensics firm to investigate further.

Less than 24 hours after my story was published, Wipro executives were asked on a quarterly conference call with investors to respond to my reporting. Wipro Chief Operating Officer Bhanu Ballapuram told investors that many of the details in my story were in error, and implied that the breach was limited to a few employees who had been phished. The matter was characterized as a non-event, and the other journalists on the call moved on to different topics.

At that point, I added myself to the queue of questioners on the earnings call and had the opportunity to ask the Wipro executives which parts of my story were inaccurate. A Wipro executive then began reading pieces of a written statement about the company's response to the incident, and the chief operating officer agreed to a one-on-one call with KrebsOnSecurity to address the stated grievances about my story. Security reporter Graham Cluley was kind enough to record that bit of the call and post it on Twitter.

In the follow-up call with Wipro, Ballapuram took issue with my characterization that the breach had lasted "months," saying it had only been a matter of weeks since company employees were successfully phished by the attackers. So I asked when the company believed the phishing attacks began, and Ballapuram said he could not confirm the approximate start date of the attacks beyond "weeks."

Ballapuram also claimed that his corporation was hit by a "zero-day" attack. Actual zero-day vulnerabilities are somewhat infrequent and quite dangerous weaknesses in software and/or hardware that not even the maker of the product in question knows about before the vulnerability is discovered and exploited by attackers for private gain.

Because zero-day flaws usually involve widely used software, it is generally considered good form for anyone who experiences such an attack to share whatever details are available with the rest of the world about how the attack appears to work, in much the same way you might hope a sick patient suffering from some unknown and highly infectious disease would nonetheless choose to help doctors work out how the infection was caught and spread.

Wipro has so far ignored specific questions about the supposed zero-day, other than to say that "based on our interim investigation, we have shared the relevant zero-day information with our AV [antivirus] provider and they have released the necessary signatures for us."

My guess is that what Wipro means by "zero-day" is a malicious e-mail attachment that went undetected by all commercial antivirus tools before it infected Wipro employee systems with malware.

Ballapuram added that Wipro has gathered and disseminated to affected clients a set of "indicators of compromise" (IoCs): telltale clues about the tactics, tools and procedures used by the attackers that might signify an attempted or successful intrusion.

Hours after the call with Ballapuram, I heard from a large U.S. company that is a Wipro customer (at least for now). The source said his employer opted to cut off all online access for Wipro employees within days of discovering that those Wipro accounts were being used to target his company's operations.

The source said that the indicators of compromise Wipro shared with its customers came from a Wipro customer that had been targeted by the attackers, but that Wipro was sending the indicators to customers as if they were something Wipro's security team had put together on its own.

So let's recap Wipro's public response so far:

– Ignore the reporter's questions for days, then pick nits in his story during a conference call with public investors.
– Question the stated date of the breach, but refuse to provide an alternative timeline.
– Downplay the severity of the incident and characterize it as handled, even though you have only just hired an outside forensics firm.
– Say that the intruders carried out a "zero-day attack," then refuse to discuss any details of said zero-day.
– Claim that the IoCs you are sharing with affected customers were discovered by you when they were not.

What did the bad guys do?

The criminals responsible for the Wipro breach appear to be after anything they can turn into cash quickly. A source I spoke with at a large retailer and Wipro customer said the crooks who broke into Wipro used their access to perpetrate gift card fraud at the retailer's stores.

I suppose that is something of a silver lining for Wipro, if not also for its customers: an intruder more focused on extracting intellectual property or other strategic assets from Wipro's customers would likely have gone undetected for a much longer period.

A source close to the investigation, who asked not to be identified because she was not authorized to speak to the press, said the company hired by Wipro to investigate the breach dated the first phishing attacks to March 11, when a single employee was phished.

The source said that a subsequent phishing campaign between March 16 and 19 netted 22 additional Wipro employees, and that the vendor investigating the incident has so far discovered more than 100 Wipro endpoints that were seeded with ScreenConnect, a commercially sold remote access tool. Investigators believe the attackers were using the ScreenConnect software on the hacked Wipro systems to connect remotely to Wipro client systems, which were then used to leverage further access into Wipro customer networks.

In addition, investigators found that at least one of the compromised endpoints had been attacked with Mimikatz, an open source tool that can dump passwords stored in the temporary memory of a Microsoft Windows computer.

The source also said the vendor is still discovering newly hacked systems, suggesting that Wipro's systems remain compromised and that additional hacked endpoints may still be unknown within Wipro.
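The chain described above (phished workstations seeded with a remote access tool, then a Mimikatz-style read of LSASS memory) and the indicators of compromise Wipro passed to customers both lend themselves to a simple endpoint triage pass. The script below is an added illustration of that, not code from Wipro, its customers or the forensics vendor: it walks Sysmon-style process-create, process-access and DNS events, flags ScreenConnect running on hosts where it is not approved, flags non-allowlisted processes reading lsass.exe, and matches file hashes and DNS queries against an IoC list. The log events, host names, allowlists, binary names and IoC values are all constructed placeholders, and the real Wipro IoCs are not reproduced here.

```python
"""Endpoint triage sketch for the pattern described in the article.
Added example; all events, hosts, allowlists and IoC values are constructed."""
from collections import defaultdict

# Constructed IoC list in the shape a customer might receive from a partner.
# These are placeholders, not the IoCs distributed about the Wipro incident.
IOC_SHA256 = {"c" * 64}
IOC_DOMAINS = {"placeholder-c2.example"}

# Assumed allowlist: hosts where the remote access tool is legitimately deployed.
APPROVED_RAT_HOSTS = {"helpdesk-01"}
# Typical ScreenConnect client binary names (assumption; verify against your deployment).
RAT_BINARIES = ("screenconnect.clientservice.exe", "screenconnect.windowsclient.exe")
# Assumed allowlist of processes expected to read LSASS memory (e.g. the AV engine).
LSASS_READERS_OK = ("msmpeng.exe",)
PROCESS_VM_READ = 0x0010  # access right a credential dumper needs on lsass.exe


def sha(ch):
    """Build a constructed SHA256 field value for the sample events."""
    return "SHA256=" + ch * 64


# Constructed Sysmon-style events: EventID 1 = process create,
# 10 = process access, 22 = DNS query.
SAMPLE_EVENTS = [
    # Approved ScreenConnect use on the help desk host: no alert expected.
    {"EventID": 1, "Computer": "helpdesk-01", "User": r"CORP\svc_helpdesk",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "Hashes": sha("a")},
    # Same tool appearing in a user's Temp folder on an ordinary workstation.
    {"EventID": 1, "Computer": "wks-0042", "User": r"CORP\jdoe",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientService.exe",
     "Hashes": sha("b")},
    # A dropped binary whose hash is on the (constructed) IoC list.
    {"EventID": 1, "Computer": "wks-0042", "User": r"CORP\jdoe",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe", "Hashes": sha("c")},
    # The AV engine reading lsass.exe: allowlisted, no alert expected.
    {"EventID": 10, "Computer": "wks-0042",
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # An unknown binary reading lsass.exe memory: the Mimikatz-style signal.
    {"EventID": 10, "Computer": "wks-0042",
     "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # DNS lookup of a domain on the IoC list, and one benign lookup.
    {"EventID": 22, "Computer": "wks-0042", "QueryName": "placeholder-c2.example"},
    {"EventID": 22, "Computer": "wks-0017", "QueryName": "updates.example.com"},
]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def sha256_of(event):
    """Extract the SHA256 digest from a Sysmon 'Hashes' field, if present."""
    for part in event.get("Hashes", "").split(","):
        if part.upper().startswith("SHA256="):
            return part.split("=", 1)[1].lower()
    return None


def check_event(event):
    """Return (rule, detail) findings for a single event."""
    findings = []
    eid, host = event.get("EventID"), event.get("Computer", "?")
    if eid == 1:
        image = basename(event.get("Image", ""))
        if image in RAT_BINARIES and host not in APPROVED_RAT_HOSTS:
            findings.append(("unexpected_remote_access_tool",
                             f"{image} on {host} as {event.get('User')}"))
        if sha256_of(event) in IOC_SHA256:
            findings.append(("ioc_hash_match", f"{event.get('Image')} on {host}"))
    elif eid == 10:
        source = basename(event.get("SourceImage", ""))
        target = basename(event.get("TargetImage", ""))
        access = int(event.get("GrantedAccess", "0x0"), 16)
        if target == "lsass.exe" and access & PROCESS_VM_READ and source not in LSASS_READERS_OK:
            findings.append(("lsass_memory_read", f"{source} read lsass.exe on {host}"))
    elif eid == 22:
        if event.get("QueryName", "").lower() in IOC_DOMAINS:
            findings.append(("ioc_domain_match", f"{event['QueryName']} queried from {host}"))
    return findings


def triage(events):
    """Group findings by host so responders can see which endpoints to isolate."""
    by_host = defaultdict(list)
    for event in events:
        for finding in check_event(event):
            by_host[event.get("Computer", "?")].append(finding)
    return dict(by_host)


if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS).items():
        print(host)
        for rule, detail in findings:
            print(f"  [{rule}] {detail}")
```

Run against the constructed events, only wks-0042 is reported, with four findings in the order the events arrive; the approved help desk host and the AV engine's LSASS access are filtered by the allowlists. The allowlists are what keep this useful in practice: remote access tools and LSASS reads are both legitimate on some hosts, so the question a responder wants answered is "where did this appear that it should not have," which is also why an IoC list from a partner is only a starting point rather than a complete picture.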

Wipro has yet to respond to follow-up requests for comment.

I'm sure there are intelligent, well-meaning and capable people who care about security and who happen to work at Wipro, but I'm not convinced that any of those individuals are employed in leadership roles at the company. Perhaps Wipro's actions in the wake of this incident merely reflect the reality that India currently has no laws requiring data owners or processors to notify individuals in the event of a breach.

Overall, I'm willing to chalk this entire episode up to a complete lack of training in how to deal with the news media, but if I were a Wipro customer I would be more than a little concerned about the tone-deaf nature of the company's response so far.

As one follower on Twitter remarked, "Openness and transparency speak of integrity and a willingness to learn from mistakes. Doing the exact opposite speaks volumes about something else entirely."

In the interest of openness, here are some indicators of compromise that Wipro's customers are distributing about this incident (I had to get them from one of Wipro's partners, because the company declined to share the IoCs directly with KrebsOnSecurity).

Tags: Bhanu Ballapuram, Wipro data breach

This entry was posted on Wednesday, April 17th, 2019 at 1:56 pm and is filed under A Little Sunshine, Data Breaches.