Security Week 17: Supply Chain Attacks
In early April, we discussed the ShadowHammer attack on Asus laptops as an example of a malware campaign using a supply chain. Attacks on the supply chain are of particular interest to researchers and a particular danger to business precisely because they compromise trusted communication channels. Buying a computer that is already infected somehow, hacking a subcontractor with access to the client’s corporate resources, distributing an infected version of the software from an official developer’s site are typical examples of attacks on a supplier chain.
The problem may be even more serious when the victim is a company that provides you with remote IT infrastructure services or provides services for software development and implementation of IT systems. Outsourcing these tasks to third parties is a common practice. Last week, it became known about the attack on the Indian company Wipro, a major provider of IT services. First, the independent journalist Brian Krebs wrote about the compromise of the Wipro corporate network, and then the information was confirmed in the company itself ( news , article by Brian).
Wipro is a very large provider of IT services with a turnover of $ 8 billion a year and tens of thousands of customers around the world, including reputable companies and government agencies. The number of employees exceeds 170 thousand. Examples of projects mentioned in the media: implementing an ERP system, updating the infrastructure for processing medical insurance policies, implementing customer support systems. Complex projects of this level require wide access for company representatives to the corporate network of customers.
What reliably happened in the company in March 2019 is unknown: journalist Brian Krebs is based on anonymous sources on the side of Wipro customers, and the company itself does not disclose details in its statements. Except for one: phishing became the initial method of penetrating the company’s corporate network. Allegedly, the attackers managed to gain access to the computer of one of the company's employees, which was then used to attack other employees. The legitimate software ScreenConnect was used for remote control of end devices - according to a source who participated in the investigation, it was found on hundreds of computers that had access both to the Wipro internal network and to the infrastructure of the company's customers.
But this is according to "anonymous" sources. Officially, in a commentary to the India Times, Wipro representatives only acknowledged the success of the phishing attack and announced the hiring of independent experts to conduct the investigation. Later, during negotiations with investors (according to Krebs), a company representative described the incident as a “zero-day attack”.
Krebs sources hint that there was nothing complicated in this attack. Quickly (in several weeks) it was tracked due to the fact that the attackers began to use the newly obtained access to the company's infrastructure for fraud with gift cards of retail chains. People with serious intentions, not exchanging for such trifles, could remain undetected much longer.
At least in a public field, Wipro’s reaction to the incident was, to put it mildly, not ideal: they didn’t recognize the problem for a long time, they didn’t provide details of the attack, they made opposite statements (phishing, then ziro-dei). The maximum possible transparency in the disclosure of information about cyber incidents becomes not only the ethical norm for business, but also gradually turns into a legislative requirement in many countries. One way or another, at least one client of the company chose to block access to their own IT systems to all Wipro employees until the investigation is completed. The Indian organization itself is working on introducing more secure corporate email.
For supply chain attacks, a detailed description of the attack and a sober assessment of the damage done are especially important. Not for the media to write about it - it is important for the clients of the affected company to understand what happened and what steps should be taken to protect themselves. A recent study shows that in about half the cases, attackers try to use the hacked infrastructure of one company to attack other organizations.
To protect against such attacks, it is worth re-evaluating the degree of trust in third-party service companies. A case in point is the incident with Microsoft's email services last week ( news) The company proactively sent out recommendations to change the password of some users of the Outloook, Hotmail and MSN email services. As it turned out, the attackers hacked the account of one of the counterparties that provide user technical support services. Such counterparties do not have access to mailbox passwords, but they can view some of the content - message topics, respondent addresses, lists of mail folders. In some cases, according to the Motherboard website, attackers could gain access to the contents of letters. Although the attackers' access was blocked, it is impossible to assess how much data was in their hands and how it will be used in the future.
Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. Dear editors generally recommend treating any opinions with healthy skepticism.
The problem may be even more serious when the victim is a company that provides you with remote IT infrastructure services or provides services for software development and implementation of IT systems. Outsourcing these tasks to third parties is a common practice. Last week, it became known about the attack on the Indian company Wipro, a major provider of IT services. First, the independent journalist Brian Krebs wrote about the compromise of the Wipro corporate network, and then the information was confirmed in the company itself ( news , article by Brian).
Wipro is a very large provider of IT services with a turnover of $ 8 billion a year and tens of thousands of customers around the world, including reputable companies and government agencies. The number of employees exceeds 170 thousand. Examples of projects mentioned in the media: implementing an ERP system, updating the infrastructure for processing medical insurance policies, implementing customer support systems. Complex projects of this level require wide access for company representatives to the corporate network of customers.
What reliably happened in the company in March 2019 is unknown: journalist Brian Krebs is based on anonymous sources on the side of Wipro customers, and the company itself does not disclose details in its statements. Except for one: phishing became the initial method of penetrating the company’s corporate network. Allegedly, the attackers managed to gain access to the computer of one of the company's employees, which was then used to attack other employees. The legitimate software ScreenConnect was used for remote control of end devices - according to a source who participated in the investigation, it was found on hundreds of computers that had access both to the Wipro internal network and to the infrastructure of the company's customers.
But this is according to "anonymous" sources. Officially, in a commentary to the India Times, Wipro representatives only acknowledged the success of the phishing attack and announced the hiring of independent experts to conduct the investigation. Later, during negotiations with investors (according to Krebs), a company representative described the incident as a “zero-day attack”.
Krebs sources hint that there was nothing complicated in this attack. Quickly (in several weeks) it was tracked due to the fact that the attackers began to use the newly obtained access to the company's infrastructure for fraud with gift cards of retail chains. People with serious intentions, not exchanging for such trifles, could remain undetected much longer.
At least in a public field, Wipro’s reaction to the incident was, to put it mildly, not ideal: they didn’t recognize the problem for a long time, they didn’t provide details of the attack, they made opposite statements (phishing, then ziro-dei). The maximum possible transparency in the disclosure of information about cyber incidents becomes not only the ethical norm for business, but also gradually turns into a legislative requirement in many countries. One way or another, at least one client of the company chose to block access to their own IT systems to all Wipro employees until the investigation is completed. The Indian organization itself is working on introducing more secure corporate email.
For supply chain attacks, a detailed description of the attack and a sober assessment of the damage done are especially important. Not for the media to write about it - it is important for the clients of the affected company to understand what happened and what steps should be taken to protect themselves. A recent study shows that in about half the cases, attackers try to use the hacked infrastructure of one company to attack other organizations.
To protect against such attacks, it is worth re-evaluating the degree of trust in third-party service companies. A case in point is the incident with Microsoft's email services last week ( news) The company proactively sent out recommendations to change the password of some users of the Outloook, Hotmail and MSN email services. As it turned out, the attackers hacked the account of one of the counterparties that provide user technical support services. Such counterparties do not have access to mailbox passwords, but they can view some of the content - message topics, respondent addresses, lists of mail folders. In some cases, according to the Motherboard website, attackers could gain access to the contents of letters. Although the attackers' access was blocked, it is impossible to assess how much data was in their hands and how it will be used in the future.
Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. Dear editors generally recommend treating any opinions with healthy skepticism.