The adversaries have the hallmarks of an advanced, organized group, with well-established infrastructure.
New details are emerging in the April attack on systems consulting behemoth Wipro, which saw its network hacked and used for mounting attacks on a dozen of its customers. In a fresh analysis of the indicators of compromise (IOCs), Flashpoint analysts said that the cyberattackers have actually been operating in the shadows for some time – and that the Wipro incident is only its latest effort.
Researchers also uncovered that the adversaries used a range of legitimate security applications during the campaign, and that the threat group appears to have been looking to carry out mass gift card fraud.
In the attack, the adversaries appeared to compromise the company’s email server via a successful phishing attempt, before pivoting to reach out to partner networks. The company represents a target-rich environment for this kind of supply-chain attack: It works with tens of thousands of companies, including Fortune 500 clients, on technology outsourcing projects around the globe (last year passing $8 billion in annual run rate).
“We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign,” the company said in a media statement at the time. “Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact.”
Flashpoint researchers Jason Reaves, Joshua Platt and Allison Nixon, in the analysis posted on Wednesday, found evidence linking the threat gang behind the Wipro incident to malicious activity dating back to 2017, and possibly 2015. For instance, the attackers were planting Imminent Monitor, a remote administration tool, on victim machines.
“Flashpoint was able to pivot off the file name and locate other campaigns associated with the activity, in particular, a hash which led to a Word document containing a message and attachment matching the naming structure of a campaign in 2017,” the researchers explained.
That document, they said, contained a URL that redirected to a file hosted at a URL that has been a fixture in other campaigns (flexmail[.]tv).
“The main takeaway is the actors behind the Wipro breach are not new and have been operating under the radar for some time—much longer, in fact, than the 2019-2018 recent events suggest,” Reaves and Platt told Threatpost in an email interview.
The group also shows hallmarks of being on the advanced side, as the ability to infiltrate a massive corporation would suggest.
“In Wipro’s public release, the company mentioned an advanced phishing attack,” the researchers told Threatpost. “While our research does not suggest the attack was particularly advanced, the actors involved do appear to have a strong understanding of corporate relationships and environments as well as considerable attack infrastructure. They show a degree of sophistication that is more commonly seen among organized groups.”
The team said that the attackers abused numerous legitimate tools in the campaign, including ScreenConnect, a remote access tool used for IT support engagements and remote meetings; Powerkatz, a PowerShell version of the Mimikatz tool that can search memory for credentials, tokens and other authentication artifacts; and Powersploit, a collection of PowerShell modules used during penetration testing.
“The phishing templates used to ensnare victims inside Wipro match those provided by a security awareness training provider,” the researchers wrote. “The attackers also dropped ScreenConnect on the machines it compromised inside Wipro, and some of the domains used in the attack were hosting Powerkatz and Powersploit scripts.”
The email header, meanwhile, revealed an IP address, 123.242.230[.]14, with which multiple malware samples identified as the Netwire remote access trojan (RAT) had been observed communicating.
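The pivot described above, from a Received: header to a known-bad relay, is the kind of check a mail-security or SOC team can automate. The following is an added example, not code from the Threatpost article or from Flashpoint's analysis: it takes the two defanged indicators the article quotes (the relay IP and the flexmail[.]tv domain), refangs them, and scans a message's Received: hops and body for matches. The email itself is constructed for the demonstration, using RFC 5737 documentation addresses and example.com/example.net names for everything except the quoted IOCs.

```python
"""Added defender example (not from the Threatpost article or Flashpoint):
scan an email for the indicators the article quotes. The indicator list
holds the defanged values from the article; the message is constructed."""
import re
from email import message_from_string

# Defanged indicators quoted in the article.
DEFANGED_IOCS = ["123.242.230[.]14", "flexmail[.]tv"]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Convert defanged notation ('[.]', 'hxxp') back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOC_SET = {refang(i) for i in DEFANGED_IOCS}


def received_ips(raw_message: str) -> list:
    """IPv4 addresses found in each Received: header, newest hop first."""
    msg = message_from_string(raw_message)
    return [IPV4_RE.findall(hop) for hop in msg.get_all("Received", [])]


def originating_ip(raw_message: str):
    """IP recorded in the earliest Received: hop (the last one listed), i.e.
    the relay that first handed the message into the chain, or None."""
    for ips in reversed(received_ips(raw_message)):
        if ips:
            return ips[0]
    return None


def body_domains(raw_message: str) -> set:
    """Domains mentioned in a non-multipart text body (lower-cased)."""
    msg = message_from_string(raw_message)
    body = "" if msg.is_multipart() else msg.get_payload()
    return {d.lower() for d in DOMAIN_RE.findall(body)}


def match_iocs(raw_message: str) -> list:
    """Sorted list of listed IOCs that appear in the message's hops or body."""
    found = {ip for ips in received_ips(raw_message) for ip in ips}
    found |= body_domains(raw_message)
    return sorted(found & IOC_SET)


# Constructed sample (not a real capture) mimicking the credential-phishing
# lure the article describes, relayed through the IP the article quotes.
SAMPLE_EMAIL = """\
Received: from mail.example.net (mail.example.net [203.0.113.7])
    by mx.example.com with ESMTP; Mon, 15 Apr 2019 09:12:01 +0000
Received: from [123.242.230.14] (unknown [123.242.230.14])
    by mail.example.net with SMTP; Mon, 15 Apr 2019 09:11:58 +0000
From: "IT Helpdesk" <helpdesk@example.net>
To: employee@example.com
Subject: Encrypted message waiting
Content-Type: text/plain

Please sign in with your Windows username and password to read
your encrypted mail: http://flexmail.tv/secure/login
"""

if __name__ == "__main__":
    print("originating IP:", originating_ip(SAMPLE_EMAIL))
    print("matched IOCs:", match_iocs(SAMPLE_EMAIL))
```

Received: headers are prepended by each relay, so the last one in the message is the earliest hop; that is the address worth comparing against a threat-intel list, since the upper hops belong to your own or your provider's mail servers. Extend `DEFANGED_IOCS` with indicators from your own feeds; the defanged form keeps the list safe to paste into tickets and reports.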
“The attackers are familiar with pen-testing tools and are likely targeting specific pieces of infrastructure within corporate environments,” Reaves and Platt told Threatpost. “Once they are able to acquire access, they know what tasks they are trying to accomplish – when the phishing emails go out, they already have an end goal.”
Meanwhile, fraud seems to have been the ultimate goal, rather than corporate espionage; in looking at the phishing domains, the analysts found them to be hosting templates consistent with credential phishing attempts.
“The templates sought victims’ Windows usernames and passwords in order to allegedly access encrypted email,” according to the researchers. “The threat actors targeted the credentials of victims—in various industries—likely in order to gain access to the portals managing their gift card and rewards programs.”
Reaves and Platt told Threatpost that the event underscores the security implications of third-party relationships.
“While most organizations seek out various types of third-party support in order to gain access to certain resources, cut costs, and/or boost efficiency, among other reasons, it’s important to consider that third parties can also increase the vectors and/or footprint through which a potential attack could transpire,” they noted. “If an organization chooses to work with a third-party vendor with insufficient security practices or capabilities, it will face the risk of being impacted by that vendor’s security posture.”