Wipro breach highlights third-party risk from large IT services providers

After outsourcing giant Wipro suffered a phishing incident, attackers used its email system to target the company’s customers. The breach demonstrates the dangers of supply chain and third party risk.

6 handling email phishing
Getty Images

IT services outsourcing giant Wipro has been breached and some of its customers have been targeted by attackers as a result. Revealed by cybersecurity journalist Brian Krebs and later confirmed by the company, the attack was what Wipro described as advanced and persistent phishing emails involving “zero-day malware”.

The breach highlights the dangers third parties present, especially consultants that touch important systems for many of the largest companies in the world. In this case, attackers used Wipro’s own systems to launch phishing attacks against its customers.

Phishing exploit made Wipro a platform to attack some customers

According to Krebs, the company’s IT systems have been compromised and are being used by the attackers to launch phishing attacks on “at least a dozen Wipro customer systems.” It is unknown if any of these customers have suffered a breach as a result. Multiple unnamed sources say Wipro customers have traced malicious activity back to systems communicating directly with Wipro’s corporate email network. Because of that compromise, Krebs also reports that Wipro is building a new private email network.

Wipro has confirmed to Reuters and others that an attack did take place but has not confirmed or denied many of the points made by Krebs. Affected customers haven’t been named, but Wipro serves a number of Fortune 500 companies.

In its earnings call this week, Wipro’s Chief Executive of Application Services and Strategic Alliances Bhanumurthy B.M. said “a few employee accounts were subjected to an advanced and persistent phishing campaign” involving a “zero-day malware attack.” Since becoming aware of the attack, the company has identified and isolated affected employee accounts, taken “remedial steps” to contain and mitigate any impact of the attack, shared antivirus signatures with partners and is in communication with “the handful of customers the affected employees engaged with.”

His comments were also released in a statement posted to Twitter. In a further statement emailed to journalists, the company says it has retained a “well-respected, independent forensic firm” to assist the investigation and is continuing to monitor its infrastructure “at a heightened level of alertness.”

Further updates from Krebs suggest that attackers used ConnectWise Control (formerly ScreenConnect), a remote access tool sold by Connectwise.com, to connect to Wipro client systems in an effort to conduct gift card fraud. Other outsourcers such as Avanade, Capgemini, Cognizant, Infosys, PCM, Rackspace and Slalom may have also been targeted in the same campaign. Avande and Capgemini confirmed employee accounts were compromised but both say there was no impact on clients. Indicators of compromise suggesting potentially malicious activity have been posted online.

Third-party risk a growing issue

Risk around third-party and supplier security is becoming an increasingly important issue. Ponemon’s Institute Cyber Risk report found that misuse or unauthorized sharing of confidential data by third parties was the second biggest security worry for 2019 among IT professionals, while Carbon Black’s most recent incident response threat report claims half of attacks are leveraging supply chains.

In the case of outsourcers, consultancies, and systems integrators such as Wipro, these third parties have knowledge of – and often access to – some of the most sensitive and mission-critical parts of the business, plus the contact details for people within organizations responsible for those systems.

“Since Wipro was being used to provide IT services, you can assume they were trusted with credentials to access a number of their client's systems and may have been maintaining their clients' databases," says Stephen Breidenbach, Privacy, cybersecurity and technology attorney at Moritt Hock & Hamroff. "This could allow for compromises of critical assets such as company databases which would not be accessible by normal employees.”

“Businesses assume too much with even small IT vendors,” Breidenbach adds. “Many believe their IT professional is also an information security professional, and this is usually wrong. Just because you are hiring a large IT vendor doesn't mean they will have the best security. It really depends on the company.”

This is not the first security incident suffered by Wipro or other major consultancies in recent years. UK broadband provider TalkTalk was fined £500,000 ($650,000) by the ICO after Wipro employees hired to handle customer complaints took the data of 21,000 customers to conduct scam phone calls designed to harvest banking details. In 2017 Deloitte suffered an attack on an email server containing details of as many as 350 clients including the U.S. departments of state, energy, homeland security and defense, as well as FIFA and numerous banks, airlines, car manufacturers, energy and pharmaceutical companies. The same year saw Accenture leave four AWS S3 storage buckets unsecured and publicly downloadable, revealing information around its Accenture Cloud Platform customers. 

Last year, Maritz Holdings, which provides reward schemes, sued Cognizant after it fell victim to a cyber-attack involving phishing emails sent from compromised Cognizant accounts shared by rogue employees. 

“The knock-on effect [of the Wipro attack] could create a significant risk for companies downstream in the supply chain,” says Cesar Cerrudo, CTO of IOActive. “Hackers appear to be using Wipro employee accounts to target their customers – by using trusted and known accounts in this way the hacker increases the likelihood that their attack will bypass security and land on the customer system. These type of attacks are incredibly difficult to defend against, as trust is essential part of any partnership.”

As well as the risk to your own systems, the likes of GDPR also have requirements around vetting the security posture of suppliers, meaning the consequences of any of leak of your data by your supply chain can still be laid at your door. With this in mind, strict vetting and ongoing management of third parties should be high on the list of priorities for any organization when dealing with outsourcers.

 “The Wipro attack highlights the growing vulnerability of modern organizations as criminals target suppliers and partners and flags why reviewing the complete supply chain is critical when addressing cyber risk,” adds Richard Hunt, managing director at risk management consultancy Turnkey Consulting. “Vendor onboarding processes should include validation that an enterprise has security provision in place that protects both themselves and a partner organization's data."

When looking at making agreements with the likes of outsourcers, system integrators, and MSPs, Breidenbach says companies must properly vet companies you plan to work with as you would any supplier, ask the appropriate questions, and make sure contracts include "appropriate clauses so that the risk is acceptable to your business."

“To protect your business, you need to make sure the agreement you have with your vendor, includes language that ensures they implement appropriate safeguards and also addresses how they will handle your data (both during and when the relationship ends),” Breidenbach advises. “Further, there are also a number of other provisions that should be considered, such as audit rights and notification requirements, and might also need to vet the vendors that the company uses to help provide their services to you. Before hiring them, you should also conduct an online search for information on your vendor and check their negative reviews for patterns.”

Copyright © 2019 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)