17 Apr 19

How Not to Acknowledge a Data Breach

I’m not a huge fan of stories about stories, or those that explore the ins and outs of reporting a breach. But occasionally I feel obligated to publish such accounts when companies respond to a breach report in such a way that it’s crystal clear they wouldn’t know what to do with a data breach if it bit them in the nose, let alone festered unmolested in some dark corner of their operations.

And yet, here I am again writing the second story this week about a possibly serious security breach at an Indian company that provides IT support and outsourcing for a ridiculous number of major U.S. corporations (spoiler alert: the second half of this story actually contains quite a bit of news about the breach investigation).

On Monday, KrebsOnSecurity broke the news that multiple sources were reporting a cybersecurity breach at Wipro, the third-largest IT services provider in India and a major trusted vendor of IT outsourcing for U.S. companies. The story cited reports from multiple anonymous sources who said Wipro’s trusted networks and systems were being used to launch cyberattacks against the company’s customers.

Wipro asked me to give them several days to investigate the request and formulate a public comment. Three days after I reached out, the quote I ultimately got from them didn’t acknowledge any of the concerns raised by my sources. Nor did the statement even acknowledge a security incident.

Six hours after my story ran saying Wipro was in the throes of responding to a breach, the company was quoted in an Indian daily newspaper acknowledging a phishing incident. The company’s statement claimed its sophisticated systems detected the breach internally and identified the affected employees, and that it had hired an outside digital forensics firm to investigate further.

Less than 24 hours after my story ran, Wipro executives were asked on a quarterly investor conference call to respond to my reporting. Wipro Chief Operating Officer Bhanu Ballapuram told investors that many of the details in my story were in error, and implied that the breach was limited to a few employees who got phished. The matter was characterized as handled, and other journalists on the call moved on to different topics.

At this point, I added a question to the queue on the earnings conference call and was afforded the opportunity to ask Wipro’s executives what portion(s) of my story was inaccurate. A Wipro executive then proceeded to read bits of a written statement about their response to the incident, and the company’s chief operating officer agreed to have a one-on-one call with KrebsOnSecurity to address the stated grievances about my story. Security reporter Graham Cluley was kind enough to record that bit of the call and post it on Twitter.

In the follow-up call with Wipro, Ballapuram took issue with my characterization that the breach had lasted “months,” saying it had only been a matter of weeks since employees at the company had been successfully phished by the attackers. I then asked when the company believed the phishing attacks began, and Ballapuram said he could not confirm the approximate start date of the attacks beyond “weeks.”

Ballapuram also claimed that his corporation was hit by a “zero-day” attack. Actual zero-day vulnerabilities involve somewhat infrequent and quite dangerous weaknesses in software and/or hardware that not even the maker of the product in question understands before the vulnerability is discovered and exploited by attackers for private gain.

Because zero-day flaws usually refer to software that is widely in use, it’s generally considered good form if one experiences such an attack to share any available details with the rest of the world about how the attack appears to work — in much the same way you might hope a sick patient suffering from some unknown, highly infectious disease might nonetheless choose to help doctors diagnose how the infection could have been caught and spread.

Wipro has so far ignored specific questions about the supposed zero-day, other than to say “based on our interim investigation, we have shared the relevant information of the zero-day with our AV [antivirus] provider and they have released the necessary signatures for us.”

My guess is that what Wipro means by “zero-day” is a malicious email attachment that went undetected by all commercial antivirus tools before it infected Wipro employee systems with malware.

Ballapuram added that Wipro has gathered and disseminated to affected clients a set of “indicators of compromise,” telltale clues about tactics, tools and procedures used by the bad guys that might signify an attempted or successful intrusion.

Hours after that call with Ballapuram, I heard from a major U.S. company that is partnering with Wipro (at least for now). The source said his employer opted to sever all online access to Wipro employees within days of discovering that these Wipro accounts were being used to target his company’s operations.

The source said the indicators of compromise that Wipro shared with its customers came from a Wipro customer who was targeted by the attackers, but that Wipro was sending those indicators to customers as if they were something Wipro’s security team had put together on its own.

So let’s recap Wipro’s public response so far:

- Ignore reporter’s questions for days and then pick nits in his story during a public investor conference call.
- Question the stated timing of the breach, but refuse to provide an alternative timeline.
- Downplay the severity of the incident and characterize it as handled, even when they’ve only just hired an outside forensics firm.
- Say the intruders deployed a “zero-day attack,” and then refuse to discuss details of said zero-day.
- Claim the IoCs you’re sharing with affected clients were discovered by you when they weren’t.

WHAT DID THE ATTACKERS DO?

The criminals responsible for breaching Wipro appear to be after anything they can turn into cash fairly quickly. A source I spoke with at a large retailer and Wipro customer said the crooks who broke into Wipro used their access to perpetrate gift card fraud at the retailer’s stores.

I suppose that’s something of a silver lining for Wipro at least, if not also its customers: An intruder that was more focused on extracting intellectual property or other more strategic assets from Wipro’s customers probably could have gone undetected for a much longer period.

A source close to the investigation who asked not to be identified because he was not authorized to speak to the news media said the company hired by Wipro to investigate the breach dated the first phishing attacks back to March 11, when a single employee was phished.

The source said a subsequent phishing campaign between March 16 and 19 netted 22 additional Wipro employees, and that the vendor investigating the incident has so far discovered more than 100 Wipro endpoints that were seeded with ScreenConnect, a legitimate remote access tool sold by Connectwise.com. Investigators believe the intruders were using the ScreenConnect software on the hacked Wipro systems to connect remotely to Wipro client systems, which were then used to leverage further access into Wipro customer networks.

Additionally, investigators found at least one of the compromised endpoints was attacked with Mimikatz, an open source tool that can dump passwords and other credentials held in the memory of a Microsoft Windows device.

The source also said the vendor is still discovering newly hacked systems, suggesting that Wipro’s systems are still compromised, and that additional hacked endpoints may still be undiscovered within Wipro.
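The two behaviours the investigators describe, ScreenConnect seeded on endpoints and Mimikatz-style credential dumping, are the kind of thing a customer’s own telemetry can be hunted for without waiting on a vendor’s IoC list. The following is an added example, not code from the article or from Wipro’s investigation: it runs over constructed Windows event records shaped like System log Event ID 7045 (service installed) and Sysmon Event ID 10 (ProcessAccess); the host names, sanctioned-host set, allowlisted agent paths and file paths are all assumptions.

```python
"""Hunt constructed Windows event records for a remote-access tool being installed
as a service on a host not sanctioned to run one, and for a process opening
lsass.exe with memory-read rights (what a Mimikatz-style credential dump needs).
Record shapes mirror System log Event ID 7045 and Sysmon Event ID 10."""
import re
from dataclasses import dataclass

SERVICE_INSTALLED = 7045      # System log: a new service was installed
SYSMON_PROCESS_ACCESS = 10    # Sysmon: one process opened a handle to another
PROCESS_VM_READ = 0x0010      # access-mask bit required to read another process's memory

# Assumed environment facts: hosts where the help desk legitimately runs
# ScreenConnect, and agents expected to touch LSASS (lower-case full paths).
SANCTIONED_RAT_HOSTS = {"HELPDESK-01"}
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\program files\edr\agent.exe",
}
RAT_SERVICE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r"screenconnect", r"connectwise")]


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def check_service_install(evt):
    """Flag a remote-access tool service installed on an unsanctioned host."""
    text = f"{evt.get('service_name', '')} {evt.get('image_path', '')}"
    if not any(p.search(text) for p in RAT_SERVICE_PATTERNS):
        return None
    if evt["host"].upper() in SANCTIONED_RAT_HOSTS:
        return None
    return Finding(evt["host"], "remote-access-tool-installed", evt.get("image_path", ""))


def check_lsass_access(evt):
    """Flag a non-allowlisted process opening lsass.exe with PROCESS_VM_READ set."""
    if not evt.get("target_image", "").lower().endswith(r"\lsass.exe"):
        return None
    if evt.get("source_image", "").lower() in LSASS_ACCESS_ALLOWLIST:
        return None
    granted = int(evt.get("granted_access", "0x0"), 16)   # Sysmon logs the mask as hex text
    if not granted & PROCESS_VM_READ:
        return None
    return Finding(evt["host"], "lsass-memory-read", f"{evt['source_image']} access=0x{granted:04x}")


CHECKS = {SERVICE_INSTALLED: check_service_install, SYSMON_PROCESS_ACCESS: check_lsass_access}


def hunt(events):
    """Run the applicable check over each record and return findings in record order."""
    findings = []
    for evt in events:
        check = CHECKS.get(evt.get("event_id"))
        if check is not None:
            finding = check(evt)
            if finding is not None:
                findings.append(finding)
    return findings


def hosts_to_isolate(events):
    """Hosts showing both behaviours are the first candidates for isolation and imaging."""
    rules_by_host = {}
    for f in hunt(events):
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= 2)


# Constructed sample records: a benign and a suspicious instance of each behaviour.
SAMPLE_EVENTS = [
    {"host": "HELPDESK-01", "event_id": 7045, "service_name": "ScreenConnect Client (a1b2c3)",
     "image_path": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe"},
    {"host": "WS-DEV-117", "event_id": 7045, "service_name": "ScreenConnect Client (a1b2c3)",
     "image_path": r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientService.exe"},
    {"host": "WS-DEV-117", "event_id": 10, "source_image": r"C:\Program Files\EDR\agent.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1410"},
    {"host": "WS-DEV-117", "event_id": 10,
     "source_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"host": "WS-DEV-117", "event_id": 10,
     "source_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_image": r"C:\Windows\explorer.exe", "granted_access": "0x1010"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.detail}")
    print("isolate first:", hosts_to_isolate(SAMPLE_EVENTS))
```

Against the sample records only the unsanctioned ScreenConnect install and the PowerShell handle to LSASS are reported, both on the same workstation, which is therefore the host to isolate first.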

Wipro has not yet responded to follow-up requests for comment.

I’m sure there are smart, well-meaning and capable people who care about security and happen to work at Wipro, but I’m not convinced any of those individuals are employed in leadership roles at the company. Perhaps Wipro’s actions in the wake of this incident merely reflect the reality that India currently has no laws requiring data owners or processors to notify individuals in the event of a breach.

Overall, I’m willing to chalk this entire episode up to a complete lack of training in how to deal with the news media, but if I were a customer of Wipro I’d be more than a little concerned about the tone-deaf nature of the company’s response thus far.

As one follower on Twitter remarked, “openness and transparency speaks of integrity and a willingness to learn from mistakes. Doing the exact opposite smacks of something else entirely.”

In the interests of openness, here are some indicators of compromise that Wipro customers are distributing about this incident (I had to get these from one of Wipro’s partners as the company declined to share the IoCs directly with KrebsOnSecurity).


112 comments

  1. Brian, just wanted to drop a comment and say thank you for keeping at this. Realizing not a lot of ppl understand the significance of these stories – hopefully more will.

    Worked with outsourced resources from all over the world – for many years. Believe this is the tip of the iceberg.

    • Thanks, Dave. As I said at the outset, I didn’t want to write this story; I felt compelled to write this follow-up story because everything I’ve heard so far is a tad frightening.

  2. Needless to say that Wipro execs are lying through their teeth. They know they are pwned and know the damage they have caused their clients. I figure it’s well into the tens of millions. The clients probably will sue Wipro into the ground, rightfully so. Although some blame is due to the clients for choosing to outsource such important functions to such a con job company.

    • Unlikely. The service contracts will have indemnity clauses that require arbitration out of court and NDA’s covering the settlements so you will likely never hear any outcomes.

    • Well said. I was trying to think about how to say exactly that – but you said it sooner and better.

    • They won’t sue in general, otherwise it’s very bad PR for them.

  3. Wipro’s lack of concern for protecting their employee and customer data seems atrocious.

    I couldn’t help but laugh when they blamed their lack of phishing awareness on a breach caused by a zero-day. Nothing about that story or threat actor seemed highly skilled beyond any common phishing campaign, let alone a targeted zero-day attack.

    Maybe they need to lose a large amount of customers in order to realize how serious they should have taken security into consideration.

  4. From everything I have read about Wipro’s official comments regarding this incident, as well as the interview their recently acquired CSO gave, I have to say they must have a list laying around that contains all the latest security buzzwords, without a clue as to what they mean.

    The whole concept of ‘frictionless security’ – where business objectives trump risk management is exactly the paradigm that leads to these kinds of breaches.

    • Exactly. I believe that the business objectives should align to risk management whenever possible, but I know that’s not always the major concern for a lot of companies. Risk management, especially cyber risk management, should never take the back seat in today’s society… just look what it gives you. They will probably lose a lot of clients due to this–and rightfully so.

      • While I truly feel they DESERVE to lose a lot of clients over this, history has me doubting it.

        Remember the Target breach? Barely a blip in their earnings. Remember the Eqihax dumpster fire? Their earnings went up slightly. Remember the Home Depot breach? They are still doing fine.

        In fact, I have trouble naming one major company that got breached that has truly suffered much more than some bad PR, paid an insignificant fine (to them), maybe a down quarter, and had more than a few executives deploy their golden parachutes.

  5. Reading this absolutely made my week. I learned that basically all my phishing emails are zero day attacks and that Wipro’s corporate execs are heralds of honesty and integrity.

    Bottom line is “don’t piss off Brian Krebs.” But in all seriousness, I wonder where we would be if these sources hadn’t come forward.

  6. Thank you Brian for remaining fair and honest while being diligent with getting to the truth on this one. Wipro manages thousands of large companies’ IT infrastructure and this could equate to trillions of dollars in damages if the bad guys still have access. Think about it – thousands of banks and medical institutions use services like Wipro!
    Keep up the good work!

  7. Supply chain risk management is growing as a concern across all industries and government. Just because you as a company or government agency don’t contract with Wipro directly, it is likely that one of your key suppliers does. Does that change your perspective on the risk to your own mission or business? Perhaps it should.

  8. People I fear in order.

    Brian Krebs
    Jesus Christ
    Satan
    Chuck Norris

    • You forgot John Wick. 🙂

    • The first two on your list tend to treat people better who ‘fess up their sins. Wipro: heed that.

    • I know this was satire, but that drives me insane when people say stuff like that.

      Brian = journalist that writes security articles
      Jesus = died for our sins, was buried, and resurrected that we might have eternal life. All it takes is to believe in Him and trust in His death, burial, and resurrection (aka, the Gospel) to be saved.

      I’ll stick with fearing God over fearing man…

      • It’s ok to laugh, I did.

        God

        P.S. Anyone else have any new IOC’s to share? I’ve got 25,000 sheep to take care of and I’m sure one of them has strayed and clicked on something.

      • LMAO. So, you expect people to believe that God, an all powerful being, sent his son to earth so that we could torture and murder him in the most painful way possible, and in return, God would forgive all our other sins as thanks for murdering and torturing his only child?

        • We’re talking about the same dude who wiped out most of humanity and animals (except fish) because they annoyed him. Don’t expect too much rationality god 😉

  9. The Sunshine State

    With Wipro not telling the whole truth about the breach remember that is from a impoverished county like India , that has many scam call centers that employ people who are habitual lairs This doesn’t surprise me one bit that Wipro would not tell the news media the truth but rather cover up the facts because a good amount of people( not all ) in that country lack morals

    • Pardon, “the breach remember that is from a impoverished county like India”, no breaches in the richest then?

      And “who are habitual lairs”, “Wipro would not tell the news media the truth”, ” a good amount of people( not all ) in that country lack morals”. Are you kidding?

    • We can’t blame country here and comment. Because if few people tell lies and cheat, we can’t blame entire country or see in that perspective.
      In developed countries we see a lot of mass shootings, but I never heard of or recorded that in India or developing countries except terrorist countries. So every country will have its own problems. We can’t blame everyone for that. Don’t want to drag here. Don’t judge people or country by looking at the title or cover page.

  10. I believe you meant to say ‘nit picks’, not ‘pick nits’ (not nit picking)!

    • I meant exactly what I said. The term is derived from the activity of picking nits (the eggs of lice) from one’s hair, and to pick nits in a verbal sense means to make a big issue out of minor points.

    • Picking nits is what you are doing while nit picking.

      • Nit picking about the usage of the term nit picking…

        • Okay, okay, nit picked, now settle down.

          • I love how a good story brings out the perfectionist in everyone. No need for quibbling or to be hypercritical about the use of a term. To engage in fussy or pedantic fault-finding…..Sorry, I can’t, I just can’t. Who speaks like this?!?!

    • How many nits could a nit picker pick if a nit picker could pick nits?

  11. Mad props for calling into the Quarterly results call and asking a question! I love it.

  12. I echo the thanks Brian, it’s great to have you as ‘our’ source on important topics.

  13. Thanks for interesting articles!

    The third para start reads:

    “Wipro asked for several days to investigate the request and formulate a public comment.”

    – shouldn’t that be something like:

    “Wipro was asked for several days to investigate the request and formulate a public comment.”

  14. Great piece. So, who’s the retailer?

    • I’m guessing, no inside knowledge here but it’s Costco, CapGemini and Infosys.
      Look at some of the sub-domains created for xsecuremail.

      • thx mate, where did you see that?

        • Go to VT and search for xsecuremail.com and the results will show you domain information and under the observed subdomains section you’ll see these subdomains.

          I’m not saying they were targeted but subdomains using these companies names were used.

  15. India is a cesspool when it comes to cyber security. Almost 20 years ago a now former client (who was a medical transcription company) brought me in to do a security evaluation. I could write a book on all of the Stateside issues I found…but when I found they were transferring raw wav files over insecure ftp to their Indian corporate side with no access controls or internal security…I told her it was going to go boom. She refused to fix anything and I went my own way. A couple of years later she calls me in a panic and says a doctor’s office got notified by two patients (one a minor male, the other an adult female) that their entire medical files had been posted on pastebin. The doctor immediately informed (per HIPAA) the authorities and she knew she needed to find out how those got out there. It took me hours of time to find out a disgruntled and fired employee in India took a copy of those two now transcribed medical jackets home on a usb thumb drive. She then posted them on pastebin. I got them removed from pastebin..but the damage was done. The raid by the county, state, and federal officials that followed got me called to the nearest FBI office as I was the IT provider of record. Only the fact that I had made her sign a disclaimer acknowledging receipt of said report and that she was declining all remediation kept me out of serious legal problems. There are more details but I do not wish to share them here.

  16. The IOCs are terribly weak indicators and do not represent TTPs.
    If they explained the email subject, contents of the email, contents of the powershell scripts, lateral movement procedures (i.e. WMI, psexec, usage of service accounts)… If mimikatz was used diskless via powershell, what is the C&C repository; if mimikatz was used as a PE, what was the file path, etc… If Wipro was the island then the C&C IP addresses and DNS names could be irrelevant to clients, as Wipro could have been used for lateral exfiltration. File hashes can be changed.

  17. Thank you Brian for the IoCs. The zero-day that precipitated this might not be disclosed. However, the default action of file extensions such as ps1 are known to launch PowerShell. It’s hindsight to change the default action to open notepad now.

    • The default action on ps1 files in Windows 7 and higher is to open them in Notepad.

    • A better option is to use endpoint protection that includes script blocking that blocks all use of PS, VBS and batch scripts of any kind with exceptions made for specific scripts run from specific locations.

  18. Interesting to see the registration of the sites
    securemail[.]com – Newly registered domain. 1 month ago.
    wipro365[.]com – Newly registered domain. 25 days ago.
    microsoftonline-secure-login[.]com – expires 2019-05-18 (registered 11 months ago)
    secure-message[.]online – Blocked phish site
    encrypt-email[.]online – No details
    secured-mail[.]online – Phish – not yet blocked.
    internal-message[.]app – Blocked phish site
    encrypted-message[.]cloud – Newly registered domain. 28 days ago.

  19. But if we deny that there was really a “data breach” and claim it was just one employee who was phished then you can’t accuse us of mis-handling a data breach!!!

  20. Anon--ThisTime

    I’m ID’ed as Anon today, simply because I don’t want anyone to target me, just because I’m about to state that I can no longer pay much attention to being pwnd or hacked. Here’s the deal..

    I need to know what ACTION should be taken, if I’m an IT pro, or if perhaps I am one of the millions of consumers, of one of the thousands of attacks that are constantly occurring. I suggest that each article start with exactly who should really be paying close attention and what they should DO about it. Then it’s more a matter of wanting to spend the time to be better informed, further educated, or not.

    By now, I think we are all becoming numb to the breaches, unless it directly involves us as IT folks, CTO, CEO or some other responsible person for THAT breach or threatened problem. As an individual though, I think I’ve been pwned now 75-100 times. Of course I’m interested or I wouldn’t come here and read all the time. However, I feel to a certain extent like it is a waste of time, simply because there isn’t anything I can do about most discovered threats. To save time, recommend “who” should do “what”.

    • Anon. – It depends. What do you have of value? PCI, ePHI, PII, Intellectual Property, secrets that need to stay secret or people die, access to critical infrastructure, or access to other people’s data/systems? If you answered yes to any of these questions, you should be running a security programme at your company.

      If you (or anyone else) does not know what that means or where to start – check out this poster from SANS – https://www.sans.org/media/critical-security-controls/Poster_CIS-Security-Controls_2018.pdf

      Fast/Easy path would be NIST CSF as Program framework, CIS 20 Critical Security Controls as Controls Framework, CIS RAM as Risk Framework.

      Depending on the size and maturity of your company this is going to take a while and cost a fair bit of money as well as cooperation with your business users, app teams, infrastructure teams and actual backing from your executives and board of directors.

      Map what you are trying to protect (within your company or THROUGH your company), map how attackers typically go after those assets (Phish/repacked known malware/users running as admin -> powershell empire/mimikatz/credential reuse/lateral movement/bloodhound -> obtaining thing of value -> taking thing of value/begin pivoting to customer networks -> data egress).

      If you want the simple answer for this specific attack – (please no) then
      Good anti-phishing suite -> (ProofPoint PPS + TAP, Mimecast, Microsoft EOP + ATP) – maybe others
      Social Engineering/Phishing training of end users
      2FA/MFA for all user access from external
      2FA/MFA and jump boxes for all access to your clients/customers systems
      UBA (some sort of machine learning ML/AI for your user activity (Microsoft ATA, others))
      EDR Tool on endpoints (Carbon Black, Crowdstrike, Cylance, Cisco AMP, Palo Alto Traps + XDR/Cortex)
      Good people looking at consoles daily
      Good incident response policy (practice it) – all 6 steps
      Forensics team or retainer
      Communication plan like Norsk Hydro – BE HONEST
      Take it SERIOUSLY if a 3rd party contacts you and says you are owned – dig in – get facts – communicate
      Don’t BS Brian Krebs when he calls and asks you.

  21. Happy talk that minimizes and/or does not acknowledge the situation, is the dominant M.O. with many of the Indian technologists I work with. Communicating bad news is a problem for them on every level. Personally, I think it’s cultural.

    • I had the same exact experience dealing with Indian developers. Even when telling me how far along they were, they would lie and say it was almost done when it was nowhere near complete. Had that experience with many different developers and finally stopped using them.

      • Agreed. I have worked with Indian and Pakistani contractors (individually and as teams) who have reported roses when their projects were coming down around their ears. I have collaborated on months-long prototype projects that had their support until presentation time to your management; at which time they spoke out against the approach and methodology for the first time.

        I’m told it’s a cultural thing but it’s inexcusable.

        Document every exchange and watch your back.

        • If you can find it, pick up a book called “Speaking of India” — really interesting read, as it details the many reasons (mostly cultural) that explain these observed behaviors of Indian nationals.
          I was particularly taken with the section about how “they cannot say ‘no'” — culturally everything must be “doable” and they can never admit that they are challenged beyond their ability to deliver — right up to (and beyond) the moment it all falls over the edge of the cliff.

    • You beat me to it! For years, every time I gained support for something I was doing and it was an Indian contractor that was handling it, I noticed that when I related that they are not answering my concerns or problems, they went into denial mode – I think it was just that they refused to admit to a boss that they didn’t know how to solve the problem. They are very smart people, and I like communicating with them, but I generally have to raise total hell to get another tech to address my problems, because they just don’t tell their managers there is a problem that can’t be solved with the knowledge of the tech I am dealing with. I would end up climbing the ladder slowly trying to find someone that actually understood the problem and could deal with it.

      Finally it would never fail – they would connect me to someone in the US to finally get my concerns solved, and it took just fifteen minutes to finally get a solution. It is very frustrating, but I really think the southwestern Asian mind is simply geared that way. It is kind of like an ostrich with its head in the ground to try and ignore the fact that anything is actually going haywire.

  22. These are very interesting facts: cyber security is something that requires specialized knowledge and training to quickly respond with appropriate info, rather than jumping around, which actually creates confusion around the industry as such.

  23. Cheers, Brian, and thanks for the elegantly understated *reportage*. You hold to the traditional fourth estate standards better than anybody else I read. Grats!
    -30-

  24. I love the music that was added for the Wipro executive’s response.

    Does anyone know which US based service providers use Wipro?

    • I just said the same thing then saw your response. I agree that was funny.

    • It reminded me of the great song-and-dance routine of Charles Durning as the Governor in “The Best Little Whorehouse in Texas” when confronted by facts to deflect attentions from just how many powerful and well-connected men (including the Gov) in Texas were beneficiaries of its services….

  25. Thanks for the story Brian… I worked for a major retailer that outsourced part of their finance dept to Wipro. During implementation we could never get someone on the call that actually knew their requirements for connectivity and to document it. It was so painful. They didn’t know what servers needed connectivity, what protocols they used, firewall ports needed, etc. We had dedicated circuits in place but had to give them user VPN access at one point because their data centre flooded and everyone was working from home and all automation stopped as they had no contingency plan. We put every security control we could think of to protect us as we had little faith in their security.

  26. That background music on the twitter post says it all. Too funny!

  27. Looking at xsecuremail.com subdomains, I noticed Costco, Infosys and CapGemini. I’m assuming these companies were hit?

    Possibly Phishing emails containing some sort of embedded URL directing users to reset their passwords?

    There are a few .edu’s mentioned from Mexico as well.

  28. It is the customer who would have been impacted a lot if any stolen data is exposed on the internet. Wipro, without strengthening its own security, offers security services to customers; a detailed threat modeling should have helped them in advance if done properly. Imagine the customers who would be worrying now what kind of their data is stolen and would appear in future exposed by hackers. Phishing attacks are very dangerous though much ignored…always have a built-in security model rather than bolting something on, and have young dynamic security experts decide on security management. I see many leaders who are not even CISSP certified leading security practices and this is what happens

  29. Well this is what happens when your priority is rushing and winning business instead of focusing on security. One such security incident is enough to put down the whole reputation built over years. Have a strong security investment and protect your customers first. Indian service companies are better at outsourcing cheap labour, but when it comes to security such incidents have been noticed many times in recent time. And Wipro offers managed security services as well when their own security isn’t protected, leading to a breach putting customer data at stake….security should be the first priority

  30. I don’t see this much different than being an ATOS customer after the Winter Olympic Games incident. While ATOS was attempting to sell managed security services, they refused to answer any questions regarding this incident to customers and instead continued to downplay the incident.