
In early April we discussed the ShadowHammer attack on Asus laptops as an example of a malicious campaign that abused the supply chain. Supply chain attacks are of particular interest to researchers, and a particular danger to business, precisely because they compromise trusted channels. Buying a computer that is somehow already infected, the compromise of a subcontractor with access to the client's corporate resources, and the distribution of an infected version of software from the official developer's website are all typical examples of a supply chain attack.
The problem may be even more serious when the victim is a company that provides remote maintenance of your IT infrastructure, or develops software and implements IT systems for you. Outsourcing such tasks to third-party organizations is common practice. Last week, an attack on the Indian company Wipro, a major supplier of IT services, became known. First, freelance journalist Brian Krebs wrote about the compromise of Wipro's corporate network, and then the company itself confirmed the information (news, Brian's article).
Wipro is a very large supplier of IT services with a turnover of $8 billion a year and tens of thousands of customers around the world, including reputable companies and government agencies. It has more than 170 thousand employees. Examples of projects mentioned in the media include the implementation of an ERP system, an upgrade of the infrastructure for processing medical insurance policies, and the introduction of customer support systems. Complex projects of this level require the contractor's staff to have broad access to the clients' corporate networks.
It is not reliably known what happened in the company in March 2019: journalist Brian Krebs relies on anonymous sources on the side of Wipro's clients, and the company does not disclose details in its statements, except for one: phishing was the initial method of penetration into the corporate network. Presumably the attackers managed to gain access to the computer of one of the company's employees, which was then used to attack other employees. The legitimate ScreenConnect software was used for remote control of endpoints; according to a source who participated in the investigation, it was found on hundreds of computers that had access both to Wipro's internal network and to the infrastructure of the company's clients. The Mimikatz utility, a freeware program for extracting passwords on Windows computers, was also used.
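The pattern in the paragraph above, a legitimate remote-administration tool turning up on many hosts that reach both the internal network and clients' infrastructure, is something an inventory-based detection can surface. The following Python script is an added example and is not code from the digest, from Kaspersky Lab or from Wipro; the host names, the allowlist of approved helpdesk hosts and the inventory records are constructed for illustration.

```python
"""Added example (not from the digest, Kaspersky Lab or Wipro): flag
remote-administration tools on hosts that are not approved to run them,
single out hosts that bridge internal and client networks, and detect a
burst of installs in a short time window. All inventory data is constructed."""
from datetime import datetime, timedelta

# Remote-administration products that are legitimate in themselves but should
# only appear on hosts where support staff are approved to run them.
REMOTE_ADMIN_TOOLS = {"screenconnect", "anydesk", "teamviewer"}

# Hypothetical allowlist of hosts where such tools are expected.
APPROVED_HOSTS = {"helpdesk-01", "helpdesk-02"}

# Constructed software-inventory records:
# (host, network access tags, installed product, install timestamp)
INVENTORY = [
    ("helpdesk-01", {"internal"}, "ScreenConnect Client", "2019-02-10T09:00:00"),
    ("ws-1042", {"internal", "client"}, "ScreenConnect Client", "2019-03-12T14:05:00"),
    ("ws-1043", {"internal", "client"}, "ScreenConnect Client", "2019-03-12T14:07:00"),
    ("ws-2201", {"internal"}, "ScreenConnect Client", "2019-03-12T14:09:00"),
    ("ws-3310", {"internal", "client"}, "Microsoft Office", "2019-01-03T08:00:00"),
    ("ws-4412", {"client"}, "TeamViewer", "2019-03-20T10:00:00"),
]


def is_remote_admin(product):
    """True if the product name matches a known remote-administration tool."""
    name = product.lower()
    return any(tool in name for tool in REMOTE_ADMIN_TOOLS)


def unapproved_remote_admin(inventory, approved=APPROVED_HOSTS):
    """Return (host, product) pairs where a remote-admin tool sits on a
    host that is not on the approved list."""
    return [(host, product) for host, _, product, _ in inventory
            if is_remote_admin(product) and host not in approved]


def bridging_hosts(findings, inventory):
    """Among the flagged hosts, keep those that can reach both the internal
    network and client infrastructure: the highest-risk population."""
    tags = {host: access for host, access, _, _ in inventory}
    return sorted({host for host, _ in findings
                   if {"internal", "client"} <= tags[host]})


def install_bursts(inventory, window=timedelta(minutes=10), threshold=3):
    """Report windows in which at least `threshold` remote-admin installs
    occurred within `window`; many installs in a short span is a signal
    that a tool is being rolled out by something other than normal IT work."""
    times = sorted(datetime.fromisoformat(ts) for _, _, product, ts in inventory
                   if is_remote_admin(product))
    bursts = []
    for i in range(len(times)):
        j = i
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        if j - i >= threshold:
            bursts.append((times[i], times[j - 1], j - i))
    return bursts


if __name__ == "__main__":
    findings = unapproved_remote_admin(INVENTORY)
    print("unapproved remote-admin installs:", findings)
    print("bridging hosts:", bridging_hosts(findings, INVENTORY))
    print("install bursts:", install_bursts(INVENTORY))
```

The script reads from an inline list; in practice the same checks run over an export from endpoint management or EDR software inventory, and the bridging-host list is the set to isolate and investigate first.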
But this is according to anonymous sources. Officially, in a comment to the India Times, Wipro representatives only acknowledged the fact of a successful phishing attack and reported hiring independent experts to conduct an investigation. Later, during discussions with investors (according to Krebs), a company representative characterized the incident as a "zero day attack".
Krebs's sources hint that there was nothing sophisticated about this attack. It was tracked down fairly quickly (within a few weeks) because the attackers began using their newly gained access to the company's infrastructure for fraud involving retail chains' gift cards. Attackers with more serious intentions, who did not waste time on such trifles, could have remained undetected much longer.
At least in public, Wipro's reaction to the incident was, to put it mildly, not ideal: the company did not acknowledge the problem for a long time, provided no details of the attack, and made contradictory statements (either phishing or a zero-day). Maximum possible transparency in disclosing cyber incidents is not only becoming an ethical norm for business, but is also gradually becoming a legal requirement in many countries. In any case, at least one of the company's clients preferred to block all Wipro employees' access to its own IT systems until the investigation was complete. The Indian organization itself is working on introducing a more secure corporate email system.
In the case of supply chain attacks, a detailed description of the attack and a sober assessment of the damage are especially important: not so that the media can write about it, but so that the affected company's clients understand what happened and what steps they should take to protect themselves. Recent research shows that in about half of cases, attackers try to use the hacked infrastructure of one company to attack other organizations.
To protect against such attacks, it is worth reassessing the degree of trust placed in third-party service providers. A case in point is last week's incident with Microsoft's mail services (news). The company preemptively sent recommendations to change passwords to some users of the Outlook, Hotmail and MSN mail services. As it turned out, attackers compromised the account of one of the contractors providing technical support to users. Such contractors do not have access to mailbox passwords, but can view some content: message subjects, correspondents' addresses, and lists of mail folders. In some cases, according to the Motherboard website, the attackers could have gained access to the contents of messages. Although the attacker's access was blocked, it is impossible to estimate how much data ended up in their hands and how it will be used in the future.
Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. The editors generally recommend treating any opinions with healthy skepticism.