Wipro Attack: The Latest Developments
Outsourcer Enlists Help With Investigation, Denies It's Migrating to New Email Platform
Indian IT outsourcing giant Wipro says it's working with several partners to expedite the investigation into abnormal activities on some of its employee accounts as a result of an advanced phishing campaign.
This is in addition to the earlier announced hiring of an independent forensics firm, the company tells Information Security Media Group.
"We are working with multiple partners who have an understanding of our operations, which we believe will help expedite the investigation process," Wipro says. "We continue to monitor our enterprise infrastructure at a heightened level of alertness."
Last week, the KrebsOnSecurity blog reported that India's third-largest IT outsourcing company was dealing with a multimonth intrusion and its systems were being used as jumping-off points for digital phishing expeditions targeting the systems of at least a dozen Wipro customers.
Wipro, however, is yet to clarify whether any of its client data has been compromised.
"As a responsible partner and in line with our standard protocol, we immediately and proactively informed the few customers with whom these employees [whose email accounts were targeted] were engaged and are in constant touch with our customers," the company says.
KrebsOnSecurity reports that the attackers responsible for launching phishing campaigns targeting Wipro also appear to have targeted a number of other competing outsourcers, including Infosys and Cognizant.
In a statement, Cognizant says: "While our review remains ongoing, we have seen no indication to date that any client data was compromised. It is not unusual for a large company like Cognizant to be the target of spear phishing attempts such as this. The integrity of our systems and our clients' systems is of paramount importance to Cognizant. We continuously monitor, update and strengthen our systems against unauthorized access and have put additional protocols in place related to this specific industry-wide incident."
Infosys also says that it has not observed any breach of its network. "This has been ascertained through a thorough analysis of the indicators of compromise that we received from our threat intelligence partners," the company says in a statement.
Infosys says it's working with its threat intelligence partners to get more information on attack vectors and threat actors to further strengthen its IT and cybersecurity controls.
KrebsOnSecurity also reported that Wipro was trying to migrate to a new email platform. But Wipro says that report is inaccurate.
"Rumors that Wipro was trying to migrate to a new e-mail platform are not true," the company states.
Wipro considers the phishing campaign to be a zero-day attack. "Based on our interim investigation, we shared the relevant information on the zero-day attack with our anti-virus provider and they have released the necessary signatures for us."
Sizing Up Wipro's Response
Some security experts criticized Wipro for taking two days to acknowledge the security incident after the KrebsOnSecurity report and then providing only limited information (see: Learning From Wipro, JustDial Post-Breach Mistakes).
Who will Secure Who claim to Secure Others. This is what comes to my mind when I think of #cyberattack on #Wipro. Now that other IT companies are named too I feel #CyberSecurity has just become tool based vendor driven service industry with NO Security in Philosophy #news #media — Adv. Prashant Mali (@CyberMahaGuru) April 20, 2019
But others are now saying that the company acknowledged the problem relatively quickly.
"Wipro has been honest in declaring the breach," says L.S. Subramanian, an independent information technology adviser and analyst. "Many global companies do not announce similar incidents immediately but sometimes even wait for two years after the incident. I see no impact from Wipro's customers, but rather increased trust and appreciation of their transparency."
Subhajit Deb, CISO at Dr. Reddy's Laboratories, a pharma company, adds: "Wipro has taken a lot of flak unnecessarily. It takes a lot of courage to come back and accept that yes there has been an attack. Having said that, business email compromise and phishing attacks is a real threat, and there is no control in the world which is 100 percent foolproof. So you can have an anti-phishing filter and a behavioral analysis detection tool, but end of the day, one of the gullible users will still be tricked to give away important credentials or they will end up clicking on a malicious link."
Some security experts suggest that Wipro was one of many organizations targeted by the same criminal organization.
"I believe that the criminal organization which targeted Wipro has been targeting various organizations on a regular basis," Sachin Raste, a security researcher at eScan, an anti-virus firm, tells ISMG. "When we took a close look at Wipro's indicators of compromise as shared by Krebs, we came across various sub-domains which were used for carrying out the phishing attacks."
Capgemini, a French technology consulting firm, says that its internal security operation center detected and monitored suspicious activity that showed similar patterns to the attack against Wipro, the KrebsOnSecurity blog reports.
Fighting Against Phishing
Forcepoint says criminals have become increasingly sophisticated. "Increasingly sophisticated attacks are being launched on enterprises and government agencies to gain access to critical data and intellectual property. And, traditional security approaches for combating such cyberattacks are no longer effective in today's digital world," says Surendra Singh, senior director and country head, Forcepoint.
To help mitigate the risk of falling victim to a phishing attack, security practitioners say organizations need to continuously educate employees about how to recognize the attacks. They also need to ensure that they implement continuous vulnerability assessment programs, they advise.
"There are solutions in the market which leverage machine learning to know if there is an attack happening in one of your third parties and how it correlates to your organization," Deb of Dr. Reddy's Laboratories points out. "It is a good investment to make, but there is no silver bullet."
Organizations also need to prepare incident management playbooks and practice using them in simulated events, Deb says.