Based in Silicon Valley, California, Security Brief is a blog by Chris Louie. His posts discuss current information security affairs.

Wipro Breach Highlights A Need for Zero Trust Remote Access


On the morning of Dec. 19, 2013, the executive team of Target Stores should have been focused on getting the giant US-based retailer through the holiday shopping season, followed by the single largest day of merchandise returns for unwanted gifts. Instead of forecasting record profits, they were preparing to give their first public statements that their Point of Sale (PoS) systems had been compromised and that credit and debit card data had been improperly accessed. The PR nightmare and a breach costing over 400 million dollars were caused by an HVAC vendor whose VPN credentials were stolen; attackers used them to establish a connection inside Target’s network and eventually pivoted to the Point of Sale systems. Five and a half years later, companies are still vulnerable to this type of attack.

The Target Breach affected 40-70 million customers


Earlier this week, Indian outsourcing company Wipro disclosed that it had been the victim of a broader campaign attempting to infiltrate consulting and managed outsourced IT firms in order to perpetrate gift card fraud. Attackers registered convincing-looking domains for secure e-mail services and sent phishing links to employees of the targeted firms in hopes of harvesting credentials. According to security reporter Brian Krebs, research into the phishing domains leads back to a single hosting provider in Russia known to host malicious websites. Other subdomains registered through that hosting provider give a clear view of the targets of this attack campaign:





Zscaler classified the phishing links as malicious
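The phishing hostnames in this campaign put a victim organization's real-looking hostname in front of an attacker-registered apex domain. The following check, added here and not part of the original post, flags any hostname whose subdomain labels spell out a protected organization's domain while the registrable domain belongs to someone else; the protected domains, the small suffix table and every sample hostname are constructed for illustration.

```python
"""Flag lookalike hostnames that nest a protected organization's domain under an
attacker-controlled apex. Added example, not from the original post; the
protected domains, suffix table and sample values are all constructed."""
from urllib.parse import urlsplit

# Organizations whose own hosts end in these apexes (constructed list).
PROTECTED = {"example-bank.com", "example-outsourcer.co.uk"}

# Minimal multi-label public suffixes so the registrable domain is computed
# correctly for the samples; a real deployment would use the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def refang(value: str) -> str:
    """Restore defanged notation such as 'internal-message[.]app' to a real name."""
    value = value.strip().lower().replace("[.]", ".").replace("(.)", ".")
    return value.replace("hxxp", "http")


def host_of(value: str) -> str:
    """Accept either a bare hostname or a URL and return the hostname."""
    value = refang(value)
    if "://" in value:
        return (urlsplit(value).hostname or "").rstrip(".")
    return value.split("/", 1)[0].rstrip(".")


def registrable_domain(host: str) -> str:
    """Apex domain the registrant actually controls (last two or three labels)."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def nested_brand(value: str):
    """Return the protected domain spelled out in the subdomain labels, or None.

    secure.example-bank.com.lookalike.app is registrable as lookalike.app, yet the
    labels to its left read 'example-bank.com'. The organization's own hosts
    (mail.example-bank.com) resolve to a protected apex and are not flagged.
    """
    host = host_of(value)
    apex = registrable_domain(host)
    if not host or apex in PROTECTED:
        return None
    sub_labels = host[: -len(apex)].rstrip(".").split(".")
    for brand in PROTECTED:
        b = brand.split(".")
        if any(sub_labels[i:i + len(b)] == b for i in range(len(sub_labels) - len(b) + 1)):
            return brand
    return None


def scan(values):
    """Map each suspicious hostname or URL to the organization it impersonates."""
    return {v: nested_brand(v) for v in values if nested_brand(v)}
```

Run `scan` over the hostnames from a proxy or DNS log; a hit means the registrable domain is not the organization's, so the link should be treated as a credential-harvesting attempt regardless of how familiar the left-hand labels look.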

After successfully phishing several employees at Wipro, attackers embedded themselves deep into Wipro’s systems and established persistent access using remote access tools such as ScreenConnect.  This access allowed the attackers to remotely access Wipro systems even if the phished employees changed their passwords.  Once embedded, attackers used their privileged access to launch attacks on Wipro’s customers from within their internal network.

Typical network security devices such as firewalls, IPS, and VPN concentrators are like a coconut: hard on the outside and soft on the inside. These appliances typically block attacks from external networks and place a higher level of trust in traffic on the internal network. Many outsourced IT service providers and managed security services have direct access into their customers’ networks, so they are prime targets for attack. If an adversary wishes to attack a specific hardened target, they can instead go after a softer target that has access to the hardened target’s network. In the Target breach, attackers did not attack Target itself; they gained access through a third-party contractor. Initial forensic data from the Wipro breach indicates that the attackers used tools, tactics, and procedures similar to those seen in 2016 and 2017 attacks against gift card management platform Maritz.

Networks are becoming more like avocados rather than coconuts


In 2016 and 2017, Maritz was targeted through IT outsourcing firm Cognizant. Maritz was the victim of a spear phishing campaign that allowed attackers to gain persistent access within the network. After performing reconnaissance, the attackers located a shared drive containing a database of valid gift card numbers and their PIN codes. The gift card balances were drained through the use of mules or sold through gift card reseller sites. By the time Maritz noticed something was wrong, over $11 million had been lost. Maritz sued Cognizant to recover the costs associated with the breach.

Reviewing the list of targeted organizations reveals a set of companies whose compromise would be especially useful for perpetrating gift card fraud. Green Dot is the world’s largest prepaid card vendor. Wipro, Cognizant, Avanade, and Capgemini are among the world’s largest IT outsourcing and consulting firms, with client lists containing some of the biggest names in retail. In one sense, the security industry should be thankful that gift card fraud was the attackers’ only motive. Breaching Wipro and gaining internal access to its customers’ systems could have enabled attacks with far more devastating effects, such as ransomware and theft of other sensitive data. Wipro has been mostly silent about the breach, but there is one clear message for the security industry: zero trust remote access is no longer optional; it is required.

Since Wipro manages the network and security infrastructure of its customers, granting Wipro access to its customers’ systems makes business sense. However, the level of access that Wipro employees require to perform their duties varies greatly. Organizations fall into one of two categories: those that know they have been breached and those that do not yet know they have been breached. Applying a zero trust model to remote and internal access would significantly limit exposure in the event of a breach. Multi-factor authentication can be bypassed at scale, but it is still better than a single factor. Zero trust resembles an avocado: a soft perimeter with a hard interior. Even after an organization is breached, phished credentials would only be able to reach applications that were explicitly granted. It is also worth noting that, according to VirusTotal, most AV vendors have still not classified the phishing URLs as malicious. Taking a defense-in-depth approach with identity and zero trust access will significantly limit the impact of a breach.

At the time of writing, only 5 of 66 engines detected the phishing links as malicious

