Supply Chain Attack on Wipro Highlights Service Provider Vulnerabilities by Scott Ikeda


Supply chain attacks have been in the news recently due to suspicions of nation-state agencies planting surveillance chips at the hardware manufacturing level. While these spy tales are fascinating, they also are not the most immediate threat that the average business faces from their supply chain. As the March attack on major IT outsourcing firm Wipro Ltd. illustrates, vulnerable IT service providers are much more likely to create an entry point into a business network.

The Wipro supply chain attack

Wipro is one of the world’s largest IT outsourcing companies. Their clients number in the tens of thousands, including some of the biggest names in tech, aerospace, banking and oil.

The attack on Wipro is believed to have unfolded over several months and targeted about a dozen of Wipro’s clients. As is most common in supply chain attacks, the initial entry point was a barrage of phishing emails that ensnared over 20 Wipro employee accounts. The identity of the attackers is still unknown, but they are believed to be some sort of professional criminal group with advanced capabilities.

The attackers made efforts to avoid detection while exfiltrating data from the Wipro clients that they managed to compromise. Their focus appeared to be on gift card fraud, which allows cyber criminals to convert privileged access into cash-in-hand relatively quickly and in a way that is difficult to trace after the fact.

This advanced phishing campaign was discovered only after Wipro’s clients reported that they were seeing malicious activity from Wipro’s network. Wipro was widely criticized for their response to the breach, in which they waited for several days before answering questions from the media and then released a number of inaccurate details mischaracterizing the supply chain attack as less serious than it actually was.

Brian Krebs of Krebs on Security reports that the initial compromise took place from March 16 to March 19, during which time 23 Wipro employees were successfully phished. The attackers used these accounts to install the remote access tool ScreenConnect (an older program but still commonly used) at numerous Wipro endpoints. ScreenConnect was then used as a means of access to Wipro client systems. A password logging tool was also discovered on at least one endpoint.

Ongoing concerns about Wipro

Wipro may have been seen by attackers as a uniquely appealing target due to their present security posture. The attacks were close on the heels of new CEO Sridhar Govardhan declaring that “security cannot be a show stopper for business priorities” in a February interview. The company has also had some high-profile breach incidents recently, the most significant of which was some rogue customer service employees stealing the data of 21,000 customers and using it to conduct phishing attacks by phone.

Lessons from the Wipro breach

Symantec reported that supply chain attack incidents went up by 78% in 2018, and a recent report by endpoint security firm Carbon Black estimates that 50% of all attacks are now targeting supply chains. That’s not to imply that this is a new phenomenon. Vendor compromise was the key to the high-profile attacks on Target, TicketMaster, Experian and British Airways among others.

Businesses should already be screening the security policies and practices of vendors before going into business with them, but the Wipro incident illustrates the need to continually monitor their security stance and cyber readiness over the lifetime of the relationship.

As of now, the attack is still under investigation, so it’s possible that the number of compromised companies and the scope of stolen data could increase. Wipro’s attitude toward network security and their response to the supply chain attack leave a great deal of room for concern for any companies that are contracting with them, even if they are not among the initial dozen or so that appear to have experienced a breach. These businesses now have to wonder what sort of unencrypted information might have been stored on the network by Wipro employees or passed around in internal emails.

In terms of emergency response, it would be prudent for Wipro customers to push a full mandatory password change and replacement of certificates across the organization if there are any signs of potentially abnormal activity. Krebs on Security has also been tracking the indicators of compromise involved with this attack and has provided a list of suspected phishing domains that should be immediately blocked. Companies that see signs of intrusion may want to employ a forensic firm to assist with remedial steps in restoring security and to continue to monitor systems as this case is investigated.
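One practical step behind the advice above is to take the published list of suspected phishing domains and sweep existing DNS and web proxy logs for any contact with them, so that blocking is paired with a check of whether contact already happened. The script below is an added example written for this article; it is not code from Wipro or from Krebs on Security, and the indicator list and log lines in it are constructed placeholders (under the reserved .invalid TLD) standing in for the real indicators, which this article does not reproduce. It normalizes hostnames (case, trailing dot) and matches on label boundaries, so a subdomain of an indicator is caught while a look-alike such as notbad.invalid is not mistaken for bad.invalid.

```python
"""Sweep DNS / proxy log lines for contact with suspected phishing domains.

Added example, not code from the article, Wipro, or Krebs on Security.
SUSPECTED_DOMAINS and SAMPLE_LOG are constructed placeholders; substitute the
indicator list published for the incident and your own exported logs.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Constructed placeholder indicators (the article does not reproduce the real list).
SUSPECTED_DOMAINS = [
    "login-portal-update.invalid",
    "secure-helpdesk-verify.invalid",
]

# Constructed sample log lines in two common shapes: a DNS query log and a
# proxy access log. Only the domain field matters to the sweep.
SAMPLE_LOG = """\
2019-03-17T09:12:04Z dns client=10.20.1.15 query=mail.login-portal-update.invalid type=A
2019-03-17T09:12:05Z proxy client=10.20.1.15 url=https://LOGIN-PORTAL-UPDATE.invalid./auth status=200
2019-03-17T09:13:40Z dns client=10.20.1.22 query=intranet.corp.example type=A
2019-03-17T09:14:02Z proxy client=10.20.1.31 url=https://notlogin-portal-update.invalid/ status=302
2019-03-17T09:15:11Z dns client=10.20.1.40 query=secure-helpdesk-verify.invalid type=TXT
"""

# Pulls the hostname out of either a "query=" field or a "url=" field.
_DOMAIN_FIELD = re.compile(r"(?:query=|url=https?://)([^\s/]+)")


def normalize(domain: str) -> str:
    """Lower-case and strip a trailing dot so 'A.B.' and 'a.b' compare equal."""
    return domain.rstrip(".").lower()


def matches_indicator(domain: str, indicators: Iterable[str]) -> Optional[str]:
    """Return the indicator matched by `domain`, or None.

    A match is an exact hostname or a subdomain of the indicator. The label
    boundary is enforced with a leading dot, so 'notbad.invalid' does not
    match an indicator of 'bad.invalid'.
    """
    d = normalize(domain)
    for ind in indicators:
        i = normalize(ind)
        if d == i or d.endswith("." + i):
            return i
    return None


def sweep(log_text: str, indicators: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, indicator) for each log line touching an indicator."""
    hits: List[Tuple[str, str, str]] = []
    inds = list(indicators)
    for line in log_text.splitlines():
        m = _DOMAIN_FIELD.search(line)
        if not m:
            continue
        ind = matches_indicator(m.group(1), inds)
        if ind is None:
            continue
        fields = line.split()
        timestamp = fields[0]
        client = next((f.split("=", 1)[1] for f in fields if f.startswith("client=")), "?")
        hits.append((timestamp, client, ind))
    return hits


if __name__ == "__main__":
    for ts, client, ind in sweep(SAMPLE_LOG, SUSPECTED_DOMAINS):
        print(f"{ts} {client} contacted suspected phishing domain {ind}")
```

On the constructed sample the sweep reports three hits (two from the first client, one from the last) and correctly ignores the look-alike hostname. Any client that appears in the output is a candidate for the password reset and forensic follow-up the article recommends, since a log entry shows contact, not whether credentials were actually entered.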

The missteps seen in this giant Wipro breach can be used as points of review of both potential and existing vendors and their likelihood of experiencing a supply chain attack at some point. The statement from Wipro’s CEO that cyber security was essentially beneath all other business priorities in terms of budget allotment should have been a major red flag, as was the ability of rogue call center staff to access and exfiltrate sensitive personal information. This latest incident should prompt any business contracting with Wipro to not only take a very close and critical look at that relationship, but also at any other vendors that are showing similarly worrying signs of potential security failure.

Proactive local defense against supply chain attacks begins with a risk management program that includes supply chain security and vendor policy considerations. Vendor responsibilities should be spelled out clearly in contracts, and organizations should give themselves some ability to periodically audit vendor security. Vendor responsibilities at the end of a contract also need to be considered, as the vendor will likely retain some sort of sensitive information unless compelled to ensure it is removed. Even smaller vendors should be subject to these requirements if they are sent or have access to sensitive information, or have some sort of foothold inside of your network.

While a robust contract of this nature is the ideal situation, the hard truth is that smaller companies may not have the leverage or opportunity to hold vendors to this level of responsibility. If that is the case for your organization, it may be wise to employ a third-party managed service that independently evaluates and rates vendor cybersecurity.