Wipro Hack Snags At Least 23 Workers, Breached Systems Still Being Found: Report

The adversaries were believed to be using ConnectWise Control on the hacked systems to connect remotely to Wipro client systems, which were then used to obtain further access into Wipro customer networks, KrebsOnSecurity reported.


Two March phishing campaigns against Wipro workers resulted in the compromise of at least 23 employee accounts and access to customer networks, according to KrebsOnSecurity.

The Bengaluru, India-based IT outsourcing giant is still discovering newly hacked systems, a source close to the investigation told the publication. KrebsOnSecurity said this suggests that Wipro's systems are still compromised, and that additional hacked endpoints may still be undiscovered within the company.

The vendor investigating the incident has so far found that more than 100 Wipro endpoints were seeded with ConnectWise Control (formerly ScreenConnect), a remote support and remote access tool, KrebsOnSecurity reported.



The adversaries were believed to be using ConnectWise Control on the hacked Wipro systems to connect remotely to Wipro client systems, KrebsOnSecurity stated. From there, investigators found that the hackers capitalized on their position to obtain further access into Wipro customer networks.

Products like ConnectWise Control are typically used by IT departments to improve efficiency by remotely fixing issues and applying updates, ConnectWise Chief Product Officer Jeff Bishop said in a statement. However, Bishop said threat actors can maliciously take advantage of remote control products to exploit a consumer or company through misrepresentation, network vulnerabilities, or phishing.

“We work diligently to prevent the misuse of our products in these scenarios through online training, educational material, and by implementing AI to help us look for bad actors in our community,” Bishop said. “When detected or reported, we will work with the appropriate authorities to assist them to take action against these malicious actors.”

Wipro didn’t immediately respond to a request for comment. Wipro's stock is down 3.2 percent to $4.25 per share since KrebsOnSecurity first broke the news late Monday afternoon.

Investigators have additionally found that at least one of Wipro's compromised endpoints was attacked with Mimikatz, a tool that allows hackers to extract account login and password information that is temporarily held in memory.
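As an added defender's illustration (not code from the article or from any of the companies it names), the two behaviours reported above, an unexpected ConnectWise Control client running on endpoints and a process reading LSASS memory, can be hunted over endpoint telemetry; the Sysmon-style records, field names and allowlists below are constructed for the example.

```python
"""Hunt endpoint telemetry for the pattern described in the Wipro reporting:
a remote-support client (ConnectWise Control / ScreenConnect) running where it
is not expected, and Mimikatz-style access to lsass.exe memory.
All records and allowlists here are constructed for illustration."""
import json

# Hosts where the remote-support client is legitimately deployed (assumed).
REMOTE_TOOL_ALLOWED_HOSTS = {"helpdesk-01"}
# Processes that normally open LSASS (assumed baseline; tune per environment).
LSASS_ACCESS_ALLOWED = {"csrss.exe", "wininit.exe", "msmpeng.exe", "lsass.exe"}
REMOTE_TOOL_MARKERS = ("screenconnect", "connectwise")

def hunt(records):
    """Return findings as (host, category, detail) tuples."""
    findings = []
    for r in records:
        host = r["host"]
        # Sysmon Event ID 1 (process creation): flag the remote-support client
        # on any host not in the deployment allowlist.
        if r["event_id"] == 1:
            image = r["image"].lower()
            if any(m in image for m in REMOTE_TOOL_MARKERS) and host not in REMOTE_TOOL_ALLOWED_HOSTS:
                findings.append((host, "unexpected_remote_tool", r["image"]))
        # Sysmon Event ID 10 (process access): credential dumping reads
        # lsass.exe memory from a process that has no business doing so.
        elif r["event_id"] == 10 and r["target_image"].lower().endswith("\\lsass.exe"):
            src = r["source_image"].rsplit("\\", 1)[-1].lower()
            if src not in LSASS_ACCESS_ALLOWED:
                findings.append((host, "lsass_access", r["source_image"]))
    return findings

# Constructed sample telemetry as JSON lines; not taken from the incident.
SAMPLE_LOG = """
{"host":"helpdesk-01","event_id":1,"image":"C:\\\\Program Files (x86)\\\\ScreenConnect Client\\\\ScreenConnect.ClientService.exe"}
{"host":"fin-ws-42","event_id":1,"image":"C:\\\\Users\\\\a.user\\\\AppData\\\\Local\\\\Temp\\\\ScreenConnect.WindowsClient.exe"}
{"host":"fin-ws-42","event_id":10,"source_image":"C:\\\\Windows\\\\Temp\\\\mk.exe","target_image":"C:\\\\Windows\\\\system32\\\\lsass.exe"}
{"host":"fin-ws-42","event_id":10,"source_image":"C:\\\\Windows\\\\System32\\\\csrss.exe","target_image":"C:\\\\Windows\\\\system32\\\\lsass.exe"}
"""

def parse_jsonl(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

if __name__ == "__main__":
    for host, category, detail in hunt(parse_jsonl(SAMPLE_LOG)):
        print(f"{host}: {category}: {detail}")
```

The host allowlist matters because the article's point is that the tool is legitimate on a helpdesk machine and suspicious on a hundred others; tune both allowlists to the environment before trusting the output.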

The adversary responsible for breaching Wipro appears to be after anything they can turn into cash relatively quickly, KrebsOnSecurity reported. One large retailer and Wipro customer told KrebsOnSecurity that the threat actors who broke into Wipro used their access to perpetrate gift card fraud at the retailer's stores.

KrebsOnSecurity initially reported Monday that Wipro was believed to be dealing with a multi-month intrusion from an assumed state-backed hacker. However, nation-state actors like China, Russia and Iran tend to be more focused on extracting intellectual property or strategic assets from end clients rather than promptly monetizing the breach.

One major U.S. company told KrebsOnSecurity that it opted to sever all online access for Wipro's employees within days of discovering that these Wipro accounts were being used to target the operations of its business. The organization remains a Wipro partner for now.

Wipro said it has hired an outside digital forensics firm to investigate the breach further. Wipro also said it was hit by a 'zero-day' attack, though the company hasn't publicly shared any details about how the attack appears to work.

The company said it has shared relevant information about the 'zero-day' with its anti-virus provider so that they can release the necessary signatures for Wipro.

The reported details of the Wipro hack bear some similarities to an August 2018 attack against Norwegian business software provider Visma by Chinese hacking group APT10, carried out as part of the multiyear "Operation Cloud Hopper" campaign against 45 technology companies and U.S. government agencies, as well as several MSPs.

In that breach, APT10 used Citrix Systems remote desktop credentials stolen from a Visma employee to access the company's network. Two weeks later, the hackers capitalized on their access in Visma's network to move laterally and deploy Trochilus malware at two separate access points.

APT10 also used credentials stolen during the attack to access and copy a file containing data for Visma's corporate network, according to Recorded Future and Rapid7 research. The stolen data was then removed and uploaded to a Dropbox account, they reported.