Tag Archives: Wipro

More Info on the Wipro Hack

Last week, I wrote about the Wipro hack (if you didn’t see that post, click on the search box and enter Wipro).  While Wipro is being pretty close-mouthed about what happened due to the inevitable lawsuits, SLA complaints and even claims of breached contracts, it isn’t stopping the media from reporting on it.

In fact, Wipro would probably have been better off addressing the issue rather than attempting, unsuccessfully, to stonewall the media.

When Brian Krebs, who was the first to report on this, reached out Wipro for a comment, they took several days and then came back with a non-answer that said how wonderful their security was.

Apparently their incident response program didn’t include how to deal with the media.

After Brian’s story broke, Wipro decided to talk to an (perhaps more friendly) Indian media outlet and reported that they had a breach.  They did not reach out to Brian.

The next day they had a quarterly investor conference call (bad timing for them) and their CEO said that many of Brian’s details were in error.  They basically said that the issue was handled.

Brian then asked Wipro’s CEO what parts of the story were in error, instead of responding, he read some PR statement about their response to the incident.

Note that if you are going to call a reporter a liar, you probably ought to be able to back that up, because the reporter is likely to call you out on it otherwise. 

The CEO did agree to have a one on one call with Brian, a statement that another reporter recorded and posted on twitter.

During the follow up call, the CEO took issue with Brian’s statement that the incident lasted months.  When Brian asked when it did start, the CEO said he didn’t know but surely it wasn’t months.

It would seem that if you are going to put your CEO on a one on one call with a reporter, you probably ought to make sure that the CEO is prepared.

The CEO also claimed that the company was hit by a zero-day attack.  Given that they are a very large IT services firm, that doesn’t seem like a great defense.  Certainly, no one is bulletproof, but you need evidence.

When asked about the details of the zero-day, they have been quiet other than to say that they shared the details with their anti-virus vendor- and apparently no one else.

That is very unusual for zero-days.  Generally, if you think you have uncovered something new, you want to let others know so that they don’t get hit by the same attack.

In reality, they probably meant, according to Brian, that zero-day in this context means an attack that their anti-virus software didn’t catch. Unfortunately, nowadays, that is not much of a surprise.  Anti-virus software, unless it is very special (and there are a few such products but not any of the typical mainstream ones) it will only catch basic attacks.

A few hours after the call, Brian heard from one of Wipro’s customers in the US.  They decided to sever all electronic communications with Wipro as a result of the attack since Wipro was found to be attacking this customer.  This is the exact right thing to do.  Disconnect now and then figure out IF and WHEN you should reconnect.  This should only happen after the customer is sure they are safe.

A large retailer who is a Wipro customer said that the attackers used the compromise to execute a gift card fraud attack.  Something that would generate cash right away.

India has no laws requiring a company to disclose a breach, so anyone who is outsourcing to India (and other countries) needs to make sure that contractually the outsourcer must report and report within, say, 24 hours, any cyber incident to the customer.  That way, if it doesn’t happen, it is a breach of contract that be dealt with in any number of ways.  Source: Brian Krebs.

Since this story won’t go away, Brian reported the next day that not only was Wipro attacked, but other Indian outsourcers were attacked.  Specifically, Infosys and Cognizant were also attacked.

It appears that some of the companies the hackers were after were Sears, Green Dot (the prepaid credit card company), Evalon (credit card processor), Rackspace, Avanade, Capgemini and others.  Looking at this list, it is clear the attackers want fast money (Sears) but also more victims by attacking a bunch of outsourcers like Rackspace, Avanade and Capgemini.

Sourcces are saying that the attack may have been initiated by hacking a remote desktop software, Screen Connect.  That is consistent with an alert I got from Homeland Security over the weekend that said that hackers were using remote access software to perpetrate attacks and mentioned Screen Connect by name.  Possibly that is a coincidence, but I doubt it due to the timing.

Some of the companies mentioned confirmed the attack in this additional post of Brian’s, here.

Bottom line is that when it comes to breaches, stonewalling DOES NOT WORK. Period.  Plan your response long before you are going to need it.    That is just smart.  The media will keep reporting on it until you either deal with the core issues or look like a bumbling idiot,  Wipro opted for the second in my opinion.


Indian BPO Vendor Wipro Hacked

Brian Krebs reported that Indian mega-outsourcer Wipro was hacked.  Apparently Wipro’s systems were being used to launch attacks against Wipro’s customers.

Wipro’s PR police said that they are investigating.  I am sure that they are.

Given that Wipro’s customers likely trust Wipro, it is a good launchpad for attacks against their customers.

When Brian (Krebs) reached out to Wipro communications head, he said that he was out of town and needed a few days to investigate.  Really?

Wipro finally responded with this:

“Wipro has a multilayer security system,” the company wrote. “The company has robust internal processes and a system of advanced security technology in place to detect phishing attempts and protect itself from such attacks. We constantly monitor our entire infrastructure at heightened level of alertness to deal with any potential cyber threat.”

Somehow they thought this was a good response to the question about whether they had been hacked.  Source: Brian Krebs.

Now Wipro is confirming that, in spite of their wonderful “multilayer security system”, they were, in fact, hacked.

They are saying “We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign…”  All it takes to target your customer is ONE compromised account.

I am glad that they fell for an advanced attack and not just a plain vanilla one.  I am sure that you have noticed that the definition of an advanced attack is any attack that someone fell for.

As a customer of an outsourcer, you have a trust relationship with that company,  They have your data and probably access to your systems.  You are much less likely to question an email received from your outsource vendor as a potential phishing attack.

I know I probably sound like a broken record, but ….

Supply chain risk!

Vendor cyber risk management!

The hackers used Wipro to attack a number of their customers.

Wipro is certainly not the first BPO to be hacked and likely not the last, so you as a customer need to make sure that your vendors have an acceptable cyber risk management program.  This includes managing the risk of your vendor’s vendors. 

What they have not said yet (and I am sure that it will come out) is which of Wipro’s customers the attackers went after and were those attacks successful.  I bet that at least some of them were.   Source: Economic Times of India.