The Wipro Breach: Why Managed Service Providers Are At Risk

Solution providers are shoring up their defenses to thwart the alarming rise in foreign-government-sponsored hackers seeking to infiltrate them.


Wipro finds itself on a list that no company—especially one responsible for helping customers safeguard their prized assets—wants to appear on: cybersecurity breach victim.

The Bengaluru, India-based solution provider acknowledged Tuesday that "a few" of its employee accounts had been accessed during an advanced phishing campaign. The admission came less than a day after KrebsOnSecurity reported that Wipro had fallen prey to a multi-month intrusion from an "assumed state-sponsored attacker."

After being hacked, Wipro's systems were used for attacks targeting at least a dozen of the IT outsourcing giant's customers, according to the KrebsOnSecurity report. Breached Wipro employee accounts have been isolated, and the "handful" of Wipro customers found to be at risk have been notified, according to the company.


Wipro said it's also leveraging advanced threat mechanics for continued monitoring of customer networks.

The company didn't respond to questions about who is believed to have carried out the attack.

"We were able to detect and respond to this quite fast and we've had some customers appreciate it," Wipro CEO Abidali Neemuchwala told investors during a conference call Tuesday. "Since it is out in the media, we are talking to all the customers to avoid their anxiety."

Wipro's customers traced malicious and suspicious network reconnaissance activity back to partner systems that were communicating directly with Wipro's network, according to KrebsOnSecurity. File folders found in the intruder's back-end infrastructure were named after various Wipro clients, one source told the security blog.

The company is in the process of building out a new private email network because the intruders were believed to have compromised the company's corporate email system for quite some time, another source told KrebsOnSecurity.

Wipro is not alone.

After tracking an alarming increase in the number of private-sector businesses that have been attacked by foreign intelligence entities, the National Counterintelligence and Security Center in January launched a public campaign to educate businesses on the scope and scale of the risk.

Classifying the attacks as being both persistent and aggressive, the agency’s public campaign pointed to corporate supply chains as one of the primary targets, wherein adversaries attack a business’ suppliers—including managed service providers and technology vendors—to gain access to that business’ corporate network.

As evidence, the National Counterintelligence and Security Center spotlighted the December indictment of cyber actors “associated with China’s Ministry of State Security” for an attack aimed at more than 45 U.S. technology companies and U.S. government agencies, as well as several MSPs.

“Know the Risk, Raise Your Shield,” the National Counterintelligence Security Center’s public service campaign warned. In short, it said, get ready.

It’s a warning that many solution providers are heeding, and so are their customers.

“The more mature clients are now looking at us as a potential entry point into their own corporation,” said Mathew Newfield, chief information security officer at $2.8 billion solution provider Unisys. “They need to be sure beyond the shadow of a doubt that we have controls and programs in place that ensure we’re not going to be their weak link.”

That’s why Newfield expects 20 percent of the Blue Bell, Pa.-based solution provider’s customers this year to conduct in-person validations of Unisys’ infrastructure. The one- to two-day site visits allow customers to actually view the firewall rule sets, security information and event management (SIEM) logs and biometric data in the company’s console to ensure that it matches with written policies and procedures, according to Newfield.

Solution providers are no strangers to security threats. But knowing that some of their brethren MSPs were squarely in the sights of advanced persistent threat (APT) groups such as APT10—the group allegedly sponsored by China that was tied to the two hackers indicted in December—is chilling.

The APT10 attack has MSPs and solution providers of all stripes considering big security investments to shore up their defenses against this new threat: hackers backed by foreign governments looking to grab their customers’ trade secrets. MSPs are, in effect, being viewed by these well-funded hackers as an easy gateway to get a leg up for their countries in the hyper-competitive global marketplace.

Being breached is damaging to the brand of any business, but the reputation hit for a hacked MSP or managed security service provider (MSSP) would be “exponentially worse,” especially if the company was the vehicle used for an attack on its entire customer base, said Brian Hussey, vice president of cyber threat detection and response for SpiderLabs, the research and ethical hacking arm of Trustwave, an MSSP based in Chicago.

Hussey characterized it as one of the very few threats in the world that could truly shut down an organization.

“A breach is bad for anyone,” Hussey said. “But if you’re used as an avenue to breach your clients, you should expect clients to call the next day and terminate their contracts. The level of impact could be business-ending.”

One of the targets of APT10’s multiyear “Operation Cloud Hopper” campaign was $1 billion Norwegian business software provider Visma, a company that provides and manages cloud-based accounting, ERP and financial management applications.

APT10 first used Citrix Systems remote desktop credentials stolen from a Visma employee to access the company’s network on Aug. 17, 2018, and then returned repeatedly over the following two weeks, according to an analysis by threat intelligence vendor Recorded Future. It’s unclear how the credentials initially were compromised, Somerville, Mass.-based Recorded Future said.

The situation escalated on Aug. 30, 2018, when APT10 capitalized on its access in Visma’s network to move laterally and deploy Trochilus malware at two separate access points. Trochilus is difficult to spot and made it possible for APT10 to execute malicious activities remotely.

APT10 used credentials stolen during the attack to access and copy a file containing data for Visma’s corporate network. The stolen data was then removed and uploaded to a Dropbox account, according to Recorded Future and Rapid7 research.

“Visma sees evidence of similar attempts against their systems quite often, but since this one was successful in stealing something and was quite advanced, they want to put out a warning,” Recorded Future said.

Visma declined to comment beyond the report.

While Visma was the only company to voluntarily identify itself as an attack victim, Reuters reported that the managed services businesses of Hewlett Packard Enterprise and IBM were also among the entities breached by the Chinese hackers in the Operation Cloud Hopper attack. IBM declined to comment for this story, while HPE—which divested that part of its business in 2017 as part of a spin-in merger to form DXC Technology—didn’t respond to requests for comment. DXC has also declined requests to comment on the reported attack.

The massive campaign against IT firms ultimately led to U.S. Department of Justice indictments against Chinese nationals Zhu Hua and Zhang Shilong in December 2018 for computer hacking, conspiracy to commit wire fraud and aggravated identity theft. Since no extradition treaty exists between China and the U.S., Zhu and Zhang are unlikely to ever see the inside of an American courtroom.

The indictments also are unlikely to deter hackers from China or elsewhere from going after MSPs, MSSPs or other types of solution providers in the future, threat researchers told CRN. If anything, APT10’s attacks underscore just how much value there is in taking advantage of the trusted relationship between MSPs and their customers.

Large Payouts, Limited Risk: Why Countries Are Turning To Hacking

Many authoritarian nations are grappling with both a lack of new intellectual property and wealth as well as an aging population, making organic development difficult, according to Sam Curry, chief security officer of endpoint detection and response vendor Cybereason, based in Boston. As a result, many of these countries are looking to exert more influence outside their own borders, Curry said.

Sending missiles, planes and soldiers overseas can be costly, but sending bots, exploits and hacks overseas offers the promise of large payouts and a high degree of success with only limited risk, he said.

“I call it the great equalizer,” Curry said. “If you can’t afford Donald Trump’s Space Force, you’re going to build a cyber force. There’s a much lower price tag and the same results.”

Although their level of sophistication varies, Trustwave’s Hussey said every developed country in the world now has nation-state groups working on their behalf.

“It’s an inexpensive way to near-anonymously have a major impact on political opponents and adversaries,” he said.

The highest risk of threats to Western entities comes from nation-state groups operating with the backing of the Chinese, Iranian, Russian and North Korean governments, industry experts told CRN.

“A nation-state actor has the resources,” said Newfield of Unisys, No. 21 on the 2018 CRN Solution Provider 500. “They have the willpower and the zero-day toolkits that most threat actors wish they had.”

Run-of-the-mill cybercriminals typically turn to ransomware, data exfiltration or business email compromise to obtain credit card numbers or other information that can be easily monetized, said Andrew Morrison, cyber risk services principal at New York-based Deloitte, No. 15 on the 2018 CRN Solution Provider 500. These cybercriminals tend to be opportunistic, according to Morrison, and will move on quickly if they’re unable to monetize the data.

But for most nation-states, the motivation differs, Morrison said.

“Governments are rarely looking for money,” he said. “They’re pretty well-funded. What they’re looking for is intelligence and reconnaissance on an adversary.”

As a result, Morrison emphasized that businesses need to look beyond defending account and credit card information and safeguard credentials or other information contained in emails that could give foreign actors a better understanding of the nature of the business.

“If you’re in the sight of a nation-state, it’s because you’re an intelligence priority,” said Don Smith, senior director of the Counter Threat Unit at Atlanta-based MSSP Secureworks. “The fact that you’ve defeated them once isn’t going to stop them from coming back again.”

Nation-state actors on an MSP’s network want to stick around for a long period of time without being detected, said Trustwave’s Hussey, and will therefore make additional efforts to be quiet by deleting log entries and forensic records and minimizing the use of traditional malware or malicious software.

Instead, Hussey said foreign actors prefer to focus on system admin tools, PowerShell and regular command lines within Windows to decrease their likelihood of being noticed. Even if the MSP’s customers are regularly changing passwords and updating their security, Hussey said the adversary will eventually move onto the customer’s network successfully as long as they maintain a presence on the MSP’s network.

“The key is to stay quiet and increase their dwell time,” Hussey said.

How Do Nation-States Strike MSPs? Call It An Infinite Timeline

Nation-states tend to initially target the benign systems of an MSP such as human resources, time and attendance or the community support teams since those systems are typically easier to penetrate, said William Tsing, head of threat operations for endpoint security provider Malwarebytes, Santa Clara, Calif. From there, Tsing said the adversary will attempt to pivot toward its primary objectives since many businesses don’t have proper network segmentation in place.

Attacks funded by foreign governments essentially operate on an infinite timeline, Tsing said, meaning that adversaries can keep at it for another year if the attack doesn’t work in its first year. Nation-state groups often develop multiple exploits around a single vulnerability and could, for instance, leverage open-source intelligence to send 100 different targeted phishing emails to a person of interest.

If an MSP’s logging system catches the first exploit attempt, Tsing said the nation-state group will usually have several more in hand.

Adversaries tend to rely on open-source frameworks or tools like PowerShell for testing the defenses of businesses since the use of a common platform makes attribution more difficult, said Secureworks’ Smith. Avoiding attribution means that the victimized party is unable to retaliate and ensures opponents don’t know who the attacker is interested in or what information they’re looking for, Smith said.

Nation-state groups prefer to establish several footholds within target MSPs and then attack using multiple points of processing and activity to avoid raising any alarm bells, said Peter Evans, chief marketing officer for Denver-based security solution provider behemoth Optiv, No. 26 on the 2018 CRN Solution Provider 500.

In addition, threat actors can be more easily tracked and captured if they’re coming from a certain location with a certain domain name. For this reason, nation-state groups tend to change domain names constantly and continuously so that defenders are unable to compile a useful history of what the domain name has done, Evans said.

Nation-states have also capitalized on Remote Desktop Protocol (RDP) programs with vulnerabilities to get into the environment of an MSP’s customers, according to Trustwave’s Hussey. Customers and MSPs should keep a close eye on which applications need to be accessed remotely, have two-factor authentication in place, and cut access once the work has been completed, Hussey said.

Nation-state campaigns are typically able to take mundane exploits such as Microsoft Word macro vulnerabilities and incorporate them into a broader narrative that successfully deceives the defender, said Craig Williams, director of outreach for San Jose, Calif.-based Cisco Systems’ Talos threat intelligence unit. For instance, he said the adversary could reply to an existing email thread with a purportedly relevant attachment that’s actually a malicious file.

Zero-day vulnerabilities are very expensive nowadays, with a never-before-seen attack against a mobile device costing into the six or seven figures, Williams said. But by crafting a really good story and remaining persistent, Williams said nation-states can still enjoy lots of success without emptying their wallets for a zero-day exploit.

Larger Threat Surface Makes MSPs A More Appealing Target

MSPs need to have privileged access to a customer’s IT infrastructure so that they can manage and monitor its network, said Optiv’s Evans.

“If I’m breaking into the MSP, I’m essentially getting the supervisor’s key to the entire apartment complex,” Evans said.

Enterprise customers typically have internal-facing IT tools and infrastructure since they are the only ones needing to use it, according to Shay Nahari, head of Red Team Services at privileged access security vendor CyberArk, Newton, Mass. But MSPs have to publicly expose a decent portion of their IT infrastructure since they are interfacing with many customers, Nahari said.

As a result, Nahari said nation-state actors going after MSPs have more threat surface to probe for vulnerabilities. “The more complex the infrastructure is, the harder it is to protect,” Nahari said.

In addition, Unisys’ Newfield said that MSSPs collect security event data for all of their customers, meaning that a nation-state with access to that information could easily identify the weaknesses in a corporation.

Newfield said these logs would paint a rich tapestry for hackers of where the business is having problems and indicate where adversaries should focus their efforts in an easy-to-decipher way.

“You’re able to read data that paints a story of where to focus,” Newfield said.

Most MSSPs serve customers in a wide variety of industries, which makes it financially unfeasible to cater their defenses to the full range of threats, according to Malwarebytes’ Tsing. If only one of 500 customers is of interest to a nation-state actor, Tsing said the MSP might determine it isn’t cost-effective to mount robust defenses for that customer.

MSPs and MSSPs have unprecedented levels of access through customers’ firewalls into both their customers’ networks and technology decisions thanks to the level of trust businesses put in their IT service provider. That makes them plum targets that offer big paydays for foreign threat actors.

“Rather than going after the leaves of the tree, you go after the branches, you go after the trunk, you go after the root,” said Cybereason’s Curry.

Four Countries That MSPs Should Worry About

Among the foreign-government-funded hacking groups, those tied to China pose the most serious threat, said Malwarebytes’ Tsing. Chinese hacking groups simply have more resources and a deeper bench of talent to draw from than their counterparts in other countries, he said.

While other countries often fund third-party contractors to launch cyberattacks on their behalf to control costs and maintain plausible deniability, the strength of China’s economy means it doesn’t have to use the contractor model nearly as much as other countries, according to Tsing.

Chinese threat actors have historically broken into organizations via spearphishing emails that convince employees to open a link or attachment that drops a malicious file onto their machine, according to Charles Carmakal, vice president with Milpitas, Calif.-based global incident response titan FireEye’s Mandiant Consulting organization. From there, Carmakal said the Chinese groups are able to move laterally and escalate privileges.

Broadly speaking, Carmakal said the Chinese government backs offensive cyber operations to steal data and information that can be leveraged to make knock-off versions of popular products or help state-owned enterprises. Groups backed by the Chinese government tend to operate in a methodical fashion and follow a relatively strict set of rules, Carmakal said.

While APT10 has pursued critical business hubs across a variety of verticals through MSPs and ISPs, other Chinese hacking groups have carried out supply chain attacks focused more narrowly on specific industries, said Mark Sangster, vice president and industry security strategist at managed detection and response vendor eSentire, Cambridge, Ontario.

Chinese-backed APT19 has been targeting law firms and other support organizations that service financial institutions in hopes of using their VPN credentials and administrative controls to go after their banking clients, Sangster said. APT20, meanwhile, has carried out targeted phishing campaigns against supply chain vendors servicing government customers like the U.S. Department of Defense, he said.

Chinese hackers tend to go directly after organizations with defense data in hopes of stealing that information, said FireEye’s Carmakal. In situations where Chinese threat actors are targeting MSPs, though, Carmakal said the ultimate target usually has data that could be used for commercial or economic purposes.

“The Chinese government doesn’t hack just for the sake of hacking,” Carmakal said. “There’s a very deliberate objective, and that deliberate objective is usually to steal data.”

China is not alone in its hacking prowess.

Russia is one of the most capable nation-state actors out there, Carmakal said, with access to incredibly sophisticated talent to carry out offensive operations as well as the capability to target any industry or sector at any moment in time. Russia makes very quick decisions about which entities or groups it wishes to target in offensive operations, Carmakal said.

A lot of Russian-backed cyber activity is politically motivated, Carmakal said, and tends to be focused on military or defense objectives. Russian groups tend to hit organizations with tight government ties such as defense contractors, universities or nonprofits with phishing emails in hopes of eventually gaining access to the parts of the government doing defense work, according to Carmakal.

Groups associated with Russian military intelligence such as APT28 have focused heavily on suppliers and vendors serving utility providers in the U.S. to capitalize on those trusted relationships and gain access to the utility company’s networks, said Priscilla Moriuchi, director of strategic threat development at Recorded Future. The IT supply chain has also been targeted in some of these efforts, Moriuchi said.

Chinese-affiliated hacking groups currently seem to be targeting MSPs and ISPs at a higher rate than their Russian counterparts, Moriuchi said. The Chinese are primarily interested in stealing and collecting intellectual property, Moriuchi said, while the Russians are more focused on gaining access to energy and utility networks.

The Iranians, meanwhile, have focused on tech outsourcers with contractors placed in firms of interest, Carmakal said. One avenue of attack for Iranian-backed groups might be breaking into the organization’s email system, searching for emails with terms such as “password,” “VPN” or “token” in them, and then using the information contained within the relevant email to breach the target organizations, he said.

Iranian adversaries like password spraying, Carmakal said, where they’ll try a commonly used password across a large set of accounts or single sign-on portal in hopes of gaining access to applications, virtual desktop infrastructure or remote access gateways. They also rely on credential stuffing, where already-breached passwords from a target’s social media pages will be tested against their corporate accounts.
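One way a defender can spot the spraying pattern Carmakal describes, as an added example that is not from the article or from any vendor quoted in it: it scans constructed authentication log lines (the log format and the thresholds are assumptions, not any product's defaults) for a source that fails against many distinct accounts with only a guess or two each, then lists which of those accounts the same source later logged into, so those get reset and their sessions revoked first.

```python
"""Password-spray detection over constructed authentication log lines.

Added example, not from the CRN article or any vendor quoted in it.
Log format is invented: one event per line, `timestamp user source_ip result`,
roughly what an SSO portal, VDI broker or remote access gateway might export.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries one guess against six accounts and
# later succeeds on one of them (spray pattern); 198.51.100.4 is a single
# user mistyping their own password, which should not raise an alert.
SAMPLE_LOG = """\
2019-04-16T08:00:01 alice 203.0.113.7 FAIL
2019-04-16T08:00:09 bob 203.0.113.7 FAIL
2019-04-16T08:00:17 carol 203.0.113.7 FAIL
2019-04-16T08:00:25 dave 203.0.113.7 FAIL
2019-04-16T08:00:33 erin 203.0.113.7 FAIL
2019-04-16T08:00:41 frank 203.0.113.7 FAIL
2019-04-16T08:03:10 erin 203.0.113.7 SUCCESS
2019-04-16T08:10:00 grace 198.51.100.4 FAIL
2019-04-16T08:10:06 grace 198.51.100.4 FAIL
2019-04-16T08:10:15 grace 198.51.100.4 FAIL
2019-04-16T08:10:40 grace 198.51.100.4 SUCCESS
"""


def parse_log(text):
    """Turn the whitespace-separated lines into event dicts with real timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "result": result})
    return events


def detect_spray(events, window=timedelta(minutes=30),
                 min_accounts=5, max_per_account=2):
    """Flag sources whose failures in one window hit many accounts, few tries each.

    A lockout-style rule (many failures on one account) misses spraying by
    design; the distinguishing signal is breadth across accounts from one source.
    """
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            failures[ev["src"]].append(ev)
    alerts = []
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):          # sliding window over this source's failures
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in evs[start:end + 1])
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account
                    and (best is None or len(per_user) > len(best["accounts"]))):
                best = {"src": src, "accounts": sorted(per_user),
                        "first": evs[start]["ts"], "last": evs[end]["ts"]}
        if best:
            alerts.append(best)
    return alerts


def compromised_after_spray(events, alerts):
    """Accounts a flagged source authenticated to after its spray began."""
    hits = set()
    for alert in alerts:
        for ev in events:
            if (ev["src"] == alert["src"] and ev["result"] == "SUCCESS"
                    and ev["ts"] >= alert["first"] and ev["user"] in alert["accounts"]):
                hits.add(ev["user"])
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = detect_spray(evs)
    print(found)                                    # one alert for 203.0.113.7
    print(compromised_after_spray(evs, found))      # ['erin']
```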

Threat groups backed by Iran tend to destroy systems and wipe records in an effort to maximize overall business disruption for the affected companies, according to Carmakal. However, Moriuchi said Iranian operations tend to be more focused on businesses based in competing Middle Eastern or Central Asian countries rather than the companies operating out of the U.S. or other Western nations.

Hackers backed by North Korea tend to be focused on financial or cryptocurrency platforms, particularly in developing nations where there are fewer security controls and a less mature operational process, said Adam Meyers, vice president of intelligence for next generation endpoint security vendor CrowdStrike, Sunnyvale, Calif.

Given the impact of foreign sanctions on North Korea’s economy, Moriuchi said generating revenue is the top priority for the nation’s cyber operations. “Their point isn’t to steal information,” Moriuchi said. “It’s to make money for the state.”

North Korean threat actors have historically targeted their victims directly, said Carmakal, who doesn’t recall any instances where they’ve gone through a supplier or a different third party to get at their ultimate target.

Although managed and shared services aren’t within North Korea’s wheelhouse today, Meyers does expect to see the country conduct more economic espionage activities in the coming year against companies in the energy, mining, machinery and agricultural sectors. As North Korea focuses more on economic espionage, Meyers believes MSPs could become more of a target.

The Importance Of Companies Lifting The Veil Of Secrecy

As for Visma, an internal alert and prompt warning from its intelligence systems allowed the software vendor to expel the hackers from China’s APT10 group before any of their customers’ systems were affected or any customer data was compromised. But unlike most companies that succumb to a nation-state attack, Visma didn’t make any effort to keep its experience a secret.

“The response from most companies is to eradicate the intruders, clean up their network and shut their mouths, keep quiet about it,” Moriuchi said. “But Visma took a different approach. They really felt like there was deterrent value to putting the information in the public sphere.”

Visma contracted with Recorded Future to dig deeper into the incident report and gather additional intelligence to ensure proper attribution and to better understand what the attacker was trying to accomplish. And once Visma had conclusive evidence that APT10 had performed the theft, it allowed Recorded Future to use the company’s name in a 36-page cyberthreat analysis that detailed the attack.

“We believe there’s deterrent value for a company that faces up to its attackers and says, ‘We know what you’re doing, we know what you’re after, and we’re going to put up a fight. So if you try again, we’ll be ready,’” he said.

O’Ryan Johnson contributed to this story.