
Wipro wasn't a one-off: Same hacking crew targeted scores of firms, big and small – researchers

Thanks in large part to a counter-phishing product. Doh!


The criminals behind the Wipro phishing attack from earlier this year also targeted Western Union, Expedia, Rackspace and a whole host of other big companies, according to threat intel outfit RiskIQ.

In a report published this morning the firm said the Wipro attackers were running a much larger series of phishing campaigns, aimed at extracting cash from hapless businesses whose files had been forcibly encrypted.

Indian outsourcing behemoth Wipro discovered earlier this year that its email systems had been compromised, seemingly for some time, by black hats using it as a jumping-off point to target Wipro customers.


RiskIQ said it had “identified at least five distinct attack campaigns based off analysis of the actor-owned infrastructure,” having analysed “both Passive DNS and SSL certificate data”.

Targeted companies included Western Union, Moneygram, Rackspace, Capgemini, Wipro, Staples, Costco, Expedia, Virgin Pulse, Messagelab and Sendgrid.

A reasonably sophisticated group* with some knowledge of how to cover its traces was behind the attacks, and was said to have used off-the-shelf phishing templates to compromise the Indian outsourcer, as well as hitting a number of other companies.

Those templates appeared to have been drawn from a counter-phishing training product marketed by Swiss pentesting firm Lucy Security – though Lucy has strenuously denied to The Register that one of its software products was used in the Wipro compromise.

Templates from a Lucy counter-phishing training product were identical to those used by the Wipro attackers, according to RiskIQ, which said in its report: "Lucy comes with a variety of default phishing templates, and one of these templates was used during most of the phishing campaigns – including the now notorious Wipro case."

"There is no evidence that [the hackers] used Lucy software, other than using the template design, and our analysis demonstrates significant evidence to the contrary," said Colin Bastable, chief exec of Lucy Security. FireEye, which also investigated the group behind the Wipro hack following infosec journalist Brian Krebs' work to reveal it in the first place, concurred with Bastable in that Lucy's software itself did not appear to have been used by the crims.

FireEye's CTO of strategic services, Charles Carmakal, told The Register: "The actor commonly uses public or commercially available tools that may already exist in victim environments, such as ScreenConnect, EMCO Remote Installer, CleverControl, Teramind, and Kaseya, to maintain persistence and move laterally."

PowerShell and Mimikatz

The Wipro attackers first appeared in May 2016, according to RiskIQ, and went in four distinct waves, mainly targeting services-based businesses such as digital marketing agencies, IT firms, point-of-sale and payment transfer companies and gift card providers. Later waves of attacks retargeted some of the same companies, though each wave saw around 20 to 25 separate businesses being phished.

Those phishing pages were online for just a couple of days – long enough for targeted victims to see the pages but short enough, so the attackers hoped, to evade detection and takedown.
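The two pivots RiskIQ names above, passive DNS and TLS certificate data, plus the short lifetime of the pages, are what let an analyst stitch separate phishing hosts into one campaign. The script below is an added illustration of that technique and is not RiskIQ's tooling or data: every passive-DNS record and certificate observation in it is constructed, and the field layout is an assumption. Domains that share a resolving IP or a certificate fingerprint are linked transitively into clusters, and any domain whose whole resolution window is a few days long is flagged.

```python
"""Pivot on passive DNS and TLS certificate data to group phishing hosts into
campaigns, then flag the short-lived domains that marked these operations.

Added illustration of the analytic technique, not RiskIQ's tooling or data:
every record below is constructed and the field layout is an assumption.
"""
from collections import defaultdict
from datetime import date

# Constructed passive-DNS records: (domain, resolved IP, first seen, last seen).
PDNS = [
    ("login-corp-mail.example", "198.51.100.10", date(2019, 2, 3), date(2019, 2, 5)),
    ("secure-owa-portal.example", "198.51.100.10", date(2019, 2, 10), date(2019, 2, 11)),
    ("hr-benefits-update.example", "198.51.100.22", date(2019, 3, 1), date(2019, 3, 2)),
    ("shop-rewards-centre.example", "203.0.113.7", date(2018, 6, 1), date(2019, 4, 1)),
]

# Constructed TLS certificate observations: (domain, certificate fingerprint).
# One certificate reused across unrelated-looking hosts is a strong pivot.
CERTS = [
    ("login-corp-mail.example", "sha256:aa11"),
    ("hr-benefits-update.example", "sha256:aa11"),
    ("secure-owa-portal.example", "sha256:bb22"),
    ("shop-rewards-centre.example", "sha256:cc33"),
]


def cluster_domains(pdns, certs):
    """Group domains that share a resolving IP or a certificate fingerprint.

    Returns a list of clusters, each a sorted list of domains. Links are
    transitive: A shares an IP with B and a cert with C, so A, B and C cluster.
    """
    by_pivot = defaultdict(set)            # ("ip", value) / ("cert", value) -> domains
    for domain, ip, _first, _last in pdns:
        by_pivot[("ip", ip)].add(domain)
    for domain, fingerprint in certs:
        by_pivot[("cert", fingerprint)].add(domain)

    neighbours = defaultdict(set)          # domain -> domains sharing any pivot with it
    for members in by_pivot.values():
        for domain in members:
            neighbours[domain] |= members - {domain}

    clusters, seen = [], set()
    for start in sorted(neighbours):       # deterministic order for the reader
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:                       # depth-first walk of the pivot graph
            domain = stack.pop()
            if domain in component:
                continue
            component.add(domain)
            stack.extend(neighbours[domain] - component)
        seen |= component
        clusters.append(sorted(component))
    return clusters


def short_lived(pdns, max_days=3):
    """Domains whose entire passive-DNS lifetime fits inside max_days.

    Pages kept up for only a couple of days dodge takedown; the narrow
    first-seen/last-seen window is itself an indicator worth alerting on.
    """
    return sorted(d for d, _ip, first, last in pdns if (last - first).days <= max_days)


if __name__ == "__main__":
    for cluster in cluster_domains(PDNS, CERTS):
        print("campaign:", ", ".join(cluster))
    print("short-lived:", ", ".join(short_lived(PDNS)))
```

With real feeds the same join runs over tens of thousands of records, and the useful additions are the ones the constructed data leaves out: WHOIS registrant and name-server pivots, and a filter that drops shared hosting IPs and CDN certificates, which would otherwise glue unrelated sites into one false campaign.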

Having phished their way into the target company, the attackers would then deploy and use the ScreenConnect remote control tool, as well as the EMCO Remote Installer. Once ScreenConnect was in place on a machine inside the target, the hackers then ran "small PowerShell scripts to rename the ScreenConnect product name on compromised machines."

That PowerShell script, named Babysharkpro by the criminals, would also execute a custom Mimikatz build in memory, which would dump the credentials of recently logged-in users on that particular device. Mimikatz is rather popular at the moment among black hats, as a number of telcos around the world recently found out the hard way.

"The fact that it was custom-compiled makes it an interesting sample – it does not ever hit the filesystem, as it is executed in memory only," commented RiskIQ.
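Because the credential dumper never touches disk, the artefacts a defender has left are the renamed remote-control service and the PowerShell that loaded the binary. The hunt below is an added example written for this page, not code from RiskIQ, FireEye or the attackers. Its service inventory and PowerShell script block log events (event ID 4104) are constructed stand-ins; the field names, the use of Set-Service as the renaming mechanism and the assumption that the client service image is still called ScreenConnect.ClientService.exe should all be checked against your own telemetry.

```python
"""Hunt for the post-phishing tradecraft described above: a ScreenConnect
client service running under a different product name, and PowerShell that
loads a credential dumper straight into memory.

Added example, not code from RiskIQ, FireEye or the attackers. Records are
constructed stand-ins for a service inventory and for PowerShell script block
log events (event ID 4104). Field names, the Set-Service rename and the image
name ScreenConnect.ClientService.exe are assumptions to verify locally.
"""
import re

# Constructed service inventory: host, service name, display name, image path.
SERVICES = [
    {"host": "ws01", "name": "ScreenConnect Client (1a2b3c4d)",
     "display": "ScreenConnect Client (1a2b3c4d)",
     "path": r"C:\Program Files (x86)\ScreenConnect Client (1a2b3c4d)\ScreenConnect.ClientService.exe"},
    {"host": "ws02", "name": "WinUpdateSvc",
     "display": "Windows Update Helper",
     "path": r"C:\Program Files (x86)\Windows Update Helper\ScreenConnect.ClientService.exe"},
    {"host": "ws03", "name": "Spooler", "display": "Print Spooler",
     "path": r"C:\Windows\System32\spoolsv.exe"},
]

# Constructed script block log records; event 4104 carries the decoded script text.
SCRIPT_BLOCKS = [
    {"host": "ws01", "event_id": 4104,
     "text": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB | Remove-Item"},
    {"host": "ws02", "event_id": 4104,
     "text": "$b=[Convert]::FromBase64String($blob);"
             "[System.Reflection.Assembly]::Load($b)|Out-Null;"
             "Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords'"},
    {"host": "ws03", "event_id": 4104,
     "text": "Set-Service -Name 'ScreenConnect Client (1a2b3c4d)' -DisplayName 'Windows Update Helper'"},
]

# Each indicator alone is noisy (Base64 decoding is everywhere); require several.
MIMIKATZ_INDICATORS = {
    "mimikatz-cmdlet": re.compile(r"Invoke-Mimikatz", re.I),
    "sekurlsa-module": re.compile(r"sekurlsa::", re.I),
    "reflective-load": re.compile(r"\[System\.Reflection\.Assembly\]::Load\(", re.I),
    "base64-payload": re.compile(r"FromBase64String", re.I),
}


def renamed_screenconnect(services):
    """Hosts where the ScreenConnect client service runs under another name.

    The image path still ends in ScreenConnect.ClientService.exe, but neither
    the service name nor the display name mentions ScreenConnect.
    """
    hits = []
    for svc in services:
        image = svc["path"].rsplit("\\", 1)[-1].lower()
        if image != "screenconnect.clientservice.exe":
            continue
        labels = (svc["name"] + " " + svc["display"]).lower()
        if "screenconnect" not in labels:
            hits.append((svc["host"], svc["name"], svc["display"]))
    return hits


def in_memory_credential_dump(events, min_indicators=2):
    """(host, matched indicator names) for script blocks that look like an
    in-memory Mimikatz load. The binary never hits disk, so the logged script
    text is the artefact to inspect."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 4104:
            continue
        matched = sorted(name for name, rx in MIMIKATZ_INDICATORS.items()
                         if rx.search(ev["text"]))
        if len(matched) >= min_indicators:
            hits.append((ev["host"], matched))
    return hits


def service_rename_commands(events):
    """Hosts where a script block changed a ScreenConnect service's display name."""
    rx = re.compile(r"Set-Service\b.*ScreenConnect.*-DisplayName", re.I)
    return [ev["host"] for ev in events
            if ev.get("event_id") == 4104 and rx.search(ev["text"])]


if __name__ == "__main__":
    print("renamed ScreenConnect services:", renamed_screenconnect(SERVICES))
    print("in-memory credential dumps:", in_memory_credential_dump(SCRIPT_BLOCKS))
    print("service renames via PowerShell:", service_rename_commands(SCRIPT_BLOCKS))
```

Two caveats a responder would want. Event 4104 only exists if script block logging is enabled before the intrusion, and an operator with local admin can switch it off, so pair this with process-access auditing on lsass.exe (Sysmon event 10) rather than relying on script text alone. And the renamed-service check is generic: the same name-versus-image mismatch catches any legitimate remote-management tool an intruder has relabelled, which is exactly the pattern FireEye describes above.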

RiskIQ's previous research includes a plausible explanation for the British Airways hack (compromised JS on the airline's credit card payment page) as well as detailed tracking of miscreants using the Magecart malware. ®

Bootnote

* Although RiskIQ named what appeared to be two individuals it had identified from Whois records linked to domains used to host early iterations of their ransomware's command-and-control infrastructure, El Reg has decided not to reproduce those names or details. There is, after all, little to suggest that those identities themselves hadn't been stolen by the criminals.
