Wipro Breached, Hackers Attack Customer Accounts
Wipro has been hacked, and the attackers may have used Wipro’s systems to target at least a dozen customer systems, according to KrebsOnSecurity. It’s the latest example of hackers compromising MSPs (managed IT services providers) and IT consulting and outsourcing firms as a way into end-customer systems.
Updated April 17, 8:20 p.m. ET: Hacks between March 16 and 19 apparently netted more than 20 Wipro employees. The hackers apparently used an on-premises remote access tool called ScreenConnect to link remotely to Wipro client systems, which were then used to leverage further access into Wipro customer networks, KrebsOnSecurity reported. ScreenConnect is now owned by ConnectWise, and rebranded as ConnectWise Control.
MSSP Alert reached out to ConnectWise for comment. Chief Product Officer Jeff Bishop offered this perspective:
“As a remote support solution, ConnectWise Control provides the ability to remotely view and control devices across multiple operating systems with various deployment methods. ConnectWise Control and similar products are typically consumed by IT teams to improve efficiency by remotely fixing issues and applying updates. But, there are those malicious actors, who utilize remote control products in scams to exploit a consumer or company through misrepresentation, network vulnerabilities, or phishing. We work diligently to prevent the misuse of our products in these scenarios through online training, educational material, and by implementing AI to help us look for bad actors in our community. When detected or reported, we will work with the appropriate authorities to assist them to take action against these malicious actors.
If a company or individual believes that ConnectWise Control was used in an exploit or their instance has been exploited, we encourage them to report the details of the activity on this page.”
Meanwhile, the Wipro hack apparently involved a phishing campaign that breached the IT outsourcing firm’s corporate email system “for some time,” KrebsOnSecurity says. The hackers used Wipro’s network to launch attacks against roughly 11 customers, the report said. Customer names and specific damage information were not reported.
Wipro, at US$8.4 billion in annual revenues, is India’s third-largest IT outsourcing firm with MSP capabilities. The company has roughly 160,000 employees across six continents. Key rivals include Tata Consultancy Services, Infosys, HCL Technologies and Tech Mahindra, among others.
Wipro Breached: Company Statement
In a statement to Reuters, Wipro said:
“We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign.”
The company has retained an independent forensic firm to assist in the investigation, Reuters added.
Wipro announced earnings on Tuesday, April 16, and largely dodged questions about the alleged hacker incident.
Hackers Target MSP Software Platforms
This is the latest in a growing list of island-hopping attacks that specifically target MSPs and IT consulting firms as a potential doorway into end-customer systems.
Earlier MSP-related attacks involved:
- GandCrab ransomware targeting MSPs and their end-customers.
- The APT10 hacker group hitting a major MSP.
- A U.S. Department of Homeland Security warning about hackers targeting MSPs and CSPs.
In response, MSPs and MSSPs worldwide have been locking down their RMM (remote monitoring and management) software platforms with the latest software patches, double-checking network access settings, rolling out security awareness training, and double-checking business continuity plans to ensure backup and recovery systems will stand tall following potential ransomware attacks.
MSPs and MSSPs have also been rolling out multi-layer security systems, including next-generation endpoint protection and network and cloud services that often detect and eliminate phishing emails before they can reach users.