Breach of IT Services Colossus Latest Alarm for Third-Party Remote Access Risks
Every organization has security weaknesses—some are known, and others are unknown. Some are managed and addressed—or at least insured against—others are accepted with crossed-fingers. CISOs and employees down through the IT chain of command know there are places where they could have better controls in place, but they have to make calculated risks and tradeoffs based on resources, objectives, and priorities.
If you’re immersed in IT security, you invariably encounter a headline several times a week about the “weakest link” in security. It’s humans/employees, right? Possibly. Partly. Often, the weakest link in cybersecurity is your third-party vendors, and their humans. A BeyondTrust survey found that, on average, 181 vendors are granted access to an organization's network in a given week. That’s a lot of external, and frequently remote, access touchpoints to your systems. A 2018 Ponemon Institute and Opus survey found that 59 percent of organizations have suffered a breach that was caused by one of their vendors. Increasingly, attackers are prying their way in through those gaps and exploiting vendor access as the weak link.
When the weak link is the company that helps manage your IT infrastructure and security, it’s reason for a whole other level of alarm. This is the scenario confronting at least a dozen Wipro [NYSE: WIT] customers right now. While it’s still too early to tell whether the Wipro breach shares any commonalities with APT10 or other state-sponsored threat actors known to persistently target managed services providers (MSPs), such as in the “Operation Cloud Hopper” campaign, new evidence suggests other IT services companies (Infosys, Cognizant, etc.) have been targeted.
Wipro is India’s third-largest IT services company, with tens of thousands of customers worldwide, and over $8 billion in IT services revenue. The company has many Fortune 500 clients, and customers span oil and gas, automotive, aerospace, defense, banking, healthcare, and other industries. As an IT consulting and managed services provider (MSP) / managed security services provider (MSSP) for many customers, Wipro routinely has privileged remote access to customer systems and their most sensitive data, including trade secrets, government intelligence, and other information highly coveted by unsavory foreign governments and competitors. Wipro remotely manages customer infrastructure and security from a number of network operations centers (NOCs) and nine global security operations centers (SOCs).
This blog provides a brief recap of what we know about the Wipro breach, its potential implications, and 7 takeaways we can apply to lower the risk exposure and impact of supply chain cyberattacks affecting our MSPs and other vendors.
What We Know About the Wipro Security Breach
While there have been a number of news reports in the U.S. and India, the most substantive information has been provided by KrebsonSecurity, which broke news of the breach on April 15th and has continued to provide updates here and here.
According to KrebsonSecurity, the phishing attack responsible for the breach dates to March 11th, 2019, with subsequent phishing attacks the following week compromising 22 additional Wipro employees. Over 100 Wipro employees have allegedly been infected with ScreenConnect, a legitimate commercial remote support tool, which investigators believe was being used to remotely connect to Wipro customer systems. The same tool was used in 2016, when an attack launched from compromised accounts at Cognizant targeted Maritz Holdings, defrauding its third-party loyalty program. One compromised Wipro endpoint was allegedly attacked with the open source tool Mimikatz, which needs local administrator or SYSTEM rights (specifically the debug privilege) to read passwords and other credentials out of LSASS memory.
At least one Wipro customer has blocked all online access for Wipro employees. So far, the cybercriminals seem to be looking to capitalize swiftly on the breach, such as through gift card fraud at one affected retailer’s stores.
KrebsonSecurity first learned of the Wipro breach from a couple of trusted sources in early April. Apparently, the breach was initially discovered by Wipro customers who were targeted by a phishing campaign that used Wipro’s systems as its beachhead. KrebsonSecurity reached out to Wipro on April 9th for comment. After additional prodding, Wipro released a canned statement touting its robust security, while inexplicably failing to acknowledge the breach. As more Wipro customers and people familiar with the breach investigation approached KrebsonSecurity, Wipro has awkwardly tried to play catch-up. Ensuing Wipro statements, ostensibly issued to downplay the risk and to convey a sense of control over the situation, have fallen well short of candor and transparency, raising more questions than they answer.
For instance, Wipro said the initial breach of its systems originated via a zero-day and a phishing attack on some of its employees, whose systems were identified and subsequently isolated. Wipro stated that the zero-day was disclosed to its AV vendor. However, unless the zero-day is in the AV vendor’s own software, one would expect the vendor of the exploited product to be notified, not the AV vendor. It’s also possible (and has been widely speculated) that Wipro is using the term “zero-day” inaccurately.
Here’s how KrebsonSecurity succinctly encapsulated Wipro’s public responses:
“-Ignore reporter’s questions for days and then pick nits in his story during a public investor conference call.
-Question the stated timing of breach, but refuse to provide an alternative timeline.
-Downplay the severity of the incident and characterize it as handled, even when they’ve only just hired an outside forensics firm.
-Say the intruders deployed a “zero-day attack,” and then refuse to discuss details of said zero-day.
-Claim the IoCs you’re sharing with affected clients were discovered by you when they weren’t.”
7 Steps for Addressing Supply Chain Cybersecurity & Vendor Remote Access
While we’re early in the stages of learning about the Wipro breach and nowhere near a full post-mortem, there are certainly some takeaways you can apply to keep your organization protected from the fallout of any potential breaches to your MSP/MSSP or other third-party vendors.
1. Secure remote access: The Wipro cyberattackers exploited one of the most commonly abused threat vectors: remote access pathways. Traditional remote connectivity methods, such as VPNs, typically grant broad network-level access with few granular controls, so a stolen credential or a hijacked session hands an attacker that same access. Extending access to your vendors—even your most trusted partners, such as MSPs and managed security services providers (MSSPs)—should not mean relinquishing control, or watering down the security you would have for your own employees. When extending remote access to a vendor, such as via a remote support tool or for privileged remote access to various systems and applications, use enterprise remote access security solutions that can dial in different levels of access based on contextual parameters: the user, the sensitivity of the data/systems/applications accessed, time of day, and source IP address (possibly implementing geofencing). And any time a vendor touches your IT environment, you need to monitor and record the remote session, with alerting on any suspicious activity.
2. Enforce least privilege / secure privileged access: At least several phases of the Wipro cyberattack chain could have been prevented, or at least significantly mitigated, by enterprise-class privileged access management (PAM).
- ScreenConnect, a remote access tool, was planted on Wipro endpoints to launch remote access attacks to customer environments. While ScreenConnect itself does lack some remote access security features, such as credential injection (initiating sessions without revealing passwords) and centralized session management, the illicit seeding of this software as a backdoor could have been prevented by proper endpoint privilege management security that includes least privilege enforcement and application control components.
- Phishing attacks were apparently used to compromise Wipro employees. The attacker then launched phishing attacks from the compromised Wipro email accounts to target customers. Enforcing least privilege, that is, removing absolutely all unnecessary rights, not only helps prevent a malicious program from executing in the first place but, even if an endpoint is compromised, can prevent lateral movement, essentially leaving the malware/attacker marooned. An attacker or malware can only leverage the access and privileges the compromised account possesses.
- At least one compromised endpoint was allegedly attacked with the open source tool Mimikatz, which requires administrative privileges to dump credentials. Again, strong privileged access security controls, including privileged password management and least privilege, blunt this technique: a user who is not a local administrator cannot read LSASS memory with Mimikatz, and rotating privileged credentials limits the value of anything that is captured.
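The two endpoint behaviours named in this step, an unsanctioned remote-access tool being executed from a user-writable path and a Mimikatz-style read of LSASS memory, are what application control and privilege monitoring should catch. The following detection logic is an added example, not BeyondTrust's or Wipro's code and not Wipro IoCs: the events are constructed in a simplified Sysmon-like form (Event ID 1 process creation, Event ID 10 process access), and the allowed install roots, the list of tools treated as unsanctioned, the trusted LSASS readers and the access masks are assumptions to tune per environment.

```python
"""Endpoint detections for the two techniques described in step 2.

Added example, not BeyondTrust's or Wipro's code and not Wipro IoCs. Events
are constructed in a simplified Sysmon-like dict form; paths, users, tool
names and access masks are assumptions.
"""
import re

# Application-control allow-list: images must live under one of these roots.
# Binaries launched from Downloads, Temp or other user-writable paths are
# flagged, which is where a phished user runs an attacker-supplied installer.
ALLOWED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Remote-access tools other than the sanctioned corporate tool (assumed list).
UNSANCTIONED_RAT = re.compile(r"screenconnect|connectwise|anydesk|teamviewer", re.I)

# Processes that legitimately open LSASS (assumed; tune per environment).
KNOWN_LSASS_READERS = (
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\program files\\windows defender\\msmpeng.exe",
)

# Access masks commonly observed when Mimikatz reads LSASS (VM_READ plus query rights).
LSASS_READ_MASKS = {0x1010, 0x1410, 0x1FFFFF}
PROCESS_VM_READ = 0x10


def _norm(path):
    return path.lower().replace("/", "\\")


def check_process_create(ev):
    """Sysmon Event ID 1-like record with Image, CommandLine, User."""
    findings = []
    image = _norm(ev["Image"])
    if not image.startswith(ALLOWED_ROOTS):
        findings.append(f"app-control: {ev['Image']} ran outside allowed roots (user {ev['User']})")
    if UNSANCTIONED_RAT.search(image) or UNSANCTIONED_RAT.search(ev.get("CommandLine", "")):
        findings.append(f"unsanctioned remote-access tool: {ev['Image']}")
    return findings


def check_process_access(ev):
    """Sysmon Event ID 10-like record with SourceImage, TargetImage, GrantedAccess."""
    if not _norm(ev["TargetImage"]).endswith("\\lsass.exe"):
        return []
    source = _norm(ev["SourceImage"])
    mask = int(ev["GrantedAccess"], 16)      # Sysmon logs the mask as a hex string
    if source in KNOWN_LSASS_READERS:
        return []
    if mask in LSASS_READ_MASKS or mask & PROCESS_VM_READ:
        return [f"credential-dump pattern: {ev['SourceImage']} opened lsass.exe with 0x{mask:x}"]
    return []


def scan(events):
    """Route each event to the matching check; return (event index, finding) pairs."""
    out = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 1:
            found = check_process_create(ev)
        elif ev["EventID"] == 10:
            found = check_process_access(ev)
        else:
            found = []
        out.extend((i, f) for f in found)
    return out


# Constructed sample telemetry (not real Wipro data).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "User": "CORP\\jdoe"},
    {"EventID": 1, "Image": r"C:\Users\jdoe\Downloads\ScreenConnect.ClientSetup.exe",
     "CommandLine": "ScreenConnect.ClientSetup.exe", "User": "CORP\\jdoe"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(idx, finding)
```

The process-creation check is the detective side of application control: a preventive allow-list would have blocked the installer outright, but the same path and tool-name logic is what you alert on when enforcement is in audit mode.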
3. Strengthen authentication/authorization controls: Identity has long been at the heart of most cyberattacks. When identity management must extend beyond the perimeter, it becomes trickier to manage, but critical to get right. Requiring multi-factor authentication (MFA) to initiate a remote access session into customer environments could have made the stolen Wipro credentials far less useful to the attackers and helped keep the ScreenConnect-launched attacks from landing on their targets. Enforcing password security best practices, such as credential rotation (including one-time passwords for the most sensitive credentials), protects against some of the most common and effective attack types, including password guessing and password reuse.
While PAM is often considered a subset of identity and access management (IAM), the best solutions to manage privileged and non-privileged identities generally are developed by different, specialized vendors. However, it’s imperative that your IAM and PAM policies and tools are tightly integrated to support seamless workflows, while ensuring there are no security gaps in the management of identities of all types.
4. Train and communicate clearly to employees: Basic cybersecurity awareness training should be a core part of employee onboarding, and an ongoing practice for every internet-connected organization. When specific exploits, such as phishing, are found to be targeting an organization or its suppliers, it’s important to quickly alert employees, as well as any potentially impacted vendors and customers.
5. Service-level agreements (SLAs): No doubt, many Wipro customers (and their lawyers) are now scrutinizing their SLAs to get a clear picture of liability and potential recompense. In most cases, your vendors will be employing different security strategies and technologies than your own organization—and this imbalance is partly what contributes to third-party risk. Here are just a few details that need to be clearly spelled out:
- Based on level of access to your environment, do your vendor’s internal security controls meet your risk management criteria?
- Have they run a recent vulnerability assessment or pen test—and what were the results/follow-up actions?
- Should they be adhering to additional security protocols (yes!) when connecting to your IT environment?
- If a breach or indicators of compromise (IoCs) are uncovered by either party (vendor or customer), how and how soon is the other party to be notified?
6. Gain visibility over all vendor access: You absolutely must inventory and account for all vendors with access to your systems. This information should be routinely updated, with new accounts continuously discovered and onboarded. All vendor access should be monitored via session management and other tools. These tools should be able to help identify when a vendor’s access may have been compromised. The best privileged session management tools can initiate advanced workflows that pause or terminate suspicious sessions, ask for additional validation or approvals, and even completely revoke access for the compromised identity or for all accounts associated with the vendor.
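The inventory and discovery part of step 6, as an added example rather than BeyondTrust product logic. The inventory, the directory dump and the session records are constructed, and the `vnd-` naming convention for third-party accounts is an assumption; the reconciliation flags vendor accounts nobody has inventoried, accounts whose agreed access has expired but are still logging in, dormant accounts, and it produces the full revocation list for a vendor suspected of compromise.

```python
"""Vendor access inventory reconciliation (step 6).

Added example, not BeyondTrust product logic. The inventory, the directory
dump and the session records are constructed; the 'vnd-' naming convention
for vendor accounts is an assumption.
"""
from datetime import date, datetime, timedelta, timezone

VENDOR_PREFIX = "vnd-"   # assumed naming convention for third-party accounts

# Constructed inventory: approved accounts per vendor with an access end date.
VENDOR_INVENTORY = {
    "acme-msp": {"owner": "infra-team",
                 "accounts": {"vnd-acme-ops1": date(2019, 12, 31),
                              "vnd-acme-ops2": date(2019, 3, 31)}},
    "beta-backup": {"owner": "storage-team",
                    "accounts": {"vnd-beta-svc": date(2020, 6, 30)}},
}

# Constructed directory dump: every account carrying the vendor prefix.
DIRECTORY_ACCOUNTS = {"vnd-acme-ops1", "vnd-acme-ops2", "vnd-beta-svc", "vnd-legacy-dba"}

# Constructed session records from the session-management tool (UTC).
SESSIONS = [
    {"account": "vnd-acme-ops1", "host": "mon-01", "start": datetime(2019, 4, 15, 9, 0, tzinfo=timezone.utc)},
    {"account": "vnd-acme-ops2", "host": "mon-02", "start": datetime(2019, 4, 15, 9, 30, tzinfo=timezone.utc)},
    {"account": "vnd-legacy-dba", "host": "db-01", "start": datetime(2019, 4, 16, 2, 0, tzinfo=timezone.utc)},
]

NOW = datetime(2019, 4, 16, 12, 0, tzinfo=timezone.utc)   # constructed "current time"


def reconcile(inventory, directory, sessions, now, dormant_after=timedelta(days=90)):
    """Return (account, finding) tuples in a deterministic order."""
    findings = []
    expected = {acct for entry in inventory.values() for acct in entry["accounts"]}
    last_seen = {}
    for s in sessions:
        prev = last_seen.get(s["account"])
        last_seen[s["account"]] = s["start"] if prev is None else max(prev, s["start"])

    # 1. Accounts that look like vendor accounts but appear in nobody's inventory.
    for acct in sorted(directory):
        if acct.startswith(VENDOR_PREFIX) and acct not in expected:
            activity = "active" if acct in last_seen else "no sessions"
            findings.append((acct, f"not in vendor inventory ({activity}): assign an owner or disable"))

    # 2. Inventory entries with no matching directory account: the inventory is stale.
    for acct in sorted(expected - set(directory)):
        findings.append((acct, "in inventory but absent from directory: inventory stale"))

    # 3. Expired access still being used, and dormant accounts that should be reviewed.
    for vendor, entry in inventory.items():
        for acct, end in sorted(entry["accounts"].items()):
            seen = last_seen.get(acct)
            if end < now.date() and seen is not None and seen.date() > end:
                findings.append((acct, f"{vendor} access expired {end} but session seen {seen.date()}: "
                                       "terminate session and disable"))
            elif seen is None or now - seen > dormant_after:
                findings.append((acct, f"no session in {dormant_after.days} days: confirm still needed"))
    return findings


def revoke_vendor(vendor, inventory):
    """Every account to disable at once when a vendor is suspected compromised."""
    return sorted(inventory[vendor]["accounts"])


def run_sample():
    return reconcile(VENDOR_INVENTORY, DIRECTORY_ACCOUNTS, SESSIONS, NOW)


if __name__ == "__main__":
    for acct, finding in run_sample():
        print(f"{acct}: {finding}")
    print("revoke on acme-msp compromise:", revoke_vendor("acme-msp", VENDOR_INVENTORY))
```

Running this on a schedule, with the directory dump and session export replaced by live feeds, is the "routinely updated" inventory the step calls for; the revocation list is what you hand to the session manager when a vendor such as an MSP reports a breach.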
7. Diligently scan for and address vulnerabilities: It’s possible that the attack that first compromised Wipro indeed exploited a zero-day vulnerability. In this case, once a patch is available, enterprise vulnerability management solutions will be important in identifying where the vulnerability exists across an organization’s systems so that a patch, or other action, can be applied. Aside from preventing cyberattacks from gaining an initial foothold in an organization, closing vulnerabilities also limits the lateral and privilege escalation moves an attacker can make within an already compromised system. Some unknown vulnerabilities exist for years, even decades, in the wild. But eventually, what can be hacked will be hacked.
IT service providers (MSPs, MSSPs, etc.) are an essential part of the IT ecosystem, providing valuable know-how, infrastructure management, support, security, and other services that help organizations of all sizes plug gaps in resources and knowledge, and better scale their IT. IT service providers have privileged access to critical systems and sensitive data for their customers, which makes them a highly attractive target for cyberespionage campaigns and other threat actors. In the near term, the Wipro breach and its fallout will definitely underscore the risks of inadequately managed remote access / third-party access, and what we need to do to insulate ourselves from attacks on our vendor ecosystem.
For those interested in learning how this breach plays out, a good bet is to follow KrebsonSecurity.
For organizations who’d like to revisit or mature their controls around privileged access, remote access (including remote support), and/or vulnerability management, check out BeyondTrust.
Top 10 Expert Tips for Securing Vendor & Remote Employee Access (webinar with Derek A. Smith)
Gartner Magic Quadrant for Privileged Access Management (analyst research)
The Forrester Wave™: Privileged Identity Management, Q4 2018 (analyst research)
KuppingerCole Leadership Compass for Privileged Access Management (analyst research)