I have been alerting clients that I know use Wipro, but I may have missed some of you. It is being reported that IT outsourcing company Wipro Ltd. has been hacked through several phishing campaigns by what is believed to be a state-sponsored attacker.
According to recent reports, including one from KrebsOnSecurity, sources have stated that “Wipro’s systems were seen being used as jumping-off points for digital fishing expeditions targeting at least a dozen Wipro customer systems.” Apparently, at least 11 of Wipro’s customers have traced malicious and suspicious activity to systems that were communicating with Wipro’s network. It is disputed whether the attack lasted weeks or months.
According to Wipro, it was hit with a zero-day attack. Wipro has sent its affected clients a set of indicators of compromise, which include clues about the tactics, tools and procedures that attackers use and may help those clients determine whether they were compromised during the hop from Wipro’s system to a client’s system. A helpful Wipro client shared the indicators with Wipro, and Wipro then sent them to its other clients.
It is also being reported that the attack against Wipro began with a successful phishing email to one of Wipro’s employees, which was followed by several more successful phishing campaigns against other employees.
There is some concern that Wipro’s systems may still be compromised, so Wipro clients should be aware of this possibility, understand how it could be used to compromise their own systems, and prepare for it.
KrebsOnSecurity has published the indicators of compromise provided by Wipro clients, which can be accessed here.