
Wipro customers hacked, says Krebs. Nothing to see here, says Wipro.

Richi Jennings, Industry analyst and editor, RJAssociates

IT outsourcing outfit Wipro is under fire this week. Sources say it got hacked months ago, and since then has been used as a jumping-off point to hack its customers. Possibly by a state actor.

If that weren’t bad enough, when Brian Krebs—the journalist who reported the hack—asked the Bengaluru firm about it, his questions were ignored. When Wipro PR finally made a buzzword-bingo statement, it was only sent to Indian media.

And then Wipro executives contradicted the statement. Said execs went on to publicly badmouth the reporter.

This is a terrible example of how to act on a breach report. In this week’s Security Blogwatch, we break out the popcorn.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: enthusiasm.


Wipro PR go slow—oh no

What’s the craic? Brian Krebs cycles in with this breathless “exclusive”—Breach at IT Outsourcing Giant Wipro:

IT outsourcing and consulting giant Wipro … is investigating reports that its own IT systems have been hacked and are being used to launch attacks against some of [its] customers. … Wipro has refused to respond to questions about the alleged incident.

Earlier this month, … two trusted sources [said] that Wipro — India’s third-largest IT outsourcing company — was dealing with a multi-month intrusion from an assumed state-sponsored attacker. … The security experts said Wipro’s customers traced malicious and suspicious network reconnaissance activity back to partner systems that were communicating directly with Wipro’s network.

Vipin Nair, Wipro’s head of communications … wrote. “The company has robust internal processes and a system of advanced security technology in place to detect phishing attempts and protect itself from such attacks. We constantly monitor our entire infrastructure at heightened level of alertness to deal with any potential cyber threat.”

Wipro has not responded to multiple additional requests for comment. Since then, two more sources with knowledge of the investigation have come forward to confirm … the incident described above.

[One source] said it appears at least [12] companies were attacked. … The other source said Wipro is now in the process of building out a new private email network because the intruders were thought to have compromised Wipro’s corporate email system for some time.

Holy moly. Kate O’Flaherty asks What It Means For Supply Chain Security:

Wipro has come under fire before: In 2017, UK based ISP TalkTalk was fined after data belonging to 21,000 customers was exposed by rogue staff after the firm hired Wipro to resolve complaints and network problems. … In September 2018, one healthcare client, Nebraska Department of Health and Human Services suddenly ordered Wipro to halt its work on the upgrade to the state’s Medicaid enrolment system. … And just a month earlier the firm had paid $75 million to settle a lawsuit after it botched an SAP implementation on the US National Grid.

Many of Wipro’s customers cover industries that would be a major target for hackers – especially the state-sponsored [ones]. They include oil and gas, automotive, aerospace and defense, banking and healthcare organizations among other industries.

This breach should be a wakeup call to both outsourcing companies, and to firms that outsource their IT. … It’s important for outsourcing firms to look carefully at their own security – and for clients to be careful about who they trust.

Yet Wipro is still keeping schtum? Local scribbler Jochelle Mendonca did at least manage to get this flowery PR drawer statement—Wipro confirms attack:

“We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign. Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact,” … the Bengaluru-headquartered IT services company … said in a statement.

“We are leveraging our industry-leading cyber security practices and collaborating with our partner ecosystem to collect and monitor advanced threat intelligence for enhancing security posture. We have also retained a well-respected, independent forensic firm to assist us in the investigation,” the Wipro statement added.

Refuting [Krebs’] claim that Wipro was in the process of building a “new private email network” … chief executive Abidali Neemuchwala told reporters that “such attacks are common in the industry” and that [Krebs] had conflated various events. … “We think we have a pretty good email system.”

As Wipro executives addressed analysts on a post-earnings conference call, Brian Krebs … joined the call and asked them to spell out exactly what the inaccuracies in the report were. To which, Wipro COO Bhanumurthy BM responded by saying he would be willing to talk to the researcher on a ‘separate call.’

Pass the popcorn. Mister Krebs recycles his feels: [You’re fired—Ed.]

Right. They're happy to tell investors my story is full of holes but when I ask them to their face to say where the piece was in error they dodge the question. Definitely the behavior of a company that has nothing to hide.

It wouldn't bug me so much normally except prior to publication (and they had 3 days to respond) they refused to respond to every substantive claim one of my sources brought up about what was going on. Now they start vaguely picking nits but won't talk specifics.

They're also calling the incident the result of a zero-day attack. … Now would be a good time to share details of this "zero day" attack, no? If it's a true zero-day, then others need to be informed and there's no reason for the secrecy.

Wait. Pause. Which is it—phishing or zero-day? Mumbai-based Suhail Kazi—@tweepul—is horrified yet amused:

This is a horrible look for @Wipro. Hilarious too.

Whoever gave this response to Brian not only has no clue what he's blabbering but can't even play mgmt-buzzword BS bingo properly. What is surprising is how more such incidents from Indian IT shops don't show up more frequently.

And it's not restricted to just IT/netwk breaches. Back in the day when I was working for Indian & US IT mnc in India, I used to occasionally poke holes in physical access/parkg/employee/server room security (once just annoyed at BS HR emails) & response was as amateurish as this.

Even worse, in @Wipro's case they have their Chief HR talking about an alleged 0-day. This is gonna come back to bite their asses royally. … This is not just an IT breach but a laughable Corp-Comms disaster as well and a potential shareholder lawsuit liability for sure.

Ridonkulous.

And Ian Thornton-Trump—@phat_hobbit—has got a little list:

Adding this to the list of how not to do "PR for Incident Response." The only thing missing is threatening @briankrebs with legal action.

But can we see behind the hilarious PR fail? This Anonymous Coward avoids too much stereotyping:

Anyone who has worked with IT staff trained in India will understand the cultural difficulties in relying on the majority of such employees when it comes to pro-activeness and the reporting of problems.

They simply won't say 'no' … as they don't want to offend. They don't offer up ideas in case they are deemed 'wrong,' and they certainly don't pipe up when they know something is broken as … they fear they will be sacked.

The problem isn't the people, it's the way they are trained. Unless you can adapt your own practices to take these factors into account you will always struggle to get what you pay for. On the other hand if you can work out how to overcome these differences in approach then they can be remarkably helpful and loyal - but that's a soft skill that doesn't translate well onto a CV [resume].

Please note the 'majority' caveat in the first paragraph. When an exception is discovered, they are usually poached.

So what have we learned? Brian Honan is reminded of this lesson:

A salutary reminder that in today's business world you will not be judged for suffering a security breach but you will be judged on how well (or not) you respond to the breach. That also includes how to deal with media queries.

Meanwhile, Dan Chmielewski—@TecFlack—puts it more succinctly, distilling decades of PR experience into this advice:

Never lie to a reporter. They’ll know.

The moral of the story?

Actually, “Never lie to a reporter. They’ll know,” pretty much covers it.


And finally

Curb your media relations


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Argelis Rebolledo (cc:0)
