Attackers Used Red-Team, Pen-Testing Tools to Hack Wipro

Breach of India-based outsourcing giant involved a remote access tool and a post-exploitation tool, according to an analysis by Flashpoint.

The breach of outsourcing firm Wipro is a cybercriminal operation using tools common to red teams and penetration testers and has likely been active as far back as 2015, according to an analysis published by threat-intelligence firm Flashpoint.
The group behind the breach has links to a phishing campaign that focuses on gathering credentials to gain access to corporate sites for administering gift card and reward programs, two researchers with threat-intelligence firm Flashpoint
stated in the analysis
. The attackers used ScreenConnect, a remote access tool (RAT) often used by penetration testers in support engagements, and Powerkatz, a post-exploitation tool often used by red teams, says Jason Reaves, a principal threat researcher at Flashpoint.
The tools used to breach companies are common to pen-testing and red teams, he says. The actors perform recon like traditional red teams and cloak themselves within that environment. They have a preference for the ScreenConnect utility but also utilize RDP, which is common in most corporate environments.
The breach of India-based Wipro, an outsourcing and consulting giant, has highlighted the danger that insecure third-party firms hold for their clients. As
first reported by cybersecurity journalist Brian Krebs on April 15
, the companys compromised systems have apparently been used as a jumping-off point to attempt to infiltrate the networks of at least 11 Wipro clients.
Flashpoint, however, found that telltale technical signs — known as indicators of compromise (IOCs) — link the attackers to at least 48 targets between 2015 and 2019. The companys research shows that at least half a dozen of the domains connected to the Wipro attack were phishing attacks linked to past campaigns.
We assess with high confidence that the threat actors are linked to the 2017 phishing campaign, says Joshua Platt, also a principal threat researcher with Flashpoint. Overlapping infrastructure was configured to utilize the resources of multiple servers in multiple campaigns.
Multiple sources told KrebsOnSecurity about the breach of Wipro systems. Krebs
published IOCs
consisting of domain names and malicious files used in the breach.
On April 17, Wipro acknowledged the breach in a
statement to
Economic Times
.
We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign, the statement read. Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact.
Flashpoint found that the attackers also used a tool known as Imminent Monitor, a remote administration tool, and linked the attack to other campaigns using PowerShell scripts, a common tactic of attackers to try to operate on compromised systems without attracting notice.
The incident is the latest example of how a third-party firm can provide attackers with a side door past a targets defenses. Only six in 10 companies actually vet their third-party providers security, leading to 59% of companies experiencing a data breach due to those suppliers,
according to the Ponemon Institute
.
Security professionals have criticized Wipro for its slow response. Clients and the public will likely not receive answers about the extent of the breach any time soon, said Tim Erlin, vice president of product management and strategy at Tripwire, in a statement on the breach.
We dont have all the information about this incident, and were not likely to get it anytime soon, he said. Cybersecurity professionals understand how long a forensic investigation can take, and how new information can be uncovered after the initial disclosure, but that reality isnt always clear to the public.
Flashpoint is offering the IoC
on its site in CSV or MISP formats
.
Meantime, a Wipro spokesperson confirmed that the company is investigating the attack and has taken steps to ratchet up its security. Wipro can confirm that it was among the targets of a coordinated and advanced phishing campaign reportedly directed against several companies. As soon as we became aware of the campaign, we began an investigation, identified potentially affected users, promptly informed the customers with whom these employees were engaged and began taking remedial steps to contain and mitigate any potential impact, the spokesperson said.
We have applied additional security measures to further strengthen our systems, and continue to monitor our enterprise infrastructure at a heightened level of alertness. We have engaged an independent forensic firm to assist us in the investigation, while our partners in the security domain who have an understanding of our operations are supporting us in the remediation efforts, the spokesperson said.
Related Content:
IT Outsourcing Firm Wipro Investigates Data Breach
Third-Party Cyber-Risk by the Numbers
Third Parties in Spotlight as More Facebook Data Leaks
Financial Data for Multiple Companies Dumped Online in Failed Extortion Bid
Everything I Needed to Know About Third-Party Risk Management, I Learned from Meet the Parents

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Attackers Used Red-Team, Pen-Testing Tools to Hack Wipro