Wipro Intruders Targeted Other Major IT Firms

The crooks responsible for launching phishing campaigns that netted dozens of employees and more than 100 computer systems last month at Wipro, India’s third-largest IT outsourcing firm, also appear to have targeted a number of other competing providers, including Infosys and Cognizant, new evidence suggests. The clues so far suggest the work of a fairly experienced crime group that is focused on perpetrating gift card fraud.

On Monday, KrebsOnSecurity broke the news that multiple sources were reporting a cybersecurity breach at Wipro, a major trusted vendor of IT outsourcing for U.S. companies. The story cited reports from multiple anonymous sources who said Wipro’s trusted networks and systems were being used to launch cyberattacks against the company’s customers.

A screen shot of the Wipro phishing site securemail.wipro.com.internal-message[.]app. Image: urlscan.io

In a follow-up story Wednesday on the tone-deaf nature of Wipro’s public response to this incident, KrebsOnSecurity published a list of “indicators of compromise” or IOCs, telltale clues about tactics, tools and procedures used by the bad guys that might signify an attempted or successful intrusion.

If one examines the subdomains tied to just one of the malicious domains mentioned in the IoCs list (internal-message[.]app), one very interesting Internet address is connected to all of them — 185.159.83[.]24. This address is owned by King Servers, a well-known bulletproof hosting company based in Russia.

According to records maintained by Farsight Security, that address is home to a number of other likely phishing domains:

securemail.pcm.com.internal-message[.]app
secure.wipro.com.internal-message[.]app
securemail.wipro.com.internal-message[.]app
secure.elavon.com.internal-message[.]app
securemail.slalom.com.internal-message[.]app
securemail.avanade.com.internal-message[.]app
securemail.infosys.com.internal-message[.]app
securemail.searshc.com.internal-message[.]app
securemail.capgemini.com.internal-message[.]app
securemail.cognizant.com.internal-message[.]app
secure.rackspace.com.internal-message[.]app
securemail.virginpulse.com.internal-message[.]app
secure.expediagroup.com.internal-message[.]app
securemail.greendotcorp.com.internal-message[.]app
secure.bridge2solutions.com.internal-message[.]app
ns1.internal-message[.]app
ns2.internal-message[.]app
mail.internal-message[.]app
ns3.microsoftonline-secure-login[.]com
ns4.microsoftonline-secure-login[.]com
tashabsolutions[.]xyz
www.tashabsolutions[.]xyz

The subdomains listed above suggest the attackers may also have targeted American retailer Sears; Green Dot, the world’s largest prepaid card vendor; payment processing firm Elavon; hosting firm Rackspace; business consulting firm Avanade; IT provider PCM; and French consulting firm Capgemini, among others. KrebsOnSecurity has reached out to all of these companies for comment, and will update this story in the event any of them respond with relevant information.
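The pivot above can be reproduced and turned into a detection. The Python below is an added example for this page, not code from KrebsOnSecurity or Farsight Security: it refangs the hostnames exactly as listed, groups them by the attacker's registrable domain, pulls out the brand domain each one impersonates, and then applies the same "brand domain embedded as a subdomain" pattern to a constructed resolver log. The three-entry suffix table and the sample log lines are assumptions made for the example; production code would use the Public Suffix List.

```python
"""Pivot on the passive-DNS list above and reuse the pattern as a detection.
Added example for this page; the log lines are constructed."""
import re
from collections import defaultdict

# Hostnames exactly as listed in the article (Farsight records for 185.159.83[.]24).
IOC_LIST = """
securemail.pcm.com.internal-message[.]app
secure.wipro.com.internal-message[.]app
securemail.wipro.com.internal-message[.]app
secure.elavon.com.internal-message[.]app
securemail.slalom.com.internal-message[.]app
securemail.avanade.com.internal-message[.]app
securemail.infosys.com.internal-message[.]app
securemail.searshc.com.internal-message[.]app
securemail.capgemini.com.internal-message[.]app
securemail.cognizant.com.internal-message[.]app
secure.rackspace.com.internal-message[.]app
securemail.virginpulse.com.internal-message[.]app
secure.expediagroup.com.internal-message[.]app
securemail.greendotcorp.com.internal-message[.]app
secure.bridge2solutions.com.internal-message[.]app
ns1.internal-message[.]app
ns2.internal-message[.]app
mail.internal-message[.]app
ns3.microsoftonline-secure-login[.]com
ns4.microsoftonline-secure-login[.]com
tashabsolutions[.]xyz
www.tashabsolutions[.]xyz
"""

# Assumption: only the public suffixes that occur in this list. Use the
# Public Suffix List (e.g. the publicsuffix2 package) in production.
SUFFIXES = {"app", "com", "xyz"}

# Constructed resolver log for the example, not from any real incident.
SAMPLE_DNS_LOG = """
2019-04-18T09:12:01Z client=10.1.2.3 query=securemail.wipro.com.internal-message.app type=A
2019-04-18T09:12:05Z client=10.1.2.9 query=mail.wipro.com type=MX
2019-04-18T09:13:44Z client=10.1.2.3 query=secure.wipro.com.totally-unrelated.xyz type=A
2019-04-18T09:14:00Z client=10.1.2.7 query=www.example.com type=A
"""

def refang(indicator):
    """Undo the [.] defanging used in published IoC lists."""
    return indicator.strip().lower().replace("[.]", ".")

def registrable_domain(hostname):
    """'secure.wipro.com.internal-message.app' -> 'internal-message.app'."""
    labels = hostname.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] not in SUFFIXES:
        return None
    return ".".join(labels[-2:])

def impersonated_brand(hostname):
    """Return the brand domain embedded in the subdomain part, e.g. 'wipro.com'
    for secure.wipro.com.internal-message.app, or None when there is none."""
    sub = hostname.rstrip(".").split(".")[:-2]
    for i in range(1, len(sub)):
        if sub[i] in SUFFIXES:  # a suffix label with more labels after it
            return f"{sub[i - 1]}.{sub[i]}"
    return None

def pivot(ioc_text):
    """Group IoCs by attacker-controlled registrable domain; collect the brands
    each one impersonates (empty set when a domain impersonates none)."""
    grouped = defaultdict(set)
    for line in ioc_text.splitlines():
        if not line.strip():
            continue
        host = refang(line)
        brands = grouped[registrable_domain(host)]
        brand = impersonated_brand(host)
        if brand:
            brands.add(brand)
    return dict(grouped)

QUERY_RE = re.compile(r"\bquery=(\S+)")

def flag_lookalikes(log_text, known_bad_domains, watched_brands):
    """Flag queries that hit a known IoC domain, or that embed one of our
    watched brand domains under some other registrable domain."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower()
        rd = registrable_domain(host)
        brand = impersonated_brand(host)
        reasons = []
        if rd in known_bad_domains:
            reasons.append("known IoC domain")
        if brand in watched_brands and brand != rd:
            reasons.append(f"{brand} embedded under {rd}")
        if reasons:
            hits.append((host, "; ".join(reasons)))
    return hits

if __name__ == "__main__":
    groups = pivot(IOC_LIST)
    for rd, brands in groups.items():
        print(rd, sorted(brands))
    for host, why in flag_lookalikes(SAMPLE_DNS_LOG, set(groups), {"wipro.com"}):
        print("ALERT", host, "->", why)
```

The second check is scoped to a watched set of brands (your own domains and those of partners such as the outsourcers above) on purpose: resolver logs routinely contain legitimate CDN names of the form `www.example.com.edgesuite.net`, so flagging every embedded brand would be noisy. `mail.wipro.com` is not flagged because its registrable domain is the brand itself.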

WHAT ARE THEY AFTER?

It appears the attackers in this case are targeting companies that either have broad access to third-party (client) resources, or can themselves be abused to commit gift card fraud, or both.

Wednesday’s follow-up on the Wipro breach quoted an anonymous source close to the investigation saying the criminals responsible for breaching Wipro appear to be after anything they can turn into cash fairly quickly. That source, who works for a large U.S. retailer, said the crooks who broke into Wipro used their access to perpetrate gift card fraud at the retailer’s stores.

Another source said the investigation into the Wipro breach by a third-party company has so far determined that the intruders compromised more than 100 Wipro systems and installed on each of them ScreenConnect, a legitimate remote access tool. Investigators believe the intruders used the ScreenConnect software on the hacked Wipro systems to connect remotely to Wipro client systems, and from there pivoted deeper into Wipro customer networks.

This is remarkably similar to activity that was directed against a U.S. based company in 2016 and 2017. In May 2018, Maritz Holdings Inc., a Missouri-based firm that handles customer loyalty and gift card programs for third-parties, sued Cognizant (PDF), saying a forensic investigation determined that hackers used Cognizant’s resources in an attack on Maritz’s loyalty program that netted the attackers more than $11 million in fraudulent eGift cards.

That investigation determined the attackers also used ScreenConnect to access computers belonging to Maritz employees. “This was the same tool that was used to effectuate the cyber-attack in Spring 2016. Intersec [the forensic investigator] also determined that the attackers had run searches on the Maritz system for certain words and phrases connected to the Spring 2016 attack.”

According to the lawsuit by Maritz Holdings, investigators also determined that the “attackers were accessing the Maritz system using accounts registered to Cognizant. For example, in April 2017, someone using a Cognizant account utilized the “fiddler” hacking program to circumvent cyber protections that Maritz had installed several weeks earlier.”

Maritz said its forensic investigator found the attackers had run searches on the Maritz system for certain words and phrases connected to the Spring 2016 eGift card cashout. Likewise, my retailer source in the Wipro attack told KrebsOnSecurity that the attackers who defrauded them also searched their systems for specific phrases related to gift cards, and for clues about security systems the retailer was using.

It’s unclear if the work of these criminal hackers is tied to a specific, known threat group. But it seems likely that the crooks who hit Wipro have been targeting similar companies for some time now, and with a fair degree of success in translating their access to cash given the statements by my sources in the Wipro breach and this lawsuit against Cognizant.

What’s remarkable is how many antivirus companies still aren’t flagging as malicious many of the Internet addresses and domains listed in the IoCs, as evidenced by a search at virustotal.com.

Update, April 19, 11:25 a.m. ET: I heard back from some of the other targets. Avanade shared the following statement: “Avanade was a target of the multi-company security incident, involving 34 of our people in February. Through our cyber incident response efforts and technologies, we swiftly contained and remediated the situation. As a result, there was no impact to our client portfolio or sensitive company data. Our review has concluded this was an isolated incident. Our security defenses have continued to protect against any potential threat related to this matter. And, we continue to take our responsibility to safeguard our clients’ data with the utmost seriousness.”

Infosys said it has not observed any breach of its network based on its monitoring and threat intel. “This has been ascertained through a thorough analysis of the indicators of compromise that we received from our threat intelligence partners,” the company said in a statement.

Rackspace said it has no evidence to indicate that there has been impact to the Rackspace environment. “Rackspace Security Operations continuously monitors our environment for threats and takes appropriate action should an issue be identified.”

The Cybersecurity Weakest Link – Linux and IOT

When Linus Torvalds first started developing a free operating system back in 1991 in his spare time, nobody could have guessed what it would lead to.

Linux is not only the backbone of the internet and the Android operating system, it is now expanding into domestic appliances, motor vehicles and pretty much anything else that requires a minimal operating system to run dedicated software. The Internet of Things is very much The Internet of Things Powered by Linux.

But when Chrysler recalled 1.4 million vehicles in 2015 after a pair of researchers demonstrated a remote takeover of a Jeep Cherokee’s digital systems, the risks that come with hackable IoT devices were dramatically illustrated.

So what does the rise of Linux and IoT mean for Cybersecurity in the Enterprise? Let’s take a look.

Our Networks Have Changed

Today’s defense solutions and products are mostly talking about Windows-based attacks: it’s the most prevalent operating system in the enterprise, and the majority of sysadmins are tasked with solving the security problems it brings. When people in business say “a computer”, they typically mean a Windows-driven computer.

Over time, however, the dominance of Windows in enterprise IT has weakened. A growing number of DevOps engineers and advanced users choose Linux for their workstations. In parallel, the internal and external services a typical enterprise runs have moved from Windows to Linux distributions such as Ubuntu, SUSE and Red Hat.

Linux containers (LXC, Docker and the like) have become almost a commodity: agile teams spin up disposable, “destroy after use” web services and other applications many times a day. Containers appeal to enterprises because an image behaves the same on every deployment target, whether physical servers, virtual machines (VMs), or private or public clouds. Many container deployments, however, are tuned for performance and developer convenience first, and security (image provenance, privilege boundaries, kernel hardening) comes second.

Beyond that, every device used in the network is now connected to the same networks where all the most valuable assets reside. What used to be a simple fax machine has now become a server. Our switches and routers are moving into the backbone of our most secure networks, bringing along the potential for cyber breaches as they do so.

Malware Authors Heaven

Let’s shift our attention for a second from the defender to the attackers, whose strategy whenever possible is to use minimal effort for maximum impact. In many cases, keeping things simple proves to be enough: when the key to the front door is waiting under the doormat, the thieves don’t care if the window is open.

If you look at your network from the attacker’s perspective, there are enough open doors in IoT devices to get in without the hassle of defeating the security mechanisms of the most common operating system. That does not mean you can relax the effort to secure your Windows devices, which still have severe weaknesses of their own (social engineering, anyone?), but the network breaches involving IoT devices that have been exposed so far are just the tip of the iceberg.

Here are a few notable examples:

  1. Compromising a network just by sending a fax
    Check Point researchers disclosed two critical remote code execution (RCE) vulnerabilities in the fax protocols used by tens of millions of fax-capable devices, demonstrated on HP OfficeJet all-in-one printers. An attacker who knows nothing but the target’s fax number can take over the device and pivot from it into the connected network. A patch is available on HP’s support page.
  2. The Mirai Botnet
    In October 2016, one of the largest DDoS attacks seen up to that point was launched against DNS provider Dyn from an IoT botnet, taking Twitter, the Guardian, Netflix, Reddit, CNN and many other sites offline for hours. Mirai-infected devices continually scanned the internet for other vulnerable IoT devices such as IP cameras and DVRs, logged in over Telnet with a short list of known default usernames and passwords, and infected them in turn.
  3. 465,000 Abbott pacemakers vulnerable to hacking
    The flaws were disclosed in the summer of 2016; in August 2017 the FDA and the Department of Homeland Security issued alerts and Abbott released a firmware update for roughly 465,000 pacemakers to close them. Until a device was updated, the unpatched firmware made it possible for an attacker to drain the pacemaker battery or exfiltrate patient medical data.

Regaining Control

As the variety of IoT devices and inherent vulnerabilities is high, patching can be a tedious and overwhelming task. That said, you cannot protect what you cannot see, so start with the basics: map out what you have and gain visibility into traffic, including the growing blindspot of encrypted traffic. This will allow you to introduce IoT security into your already existing security program.

The next step is to make sure no device is still running with default credentials, and to start patching. Patching is no silver bullet, but it raises the cost for attackers probing your network and sends them off to look for easier victims.

On the Linux side, there are enterprise-grade solutions available, some more intrusive than others. Kernel-level agents see the most, but at the cost of running code inside your kernel. Other Linux solutions focus on visibility and on monitoring “userland” behavior and processes; that leaves you more control over the system, but is easier for malware to bypass.

Hardening IoT and Linux

Even though preparation is the key to addressing IoT and Linux cyber attacks, there is still much else that could be done.

On the IoT side, SentinelOne announced earlier this year the SentinelOne Ranger, a unique capability that allows network administrators to see exactly what is connected to their networks. This visibility allows them to see, understand and take proactive measures to reduce the cybersecurity risk. Further, there is a need for device manufacturers to develop a common set of security mechanisms and standards. Until that time, the best approach is to reduce the attack surface to a bare minimum: retire old devices, patch all devices that are a must, and use vendors who invest in security and enforce authentication wherever possible.

On the Linux side, the situation is somewhat better, as software solutions and the main vendors like RedHat continue to invest in securing the OSs. However, there is no doubt that malware authors will persist in exploring and exploiting weaknesses in the OS and software whenever and wherever they find them.

Conclusion

While defenders need to seal every gap and plug every hole, an attacker needs just one way in. In some cases, that way in will be your Linux and IoT estate. We are in the midst of the IoT revolution, and the speed of change is bringing with it multiple security implications, some of which may be as yet unknown. The enterprise needs to be ready, and it needs to be vigilant.



Salesforce is buying MapAnything, a startup that raised over $84 million

Salesforce announced today it’s buying another company built on its platform. This time it’s MapAnything, which, as the name implies, helps companies build location-based workflows, something that could come in handy for sales or service calls.

The companies did not reveal the selling price, and Salesforce didn’t have anything to add beyond a brief press release announcing the deal.

“The addition of MapAnything to Salesforce will help the world’s leading brands accurately plan: how many people they need, where to put them, how to make them as productive as possible, how to track what’s being done in real time and what they can learn to improve going forward,” Salesforce wrote in the statement announcing the deal.

It was a logical acquisition on many levels. In addition to being built on the Salesforce platform, the product was sold through the Salesforce AppExchange, and over the years MapAnything has been a Salesforce SI Partner and an ISV Premier Partner, according to the company.

“Salesforce’s pending acquisition of MapAnything comes at a critical time for brands. Customer Experience is rapidly overtaking price as the leading reason companies win in the market. Leading companies like MillerCoors, Michelin, Unilever, Synchrony Financial and Mohawk Industries have all seen how location-enabled field sales and service professionals can focus on the right activities against the right customers, improving their productivity, and allowing them to provide value in every interaction,” company co-founder and CEO John Stewart wrote in a blog post announcing the deal.

MapAnything boasts 1,900 customers in total, and that is likely to grow substantially once it officially becomes part of the Salesforce family later this year.

MapAnything was founded in 2009, so it’s been around long enough to raise more than $84 million, according to Crunchbase. Last year, we covered the company’s $33.1 million Series B round, which was led by Columbus Nova.

At the time of the funding CEO John Stewart told me that his company’s products present location data more logically on a map instead of in a table. “Our Core product helps users (most often field-based sales or service workers) visualize their data on a map, interact with it to drive productivity, and then use geolocation services like our mobile app or complex routing to determine the right cadence to meet them,” Stewart told me last year.

It raised an additional $42.5 million last November. Investors included General Motors Ventures and (unsurprisingly) Salesforce Ventures.

Spotinst, the startup enabling companies to purchase and manage excess cloud capacity, acquires StratCloud

Spotinst, the cloud automation and optimization startup founded in Tel Aviv but now with offices in San Francisco, New York and London, has acquired AWS partner StratCloud. Terms of the deal remain undisclosed, although I’m hearing it combines both cash and stock and was somewhere in the region of $5 million.

As part of the acquisition, StratCloud’s team of 15 people will be joining Spotinst, including founder Patrick Gartlan, who will become VP, Cloud Services at Spotinst. StratCloud hadn’t raised any venture capital but instead was bootstrapped by Gartlan, who was the former CTO of cloud optimization company CloudCheckr.

Founded in 2015, Spotinst enables enterprises to optimize their cloud infrastructure usage by automating the process of using excess — and therefore cheaper — capacity from leading cloud providers.

As TechCrunch’s Ron Miller previously explained, cloud platforms like AWS, Microsoft Azure and Google Cloud Platform, all of which Spotinst supports, have to maintain more resources than they need at any given time. All three companies offer steep discounts to customers who want to access these resources, but they come with a strict condition that the platforms can take those resources back whenever they need them — which is where Spotinst (and today’s acquisition of StratCloud) comes in.

Spotinst’s platform manages the process of acquiring spare capacity, powered by predictive AI, and seamlessly switches providers before it’s withdrawn. This ensures that cloud computing “workloads” keep functioning, while the customer still receives the best possible price.

Meanwhile, StratCloud tech is described as an “optimization platform” that buys, sells and converts reserved capacity, therefore maximizing savings for on-demand infrastructure. “This leads to lower compute payments, without engineers having to change anything in the applications and infrastructure they manage,” explains Spotinst.

Related to this, Spotinst will migrate StratCloud’s several dozen customers to the Spotinst platform, where they’ll continue to receive all of the current functionality.

Overall, the acquisition means Spotinst can now offer a complete solution for cloud users, including offering reserved instances and unused computer power so that enterprises can run any workload and support large-scale migrations on any cloud provider. In addition, Spotinst says the combined technologies give Managed Service Providers (MSPs) a comprehensive tool to optimize cloud workloads for all of their managed customers.

Spotinst claims more than 1,500 enterprise customers in 52 countries, including Samsung, N26, Duolingo, Ticketmaster and Wix. The company currently employs approximately 150 staff across its four offices and has raised $52 million in VC funding to date.

Microsoft delves deeper into IoT with Express Logic acquisition

Microsoft has never been shy about being acquisitive, and today it announced it’s buying Express Logic, a San Diego company that has developed a real-time operating system (RTOS) aimed at controlling the growing number of IoT devices in the world.

The companies did not share the purchase price.

Express Logic is not some wide-eyed, pie-in-the-sky startup. It has been around for 23 years building (in its own words), “industrial-grade RTOS and middleware software solutions for embedded and IoT developers.” The company boasts some 6.2 billion (yes, billion) devices running its systems. That number did not escape Sam George, director of Azure IoT at Microsoft, but as he wrote in a blog post announcing the deal, there is a reason for this popularity.

“This widespread popularity is driven by demand for technology to support resource constrained environments, especially those that require safety and security,” George wrote.

Holger Mueller, an analyst with Constellation Research, says that market share also gives Microsoft instant platform credibility. “This is a key acquisition for Microsoft: on the strategy side Microsoft is showing it is serious with investing heavily into IoT, and on the product side it’s a key step to get into the operating system code of the popular RTOS,” Mueller told TechCrunch.

The beauty of Express Logic’s approach is that it can work in low-power and low-resource environments and offers a proven solution for a range of products. “Manufacturers building products across a range of categories — from low capacity sensors like lightbulbs and temperature gauges to air conditioners, medical devices and network appliances — leverage the size, safety and security benefits of Express Logic solutions to achieve faster time to market,” George wrote.

Writing in a blog post to his customers announcing the deal, Express Logic CEO William E. Lamie, expressed optimism that the company can grow even further as part of the Microsoft family. “Effective immediately, our ThreadX RTOS and supporting software technology, as well as our talented engineering staff join Microsoft. This complements Microsoft’s existing premier security offering in the microcontroller space,” he wrote.

Microsoft is getting an established company with a proven product that can help it scale its Azure IoT business. The acquisition is part of a $5 billion investment in IoT the company announced last April that includes a number of Azure pieces such as Azure Sphere, Azure Digital Twins, Azure IoT Edge, Azure Maps and Azure IoT Central.

“With this acquisition, we will unlock access to billions of new connected endpoints, grow the number of devices that can seamlessly connect to Azure and enable new intelligent capabilities. Express Logic’s ThreadX RTOS joins Microsoft’s growing support for IoT devices and is complementary with Azure Sphere, our premier security offering in the microcontroller space,” George wrote.

CloudBees acquires Electric Cloud to build out its software delivery management platform

CloudBees, the enterprise continuous integration and delivery service (and the biggest contributor to the Jenkins open-source automation server), today announced that it has acquired Electric Cloud, a continuous delivery and automation platform that first launched all the way back in 2002.

The two companies did not disclose the price of the acquisition, but CloudBees has raised a total of $113.2 million while Electric Cloud raised $64.6 million from the likes of Rembrandt Venture Partners, U.S. Venture Partners, RRE Ventures and Next47.

CloudBees plans to integrate Electric Cloud’s application release automation platform into its offerings. Electric Cloud’s 110 employees will join CloudBees.

“As of today, we provide customers with best-of-breed CI/CD software from a single vendor, establishing CloudBees as a continuous delivery powerhouse,” said Sacha Labourey, the CEO and co-founder of CloudBees, in today’s announcement. “By combining the strength of CloudBees, Electric Cloud, Jenkins and Jenkins X, CloudBees offers the best CI/CD solution for any application, from classic to Kubernetes, on-premise to cloud, self-managed to self-service.”

Electric Cloud offers its users a number of tools for automating their release pipelines and managing the application lifecycle afterward.

“We are looking forward to joining CloudBees and executing on our shared goal of helping customers build software that matters,” said Carmine Napolitano, CEO, Electric Cloud. “The combination of CloudBees’ industry-leading continuous integration and continuous delivery platform, along with Electric Cloud’s industry-leading application release orchestration solution, gives our customers the best foundation for releasing apps at any speed the business demands.”

As CloudBees CPO Christina Noren noted during her keynote at CloudBees’ developer conference today, the company’s customers are getting more sophisticated in their DevOps platforms, but they are starting to run into new problems now that they’ve reached this point.

“What we’re seeing is that these customers have disconnected and fragmented islands of information,” she said. “There’s the view that each development team has […] and there’s not a common language, there’s not a common data model, and there’s not an end-to-end process that unites from left to right, top to bottom.” This kind of integrated system is what CloudBees is building toward (and that competitors like GitLab would argue they already offer). Today’s announcement marks a first step into this direction toward building a full software delivery management platform, though others are likely to follow.

During his company’s developer conference, Labourey also today noted that CloudBees will profit from Electric Cloud’s long-standing expertise in continuous delivery and that the acquisition will turn CloudBees into a “DevOps powerhouse.”

Today’s announcement follows CloudBees’ acquisition of CI/CD tool CodeShip last year. As of now, CodeShip remains a stand-alone product in the company’s lineup. It’ll be interesting to see how CloudBees will integrate Electric Cloud’s products to build a more integrated system.

 

How Not to Acknowledge a Data Breach

I’m not a huge fan of stories about stories, or those that explore the ins and outs of reporting a breach. But occasionally I feel obligated to publish such accounts when companies respond to a breach report in such a way that it’s crystal clear they wouldn’t know what to do with a data breach if it bit them in the nose, let alone festered unmolested in some dark corner of their operations.

And yet, here I am again writing the second story this week about a possibly serious security breach at an Indian company that provides IT support and outsourcing for a ridiculous number of major U.S. corporations (spoiler alert: the second half of this story actually contains quite a bit of news about the breach investigation).

On Monday, KrebsOnSecurity broke the news that multiple sources were reporting a cybersecurity breach at Wipro, the third-largest IT services provider in India and a major trusted vendor of IT outsourcing for U.S. companies. The story cited reports from multiple anonymous sources who said Wipro’s trusted networks and systems were being used to launch cyberattacks against the company’s customers.

Wipro asked me to give them several days to investigate the request and formulate a public comment. Three days after I reached out, the quote I ultimately got from them didn’t acknowledge any of the concerns raised by my sources. Nor did the statement even acknowledge a security incident.

Six hours after my story ran saying Wipro was in the throes of responding to a breach, the company was quoted in an Indian daily newspaper acknowledging a phishing incident. The company’s statement claimed its sophisticated systems detected the breach internally and identified the affected employees, and that it had hired an outside digital forensics firm to investigate further.

Less than 24 hours after my story ran, Wipro executives were asked on a quarterly investor conference call to respond to my reporting. Wipro Chief Operating Officer Bhanu Ballapuram told investors that many of the details in my story were in error, and implied that the breach was limited to a few employees who got phished. The matter was characterized as handled, and other journalists on the call moved on to different topics.

At this point, I added a question to the queue on the earnings conference call and was afforded the opportunity to ask Wipro’s executives what portion(s) of my story was inaccurate. A Wipro executive then proceeded to read bits of a written statement about their response to the incident, and the company’s chief operating officer agreed to have a one-on-one call with KrebsOnSecurity to address the stated grievances about my story. Security reporter Graham Cluley was kind enough to record that bit of the call and post it on Twitter.

In the follow-up call with Wipro, Ballapuram took issue with my characterization that the breach had lasted “months,” saying it had only been a matter of weeks since employees at the company had been successfully phished by the attackers. I then asked when the company believed the phishing attacks began, and Ballapuram said he could not confirm the approximate start date of the attacks beyond “weeks.”

Ballapuram also claimed that his corporation was hit by a “zero-day” attack. Actual zero-day vulnerabilities are flaws in software or hardware that are unknown to the product’s maker, and so have no patch, at the time attackers begin exploiting them for private gain; they are relatively infrequent and quite dangerous.

Because zero-day flaws usually refer to software that is widely in use, it’s generally considered good form if one experiences such an attack to share any available details with the rest of the world about how the attack appears to work — in much the same way you might hope a sick patient suffering from some unknown, highly infectious disease might nonetheless choose to help doctors diagnose how the infection could have been caught and spread.

Wipro has so far ignored specific questions about the supposed zero-day, other than to say “based on our interim investigation, we have shared the relevant information of the zero-day with our AV [antivirus] provider and they have released the necessary signatures for us.”

My guess is that what Wipro means by “zero-day” is a malicious email attachment that went undetected by all commercial antivirus tools before it infected Wipro employee systems with malware.

Ballapuram added that Wipro has gathered and disseminated to affected clients a set of “indicators of compromise,” telltale clues about tactics, tools and procedures used by the bad guys that might signify an attempted or successful intrusion.

Hours after that call with Ballapuram, I heard from a major U.S. company that is partnering with Wipro (at least for now). The source said his employer opted to sever all online access to Wipro employees within days of discovering that these Wipro accounts were being used to target his company’s operations.

The source said the indicators of compromise that Wipro shared with its customers came from a Wipro customer who was targeted by the attackers, but that Wipro was sending those indicators to customers as if they were something Wipro’s security team had put together on its own.

So let’s recap Wipro’s public response so far:

-Ignore reporter’s questions for days and then pick nits in his story during a public investor conference call.
-Question the stated timing of breach, but refuse to provide an alternative timeline.
-Downplay the severity of the incident and characterize it as handled, even when they’ve only just hired an outside forensics firm.
-Say the intruders deployed a “zero-day attack,” and then refuse to discuss details of said zero-day.
-Claim the IoCs you’re sharing with affected clients were discovered by you when they weren’t.

WHAT DID THE ATTACKERS DO?

The criminals responsible for breaching Wipro appear to be after anything they can turn into cash fairly quickly. A source I spoke with at a large retailer and Wipro customer said the crooks who broke into Wipro used their access to perpetrate gift card fraud at the retailer’s stores.

I suppose that’s something of a silver lining for Wipro at least, if not also its customers: An intruder that was more focused on extracting intellectual property or other more strategic assets from Wipro’s customers probably could have gone undetected for a much longer period.

A source close to the investigation who asked not to be identified because he was not authorized to speak to the news media said the company hired by Wipro to investigate the breach dated the first phishing attacks back to March 11, when a single employee was phished.

The source said a subsequent phishing campaign between March 16 and 19 netted 22 additional Wipro employees, and that the vendor investigating the incident has so far discovered more than 100 Wipro endpoints that were seeded with ScreenConnect, a legitimate remote access tool sold by Connectwise.com. Investigators believe the intruders were using the ScreenConnect software on the hacked Wipro systems to connect remotely to Wipro client systems, which were then used to leverage further access into Wipro customer networks.

Additionally, investigators found at least one of the compromised endpoints was attacked with Mimikatz, an open source tool that can dump passwords stored in the temporary memory cache of a Microsoft Windows device.

The source also said the vendor is still discovering newly-hacked systems, suggesting that Wipro’s systems are still compromised, and that additional hacked endpoints may still be undiscovered within Wipro.

Wipro has not yet responded to follow-up requests for comment.

I’m sure there are smart, well-meaning and capable people who care about security and happen to work at Wipro, but I’m not convinced any of those individuals are employed in leadership roles at the company. Perhaps Wipro’s actions in the wake of this incident merely reflect the reality that India currently has no laws requiring data owners or processors to notify individuals in the event of a breach.

Overall, I’m willing to chalk this entire episode up to a complete lack of training in how to deal with the news media, but if I were a customer of Wipro I’d be more than a little concerned about the tone-deaf nature of the company’s response thus far.

As one follower on Twitter remarked, “openness and transparency speaks of integrity and a willingness to learn from mistakes. Doing the exact opposite smacks of something else entirely.”

In the interests of openness, here are some indicators of compromise that Wipro customers are distributing about this incident (I had to get these from one of Wipro’s partners as the company declined to share the IoCs directly with KrebsOnSecurity).

How to Reverse Malware on macOS Without Getting Infected | Part 3

In the first part of our tutorial on macOS malware reverse engineering skills, we found the unpack.txt file containing encrypted code in the Resources folder. In Part 2, we went on to examine the main executable using static analysis techniques to learn more. As a result, we found a method in the binary called “encryptDecryptOperation:”. That looks a likely candidate for where the code in the text file might be read into memory.

It’s time to run our sample in our isolated VM in a controlled manner so that we can examine it at any point of our choosing. In particular, we want to read the encrypted string in the unpack.txt file in clear text to see how it contributes to our understanding of this malware’s behavior.

image of macOS isolated virtual machine

How to Run Malware Blocked by Apple

In order to run our malware, we’re going to have to first make sure that it hasn’t been blocked by Apple’s Gatekeeper or XProtect features. You can check whether Gatekeeper has flagged a file by listing the extended attributes on the command line. We do that by passing the -l flag and the file path to the xattr utility.

$ xattr -l UnPackW

If that returns a result containing com.apple.quarantine, then the file will be subject to any restrictions imposed by the local Gatekeeper policy (as set either in System Preferences > Security tab or via spctl and stored in /var/db/SystemPolicy).

com.apple.quarantine: 0083;5caf3e68;Safari;5FFF1FBA-3A55-4647-8280-DBB57E3FC8A1

Gatekeeper will also pass the file to XProtect for checking to see if it’s known to Apple’s malware rules. These checks are in place to help keep users safe, but in our case we don’t want the OS to block our sample. Since our executable is likely to call other files in the bundle including, we hope, the unpack.txt file in the Resources folder, it’s best to remove the quarantine bit from the entire bundle rather than just the executable. To remove the extended attribute and bypass both Gatekeeper and XProtect, simply pass the -rc flags and then the file path to xattr.

$ xattr -rc ~/Malware/UnPackNw.app
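As an added example that is not part of the original tutorial, here is a small Python helper that parses the com.apple.quarantine value printed by xattr -l into its four semicolon-separated fields (hex flags, hex download time as seconds since the Unix epoch, the agent that set the attribute, and the LaunchServices event UUID); the field layout is the commonly documented one, and the sample xattr -l listing is constructed for the example.

```python
"""Parse macOS com.apple.quarantine values such as the one printed by `xattr -l`."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Attribute name printed by `xattr -l` when a download has been marked for Gatekeeper.
QUARANTINE_KEY = "com.apple.quarantine"


@dataclass
class QuarantineInfo:
    flags: int                 # first field: hexadecimal bit flags set by the downloading app
    downloaded_at: datetime    # second field: hex seconds since the Unix epoch, decoded to UTC
    agent: str                 # third field: the application that set the attribute
    event_uuid: Optional[str]  # fourth field: key into LaunchServices' quarantine event database


def parse_quarantine_value(value: str) -> QuarantineInfo:
    """Split a 'flags;hexepoch;agent;uuid' value and decode the numeric fields."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    downloaded_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    agent = parts[2]
    event_uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return QuarantineInfo(flags, downloaded_at, agent, event_uuid)


def find_quarantine(xattr_listing: str) -> Optional[QuarantineInfo]:
    """Scan the text output of `xattr -l <path>` for the quarantine attribute.

    Returns None when the attribute is absent, meaning Gatekeeper (and XProtect
    via Gatekeeper) will not be consulted when the file is launched.
    """
    pattern = re.compile(rf"^{re.escape(QUARANTINE_KEY)}:\s*(.+)$", re.MULTILINE)
    match = pattern.search(xattr_listing)
    return parse_quarantine_value(match.group(1)) if match else None


# Constructed sample of what `xattr -l UnPackW` might print for a Safari download.
SAMPLE_LISTING = """com.apple.metadata:kMDItemWhereFroms:
00000000  62 70 6C 69 73 74 30 30  A1 01 5F 10 1B 68 74 74  |bplist00.._..htt|
com.apple.quarantine: 0083;5caf3e68;Safari;5FFF1FBA-3A55-4647-8280-DBB57E3FC8A1
"""

if __name__ == "__main__":
    info = find_quarantine(SAMPLE_LISTING)
    if info is None:
        print("no quarantine attribute: Gatekeeper/XProtect will not evaluate this file")
    else:
        print(f"flags=0x{info.flags:04x} downloaded={info.downloaded_at.isoformat()} "
              f"agent={info.agent} event={info.event_uuid}")
```

Run against real output of xattr -l from an isolated analysis VM, this gives a quick inventory of which files in a bundle still carry the quarantine flag before you decide to strip it.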

How to Use LLDB to Examine Malware

At last, we’re ready for the fun part. Let’s get into some dynamic analysis! To do that we use lldb, the low-level debugger, which you installed at the very beginning of this tutorial when we set up the command line tools in Part 1.

Open a Terminal session and change to the “MacOS” directory of the UnPackNw.app bundle.

$ cd ~/Malware/UnPackNw.app/Contents/MacOS

We’re going to use lldb in interactive mode, so start by calling the tool without any arguments:

$ lldb

You’ll see the usual command line prompt that ends with the $ symbol replaced by (lldb), indicating that we’ve entered interactive mode. The next step is to tell the debugger which file we want to attach to using its file command. Note that this is a command within lldb itself and is unrelated to the file utility we used earlier in the tutorial.

(lldb) file UnPackNw

Compare the output of the file utility with that of the command from lldb in the image below.

image of starting lldb debugger interactive mode

Now that we’ve told the debugger which file we want to attach to, we don’t have to keep passing the file name with any further commands we issue within our interactive session.

The next step is to launch the malware, but we don’t want to just fire the whole thing off and let it do what it wants. We need to control the execution, and we do that by using the process command. Let’s just take a step back and see what that does:

(lldb) help process

You’ll see the help output for the process command and its various subcommands. Let’s dig deeper. We’re going to use the launch subcommand with the -s option. Type:

(lldb) help process launch

You’ll see an explanation of what each option does. When we pass the launch subcommand to process with the -s subcommand option, it launches the executable and attempts to suspend execution when it hits the program’s first function entry point.

image of program entry point

The first entry point should be dyld_start, which is when the dynamic linker starts loading any libraries the malware relies on before getting to the binary’s own code (recall from Part 2 that we can list dependent libraries with otool -L).

However, some malware tries to disguise its true entry point, and other malware tries to prevent you from attaching a debugger with a variety of tricks, which you may need to work around.

Launching a Process in LLDB

Let’s try it out and see what happens (reminder: of course, you are doing this in your isolated VM that we set up in Part 1!).

(lldb) process launch -s

image of low level debugger process launch

Great! We’ve stopped at the beginning of code execution, dyld_start, as expected. Now, let’s set a breakpoint on a method we’re interested in. Note that the method is possibly misspelled, so be sure to type it exactly as it appears in the code (no autocorrect thanks!).

(lldb) breakpoint set -n "+[EncodeDecodeOps enncryptDecryptString:]"

image of low level debugger first breakpoint

Check that you receive a confirmation that the breakpoint has been set correctly at a given address. If you see a message like “no locations (pending)” or any other warning, check your typing and try again. There are many ways to set breakpoints in lldb, including using regex, but for now you’ll want to go the long way around until you’re more confident about what you’re doing. If you accidentally set a breakpoint that you don’t want, you can use breakpoint delete or the abbreviated version br del to delete all your breakpoints and start over (you can delete breakpoints individually, too, but I’ll leave that as an exercise for the reader).

With our breakpoint successfully set, we need to type either continue or just the letter c to tell the debugger to resume execution until it hits our breakpoint.

image of low level debugger resuming

We’ve stopped at the entry to the function. Let’s see a bit more of the disassembly so we can orient ourselves.

(lldb) disassemble

Scroll back up to the start of the output (command+arrow-up on the keyboard). You’ll see the right-facing arrow in the left margin pointing at the address where we’re currently parked.

image of using disassemble in the low level debugger

You should recognise this code from the static analysis. Let’s scroll down to where we see “initWithString:”.

image of initWithString method

That looks like the method where the code will create a new plain-text string from the encrypted code in unpack.txt. We can tell that because it occurs just before the final call to return from the function, and we are supposing that the purpose of this function is precisely to return the decrypted string.

Let’s find out if we are right. We’ll set another breakpoint directly on the address where “initWithString:” is moved into the rdi register, 0x100003d10, and then resume. I’ll use an abbreviated syntax this time to save you some typing:

(lldb) br s -a 0x100003d10
(lldb) c

image of setting a breakpoint on an address

How to Read Registers in LLDB

Once again, the debugger halts execution at our breakpoint, right on the address we specified. We’re almost there, but to see our decrypted string, we need to learn how to read registers and how to print them out.

The first step is simple enough. Let’s dump all the registers in one go.

(lldb) register read

image of register read command

As we’re dealing with 64-bit architecture, all our general registers begin with “r”: rax, rbx, rcx, and so on.

When you’re trying to read method names and arguments, the two registers of immediate interest are usually rdi and rsi. The first should hold the name of the class being invoked while the second should actually give us the first argument. Notice from the earlier screenshots how rsi is loaded up right before rdi in the disassembly. Since we already know that we’re dealing with an NSString creation in rdi, let’s have a look directly at what argument is being passed to “initWithString:” via rsi.

When we want to print or refer to the registers within lldb, we have to prepend them with a $ sign. We use “po”, a shortcut for the expression -O command, to print out the contents of the register as an object.

(lldb) po $rsi

image of the decrypted string in memory

Bingo! Now we see the encrypted string from the unpack.txt file finally revealed. It turns out to be a shell script that downloads a zip file to a temp directory. The man page for mktemp tells us that the string of “X” characters produces a random directory name of the same length. The script then unzips and launches the downloaded application and passes it the argument s on launch.

At this point, if you’d like to continue execution without jumping to another breakpoint, you could tell lldb to advance to the next instruction with the next command, and keep on inspecting the disassembly and registers in the same way to fully reveal the rest of the malware’s behaviour.

How to Exit the LLDB Debugger

If you want to let the malware just play out the rest of its behaviour, use continue again in the debugger. Since we haven’t set any more breakpoints, it’ll either complete its execution or stop on a further call to the decrypt method.

If you don’t want the malware to continue and feel that you’ve seen enough, you can kill the process with process kill. You can exit the low-level debugger with the quit command.

Next Steps with macOS Reverse Engineering

If you let the malware run (and assuming the server it’s trying to contact is still active), you can go down the rabbit hole with this one and start reverse engineering the downloaded porcupine.zip, too. The more you practice the easier it becomes!

Heads up: as it turns out, the porcupine.zip contains a piece of malware recognized by Apple’s MRT tool that we’ve mentioned before.

image of virus total results for porcupine zip

As you continue to practice these skills, you’ll also likely need some extra resources. Aside from the many links in this series, consider taking a look at this book for a longer, in-depth tutorial on lldb. One of my favorite tools for taking the pain out of binary analysis is radare2 and the suite of tools that come with it like rabin2, rax2 and radiff2. Bonus: radare2 & friends are all free, and there’s even a free GUI front-end, Cutter, for those who don’t like the command line! Among the commercial offerings, Hopper is probably the most widely-used among professional macOS reverse engineers.

Conclusion

In this series of posts, we’ve learned how to set up a safe environment to test macOS malware and how to use static analysis and dynamic analysis to reverse engineer a Mach-O binary. In this final part, we learned how to execute code in a controlled manner, set up breakpoints and read CPU registers. That’s quite a lot we’ve packed in to these three short posts, but we’ve barely scratched the surface of this deep and fascinating topic.

If this was your first foray into macOS malware reverse engineering, hopefully it has given you a taste to explore further. We’d love to continue posting more advanced tutorials on macOS malware reverse engineering, so if you’d like to read more posts on this topic, please share this series with others, follow the blog, or connect with us on Twitter, FaceBook or LinkedIn to let us know!


Enterprise events management platform Bizzabo scores $27M Series D

Bizzabo, the New York and Tel Aviv-based events management platform, has raised $27 million in Series D funding. Leading the round is Viola Growth, along with new investor Next47.

We’re also told that previous backers, including Pilot Growth, followed on. The new funding brings the total raised by the company to $56 million.

Originally launched in 2012 as a networking app for event attendees, Bizzabo now claims to be the leading end-to-end “Event Success Platform.” As it exists today, one way to describe the cloud-based software is akin to “Salesforce for events”: helping enterprises create, manage and execute every aspect of a live event.

As TechCrunch’s Catherine Shu previously wrote, the SaaS automates time-consuming event tasks related to email, social media and web marketing, and contact management.

There’s an increasing data play, too, with the ability to crunch and analyse event data to help event organisers garner more registrations, increase revenue and improve the overall attendee experience.

“Our vision is to provide a data-driven and personalized journey for attendees,” Bizzabo CEO and co-founder Eran Ben-Shushan tells me. “An 800-person conference should feel like 800 unique in-person event experiences. By leveraging hundreds of data points throughout the attendee journey, our customers can deliver extremely personalised promotion campaigns, custom-tailor the event agenda and proactively cater to each attendee action.”

As an example, Ben-Shushan says an attendee at a user conference can receive recommended sessions, business introductions and even sponsored offers based on interest and intent expressed before, during and after the event.

To that end, Bizzabo says its Series D will be used to expand the platform’s capabilities and continue to help enterprise and mid-market organizations “build data-driven, personalized and engaging professional event experiences.” That will include growing its R&D and own marketing teams, adding to the more than 120 current employees in its New York and Tel Aviv offices.

Ben-Shushan reckons that on average 25 percent of a B2B company’s marketing budget is spent on live events. This has resulted in the number of professional events, such as conferences, seminars, trade shows and other experiences, increasing exponentially each year.

However, it remains a challenge to create, manage, market and measure the success of events while maximizing ROI — which is where Ben-Shushan says Bizzabo comes in.

Bizzabo’s better-known customers include Inbound, SaaStr, Forbes, Dow Jones, Gainsight and Drift. Meanwhile, the event management space as a whole is said to be worth $500 billion.

Airbase launches with $7M Series A to simplify spending control systems

Airbase is a startup with a plan to change the way you think about accounting around spending. Instead of multiple workflows, it wants to create a simpler one involving, well, Airbase. It’s a bold move for any startup to take on something as entrenched as financials, but it’s giving it a shot, and today the company launched with a $7 million Series A investment.

First Round Capital was lead investor. Maynard Webb, Village Global, BoxGroup and Quiet Capital also participated. The deal closed at the end of November last year. This is the first external funding for the company, which company founder and CEO Thejo Kote had bootstrapped previously with $300,000 of his own money.

“At a high level, Airbase is the first all-in-one spend management system. It replaces a number of different systems that companies use to manage how they spend money,” Kote told TechCrunch.

He knows of what he speaks. Prior to starting this company, Kote co-founded Automatic, a startup that he sold to SiriusXM for more than $100 million in 2017. As a founder, he saw just how difficult it was to track the vast variety of spending inside a company from supplies to subscriptions to food and drink.

“Think about the hundreds of things that companies spend money on, and the way in which the management of that happens is a pretty broken process today,” he said. For starters, it usually involves some sort of approval request in a tool like Slack, Jira or Google forms.

Once approved, the person requesting the expense will put that on a company credit card, then have to submit expense reports at the end of each month using a tool like Expensify. If you purchase from a vendor, that involves an invoice, which has to be processed and paid. Finally, it would need to be reconciled and accounted for in accounting software. Each step of this process ends up being time-consuming and costly for an organization.

Kote’s idea was to take this process and streamline it by removing the friction, which he saw as being related to the disparate systems in place to get the work done. He believed by creating a single workflow on a unified, single platform he could create a smoother system for everyone involved.

He is putting that single system in between the bank and the accounting system, including a virtual Airbase Visa card to take the place of physical cards. Requests for spending happen inside Airbase instead of an external tool. When the virtual card gets charged, bookkeeping and reconciliation get handled in Airbase and pushed to your accounting package of choice.

Airbase workflow. Diagram: Airbase

This could be a difficult proposition for companies with existing systems in place, but could be attractive to startups and small companies whose accounting systems have not yet hardened. Perhaps that’s why most of Airbase’s customers are startups or SMBs with between 500 and 5000 employees, such as Gusto, Netlify and Segment.

Bill Trenchard, General Partner at lead investor First Round Capital says he has seen very little innovation in this space and that’s what drew him to Airbase. “Airbase has taken a bold step forward to create an entirely new paradigm. It delivers a real solution to the biggest problems finance teams face as their companies grow,” Trenchard said in a statement.

The company was founded in 2017 and has 22 employees today. It has a sales office in San Francisco, but other employees are spread across four countries.