A Wipro security incident involving an advanced, persistent phishing campaign has brought additional attention to MSP vulnerabilities; more news from the week.
Wipro, a global consulting, integration and managed services provider, this week acknowledged a security incident, a development that illustrates the threat environment MSPs currently face.
The Wipro security incident was first reported on the Krebs on Security website. Wipro executives later discussed the event during the $8.5 billion company’s fiscal fourth-quarter conference call. Bhanumurthy B.M., chief executive of application services and strategic alliances at Wipro, said the company became aware of “potentially abnormal activity within our network that involved a few of our employee accounts.”
In the Wipro incident, an MSP software tool may have been used by the cyberattackers. Krebs on Security, citing an anonymous source, reported the intruders used ConnectWise’s ScreenConnect remote access tool (now known as ConnectWise Control) “to connect remotely to Wipro client systems.”
Officials at Wipro couldn’t be reached for comment on that reported aspect of the security incident.
Jeff Bishop, ConnectWise’s chief product officer, said ConnectWise Control and similar products are typically used by IT teams to remotely fix issues and apply updates, but added “malicious actors … utilize remote control products in scams to exploit a consumer or company through misrepresentation, network vulnerabilities or phishing.”
Bishop said ConnectWise works to “prevent the misuse of our products in these scenarios through online training, educational material, and by implementing AI to help us look for bad actors in our community. When detected or reported, we will work with the appropriate authorities to assist them to take action against these malicious actors.”
An attack scenario that abuses typical MSP tooling is consistent with a warning that US-CERT, the Department of Homeland Security’s Computer Emergency Readiness Team, issued in October 2018. At the time, US-CERT said attackers are using “trusted off-the-shelf applications and pre-installed system tools present in MSP customer networks.”
In addition, a penetration test that Infogressive, a managed security services provider (MSSP) based in Lincoln, Neb., conducted at one of its MSP customers revealed vulnerability to phishing, social engineering and the potential for cybercriminals to access remote monitoring and management (RMM) systems. The MSSP launched a phishing attack to obtain credentials and used them to get onto the MSP’s VPN. From there, the testers were able to obtain access to the MSP’s RMM tool.
Commenting on the Wipro security incident, Justin Kallhoff, CEO at Infogressive, said ScreenConnect should have a multi-factor authentication method enabled if it is an administrative tool. He said stolen credentials shouldn’t imperil administrative-level access at large enterprises, noting that such companies can avail themselves of privileged access management offerings from vendors such as BeyondTrust, CyberArk and Thycotic.
Kallhoff said the phishing attack also raises questions.
“I would be interested in the initial phishing message and what techniques were used in it to bypass a solid email gateway that is configured correctly and combined with a sandboxing mechanism,” he said.
Saryu Nayyar, CEO at Gurucul, a cybersecurity company in El Segundo, Calif., suggested cases like Wipro point to the need for a holistic view of user and device activity.
“Account compromise attacks like this one at Wipro resemble an insider threat from a detection standpoint,” she said in a statement. “Therefore, unless an organization is monitoring the entire system stack, they won’t be able to identify subtle behavior anomalies that are indicators of account compromise. Since hackers will exploit whatever accounts they can successfully compromise to break into the organization including user accounts, system accounts [and] service accounts … it’s critical to actively monitor not just user activity, but also device and identity behavior.”
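The kind of monitoring Nayyar describes, in which a compromised account is caught by how its behaviour departs from its own baseline rather than by a signature, can be sketched as a small detector. The following is an added illustration written for this article; it is not code from Wipro, Gurucul, ConnectWise or any other vendor named here. It builds a per-account profile (hosts, countries, hours of activity, actions seen) from historical authentication events and then flags new events that deviate on several dimensions at once, covering user accounts and service accounts alike, with a remote-control session from an unfamiliar VPN host as the motivating case. All log events, account names, hostnames and country codes are constructed for the example.

```python
"""Toy UEBA-style detector for account-compromise indicators.

Added illustration, not any vendor's product code. Every event below is
constructed: (timestamp, account, account_type, src_host, country, action).
"""
from collections import defaultdict
from datetime import datetime

# Constructed historical events used to learn what "normal" looks like per account.
BASELINE_EVENTS = [
    ("2019-03-01T09:05:00", "alice", "user", "wks-alice", "IN", "login"),
    ("2019-03-02T09:12:00", "alice", "user", "wks-alice", "IN", "login"),
    ("2019-03-03T10:40:00", "alice", "user", "wks-alice", "IN", "login"),
    ("2019-03-01T02:00:00", "svc-backup", "service", "bkp-01", "IN", "login"),
    ("2019-03-02T02:00:00", "svc-backup", "service", "bkp-01", "IN", "login"),
    ("2019-03-01T11:00:00", "bob", "user", "wks-bob", "IN", "login"),
    ("2019-03-01T11:30:00", "bob", "user", "wks-bob", "IN", "remote_control_session"),
]

# Constructed new events to score: a normal morning login, then the same
# account arriving from an unfamiliar VPN host/country late at night and
# opening a remote-control session, then a service account used interactively.
NEW_EVENTS = [
    ("2019-04-10T09:30:00", "alice", "user", "wks-alice", "IN", "login"),
    ("2019-04-10T23:15:00", "alice", "user", "vpn-pool-17", "XX", "login"),
    ("2019-04-10T23:20:00", "alice", "user", "vpn-pool-17", "XX", "remote_control_session"),
    ("2019-04-11T02:00:00", "svc-backup", "service", "bkp-01", "IN", "login"),
    ("2019-04-11T14:00:00", "svc-backup", "service", "jump-03", "IN", "remote_control_session"),
]


def build_baseline(events):
    """Per account: account type plus the hosts, countries, hours and actions seen."""
    profile = defaultdict(lambda: {
        "type": None, "hosts": set(), "countries": set(), "hours": set(), "actions": set(),
    })
    for ts, account, acct_type, host, country, action in events:
        p = profile[account]
        p["type"] = acct_type
        p["hosts"].add(host)
        p["countries"].add(country)
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["actions"].add(action)
    return profile


def score_event(profile, event):
    """Return the list of anomaly reasons for one event; an empty list means it fits the baseline."""
    ts, account, acct_type, host, country, action = event
    p = profile.get(account)          # .get() does not create a default entry
    if p is None:
        return ["unknown account"]
    reasons = []
    if host not in p["hosts"]:
        reasons.append("new source host")
    if country not in p["countries"]:
        reasons.append("new country")
    if datetime.fromisoformat(ts).hour not in p["hours"]:
        reasons.append("unusual hour")
    if p["type"] == "service" and action == "remote_control_session":
        reasons.append("service account used interactively")
    if action == "remote_control_session" and action not in p["actions"]:
        reasons.append("first remote-control session for account")
    return reasons


def detect(profile, events, min_reasons=2):
    """Alert only when several dimensions deviate at once; one new host alone is usually benign."""
    alerts = []
    for ev in events:
        reasons = score_event(profile, ev)
        if len(reasons) >= min_reasons:
            alerts.append((ev[1], ev[5], reasons))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for account, action, reasons in detect(baseline, NEW_EVENTS):
        print(f"ALERT {account} {action}: {', '.join(reasons)}")
```

The threshold in `detect` is the practical lever: a single deviation (a new laptop, a trip) produces noise, while a stolen credential used from a fresh VPN address, outside the owner's working hours, to start a remote-control tool lights up several dimensions together, and a service account opening an interactive session is suspicious on its own regardless of host or hour.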
Bhanumurthy, meanwhile, said Wipro has identified and isolated the affected employee accounts and has initiated remedial steps to contain the incident and mitigate its potential effects. He said Wipro is using its own cybersecurity practices and its partner ecosystem as it pursues those steps.
Rackspace sees Google Cloud uptake around Service Blocks
Large enterprises are tapping Rackspace’s Service Blocks, modular public cloud services, as they adopt Google Cloud Platform (GCP).
Rackspace, an IT-as-a-service provider based in San Antonio, launched managed services around the Google Cloud in late 2017. The Service Blocks offerings emerged in October 2018. Service Blocks covers areas such as architecture, deployment, operational support, cost optimization and complex cloud operations. Blocks are packaged for AWS, Microsoft Azure and Alibaba, as well as GCP.
Prashanth Chandrasekar, senior vice president and general manager of cloud and infrastructure services at Rackspace, recently provided an update on the company’s managed GCP business. He said large customers at differing levels of maturity on their cloud journeys are purchasing GCP services, as well as services for other public clouds, in a modular fashion. He said such Service Blocks customers gravitate toward the flexibility and agility they provide.
“That is really what is resonating with large GCP customers,” Chandrasekar said.
He noted that smaller organizations have also been purchasing managed GCP services over the past 18 months.
Chandrasekar’s vision is to enable customers to use a combination of Service Blocks to solve problems across clouds, extending “this concept for managed public clouds to be even more hybrid in nature.”
Google’s technology plays into this hybrid thinking. Chandrasekar said Google has taken on hybrid clouds earlier and in a more aggressive way than other cloud platform providers, noting the company’s open source philosophy. In addition, Google’s recently debuted Anthos, which lets customers deploy and manage applications on GCP and third-party cloud platforms, fits into the company’s multi-cloud and hybrid-cloud approach, he noted. Rackspace is one of Google’s Anthos launch partners.
Anthos has plenty of potential, Chandrasekar said, but noted that customers will not be deploying it overnight. “Customers are looking to leverage it in a way that makes sense,” he said.
External Link: Wipro security incident underscores MSP vulnerability