The alleged Wipro network breach continues to earn headlines. And for good reason. The apparent breach of the major IT solutions provider ultimately extended out to customer systems to conduct gift card fraud. Moreover, similar attacks apparently targeted Infosys and Cognizant, according to KrebsOnSecurity -- the go-to source on these alleged attacks.
MSPs are familiar with this type of story. The various attacks essentially targeted large MSPs and IT consulting firms, and then used the MSP's network as a sort of island hopper system to move onto customer networks for potential financial gain.
The U.S. Department of Homeland Security (DHS) has specifically warned MSPs and CSPs multiple times about such attacks and the associated risks, as we've reported on MSSP Alert, our sister site.
So, What Was Actually Breached or Hacked?
Now, here's where the MSP industry needs to be extra careful about the facts:
- On the one hand, the Wipro hackers apparently used ScreenConnect, a remote control tool, as part of the attack, according to KrebsOnSecurity.
- But just to be clear: That does not mean ScreenConnect (more recently branded as ConnectWise Control) suffered some sort of security breach or vulnerability exploit as part of this attack.
So far, Wipro hasn't said much about the attack. But if my reading of the situation is correct, the attack may have gone something like this:
- First, the hackers found or created an open door or window (or poorly secured access point) in Wipro's network.
- Once the hackers found their opening, they essentially threw a rope through that opening to climb in and out of the system at will. The rope, in this case, allegedly was a remote access tool called ScreenConnect. That doesn't mean the rope was hacked. Instead, it simply means the hackers took standard software and allegedly used it for not-so-kind purposes. The rope could have involved a lengthy list of legitimate remote control tools.
In the meantime, all the facts aren't in. Alas, Wipro has tried its best to evade KrebsOnSecurity's intense, detailed reporting. That's inexcusable. An honest, timely reply to KrebsOnSecurity's initial inquiry would have gone a long way to strengthening -- rather than weakening -- Wipro's reputation. Even a "no comment" would have been smarter than the apparently nonsensical reply Wipro initially offered Krebs.
ConnectWise Advice to MSPs
Meanwhile, it's a tricky time for ConnectWise. The company's name is associated with the Wipro story. But it's not like the software company can issue some sort of patch, fix or alert for a product that apparently wasn't hacked as part of the alleged Wipro incident. (If details emerge stating otherwise, we'll update our coverage accordingly.)
Still, there are some natural steps that MSPs should take. For starters, MSPs should embrace a Protect Your House mindset, according to ConnectWise Chief Product Officer Jeff Bishop. The idea: MSPs need to assess their own systems, pinpoint risk areas, and harden their own networks.
Also of note: If a company or individual believes that ConnectWise Control was used in an exploit or their instance has been exploited, ConnectWise encourages them to report the details of the activity on this page, according to Bishop. Also, partners can find more ConnectWise Control security guidance here.
The Bottom Line
My takeaways? No doubt, hackers will continue to target MSP-oriented software as a springboard into end-customer systems. Sometimes the attacks will involve software vulnerabilities. Other times, as I've outlined above, the attacks will involve legitimate remote control software used for illegal purposes. Consider yourself warned. Yet again.