Data breaches at Access Aggregators

As cybercrime adapts to general business circumstances, a likely trend is the targeting of service providers who look after access control for other businesses. As small businesses look for support in moving to the cloud, many cloud solution providers are springing up to act as middle-men between the business and the cloud providers like AWS and Microsoft.

These Cloud Solution Providers generally will do all of the IT admin work associated with cloud access and provisioning, making them a great target for cyber criminals who want to get inside those smaller businesses.

Target Breach 2013

The Target breach in 2013 was the result of a phishing attack on a small HVAC business. Using the credentials issued to this small business, the attackers were able to gain access to Target's internal network via a poorly defended third-party portal that was designed to allow easy purchase order/invoicing communications.

Many small businesses have similar third-party access to the much larger companies they do business with, so attacking an access aggregator makes a lot of sense. Clearly AWS is also an access aggregator, arguably the largest such aggregator. But AWS and all the other major cloud providers spend a huge amount of money on cyber defence, and they are also home to lots of security professionals who know what they are doing.

A much easier set of targets are the cloud solution providers who see a market opportunity to provide a service to small businesses, but maybe don't have the resources or the will to implement security controls at a level appropriate to the business risk they are carrying.

Wipro and PCM Inc

The breach at Wipro, reported by Brian Krebs, has similarities with a second breach at PCM Inc (also reported by Brian). Both attackers seem to have been targeting retail gift cards, which is either an incredible coincidence or something more indicative of a connection between the two attacks.

Retail gift cards seem an incredibly random thing to go after, given the administrative access available to the attackers once they had compromised these business networks.

Trust Issues

The problem with giving your keys to someone else is that you are trusting that entity to secure them appropriately.

A phishing attack on an access aggregator that yields administrative privileges at that aggregator also provides a route to administrative privileges at all of their clients. The attacker has access not only to all the keys of the aggregator, but also to all the keys that it holds on behalf of everyone else.

The Wipro attack is a worrying case in point. Wipro’s clients include some of the biggest names in global business. They provide IT Outsourcing services to a huge number of clients.

That IT outsourcing requires Wipro staff to hold administrative privileges on their clients' networks and systems, so they can carry out basic IT administrative duties.

A successful attack on Wipro potentially exposes all of their clients that have entrusted their keys to Wipro.

Wipro may not be very Pro at all

That is why it is quite surprising how little noise there has been about this attack since the Wipro financial results call.

Graham Cluley kindly made a recording of the relevant section of that earnings call available on Twitter. It graphically illustrates why exposing your lack of knowledge as a senior leadership team is most probably not what you want to do with the World and its dog listening. They appeared unprepared and ignorant of the facts associated with the incident.

So what next?

It has been pretty much radio silence from Wipro since that call almost three months ago (16th April 2019). Clearly an update on the investigation is required at the next quarterly call on Wednesday 17th July at 9:45am (EST).

There must be some serious conversations happening behind the scenes with major clients of Wipro, all wanting confirmation that their systems have not been exposed.

The GDPR angle

There will be lots of businesses caught up in this that have entrusted EU-resident personal data to Wipro as part of their IT outsourcing contracts. But it doesn't look like Wipro wants to play ball with acknowledging what actually happened on their network. There is no basis in Indian law for breach notification or the rights of breach victims, but that does not release Wipro from the tentacles of the GDPR. If there is EU-resident personal data in there somewhere, then the ICO can act.

One presumes that Wipro may not even hold the event logs on its systems to confirm or deny anything. It looks like the ICO should be asking Wipro a lot of very uncomfortable questions at the moment.

Clearly a company that provides such services as part of its outsourcing business, yet lacks basic security controls, should be looking at a fine towards the higher end of maximum-fine territory (4% of global revenues, which for Wipro stands at $8.5B x 4% = $340m).

I await with interest the next instalment of the Wipro saga. Updates after Wednesday's call.
