Product Exec: Wipro Breach Appears To Be 'Legitimate Use' Of ConnectWise Control
ConnectWise Chief Product Officer Jeff Bishop says the KrebsOnSecurity report about the Wipro breach doesn’t seem to indicate that the ConnectWise Control product was hacked or accessed improperly.
ConnectWise Chief Product Officer Jeff Bishop told CRN that a highly publicized breach of IT outsourcing behemoth Wipro appears to be a "legitimate use" of the ConnectWise Control remote support and remote access tool.
"Something like what was described sounds a lot like legitimate use," said Bishop, who was previously vice president of ConnectWise Control. "Deploying agents within a company, logging in and getting connected to machines, and performing activity on those machines— that's kind of what remote control is designed to do. That would potentially look like legitimate use."
Bishop said his understanding of the Wipro breach is that the Control product wasn't hacked or accessed improperly. Instead, Bishop said the hackers were supposedly authenticating through a legitimate instance of the remote control machine.
[Related: Wipro Hackers Also Went After Seven Other Solution Provider Giants: Report]
Specifically, Bishop said the reports indicate somebody gained access to Wipro's network and was able to deploy agents without having to contact, inform or ask anyone. In order to deploy an agent on a machine, Bishop said, the adversary would either need to have full access to the network, or contact the person sitting on the machine and convince them to install the agent.
"It's no different from what an MSP does for a client," Bishop said. "They gain access to a network and they deploy agents so that they can remotely view and control devices."
KrebsOnSecurity—which first broke the story on the Wipro breach—reported that the ConnectWise Control remote support and remote access tool (formerly ScreenConnect) had been used to take control of more than 100 Wipro endpoints as part of an advanced phishing campaign that was used to capture customer data as part of gift card fraud exploit.
The hackers were believed to be using ConnectWise Control on the hacked Wipro systems to connect remotely to Wipro client systems, KrebsOnSecurity reported. From there, the hackers capitalized on their position to obtain further access into Wipro customer networks, according to KrebsOnSecurity.
This is similar to allegations made by rewards program management firm Maritz Holdings in a May 2018 lawsuit against IT service provider Cognizant.
In that case, Maritz Holdings alleged that attackers had used ConnectWise Control as part of a cyberattack in spring 2016 and accessed computers belonging to Maritz employees in spring 2017. Cognizant didn’t respond to a request for comment.
As for the Wipro breach, Bishop said reports seem to indicate that an on-premises version of ConnectWise Control was installed inside the network with agents deployed by the adversary to gain access to Wipro.
ConnectWise has limited access and information about how the on-premises version of Control is being used beyond potentially knowing who purchased a product license from the vendor, Bishop said.
However, Bishop said an individual user signing up for ConnectWise Control could deliberately provide inaccurate information to hide their identity. The product is used by both VARs and MSPs as well as internal IT departments, Bishop said, and can be purchased online by anyone.
ConnectWise uses machine learning to look for anomalies in Control such as unorthodox naming conventions, someone misusing a case of Microsoft, or IP addresses coming from other countries at odd times, Bishop said.
Once an unusual occurrence is detected within ConnectWise's own reporting, Bishop said the company would dig in to determine whether or not Control was being used legitimately.
Since putting the machine learning in place years ago, Bishop said ConnectWise has been able to knock down between a dozen and two dozen potential scammers or malicious users daily. Many of these bad actors are people who signed up online for a trial version of Control, according to Bishop.
Stopping a threat actor from deploying unwanted agents is more about network security than the features and functions of a particular remote control product, Bishop said. Adversaries would have to physically be inside a network or have gained access or permissions for that environment in order to be able to deploy agents on a machine, according to Bishop.
"It sounds more like somehow, somebody gained illegal access to a company's environment, deployed agents from a remote control product onto those devices, and took advantage of that," Bishop said. "It seems like someone utilized the product [ConnectWise Control] to perform a malicious activity."
Wipro is not commenting on whether or not ConnectWise Control was used during the breach. ConnectWise, for its part, confirmed that Wipro is not a ConnectWise customer.
Beyond that, ConnectWise said it cannot comment on whether "we have or have not communicated with a company that has potentially been hacked or with a company that has confirmed they have been hacked."
Bishop said he was first made aware of the reported use of ConnectWise Control as part of the Wipro hack by KrebsOnSecurity as well as several other mentions of the supposed activity in online forums and communities.
ConnectWise treats news articles about a potential security event in a similar manner to reports of malicious activity by a potential victim or law enforcement, Bishop said.
In instances like this, Bishop said ConnectWise would do a deep dive to collect information and learn what it can about the supposed incident, and then share the information with proper authorities if the company is legally able to do so.
"If some sort of security incident occurs with our product, we take it very seriously and we investigate to see what we can find," Bishop said.