Indicators from Wipro Breach
AlienVault | TLP: WHITE | Created: 2019-04-18 | Modified: 2019-04-18 | 52 IOCs
Wipro endpoints that were seeded with ScreenConnect, a legitimate remote access tool sold by Connectwise.com. Investigators believe the intruders were using the ScreenConnect software on the hacked Wipro systems to connect remotely to Wipro client systems, which were then used to leverage further access into Wipro customer networks. Additionally, investigators found at least one of the compromised endpoints was attacked with Mimikatz, an open source tool that can dump passwords stored in the temporary memory cache of a Microsoft Windows device.
Indicators of Compromise (52)