How Scattered Spider Used Fake Calls to Breach Clorox via Cognizant
Summary:
Clorox is suing its IT services partner, Cognizant, alleging that negligence led to a devastating $380 million ransomware attack in August 2023 that caused severe operational disruption. The lawsuit claims the Scattered Spider group gained initial access by tricking Cognizant's service desk into resetting passwords and MFA for seemingly legitimate Clorox employees, bypassing the usual opportunities for detection. The threat actor made multiple calls to the service desk, and Clorox states that the protocols for verifying a caller's identity were bypassed. The hackers then made a second attempt and gained access to a second account, this one belonging to an IT security employee. This initial compromise escalated to domain-admin privileges, allowing the attackers to disable security controls, deploy ransomware, and disrupt Clorox's production and distribution systems, resulting in significant financial losses and remediation expenses.
Security Officer Comments:
This incident underscores the persistent threat posed by vishing attacks that lead to post-exploitation activity, particularly against third-party services such as outsourced IT service desks. The Clorox breach, now publicly attributed to Scattered Spider, highlights how a seemingly low-sophistication tactic like a password reset scam can escalate to full domain compromise and catastrophic operational impact when fundamental controls, such as caller identity verification and robust escalation procedures, are bypassed. This mirrors previous Scattered Spider incidents against other organizations and shows the group continuing to refine a proven playbook. Organizations may find it helpful to prioritize stringent Service Level Agreements, multi-factor authentication for all critical resets, consistent red-teaming of outsourced processes, and restricted service desk permissions, so that a single failure cannot compromise a privileged account. The financial and operational fallout for Clorox is a reminder that the human element remains an unavoidable vulnerability if left unaddressed, with consequences that can far outweigh any perceived cost savings from outsourcing.
Suggested Corrections:
- Maintain strict SLAs that codify verification protocols
- Conduct frequent red team exercises on outsourced processes
- Require transparent, real-time reporting of all high-risk activities
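As an added example (not code from the page or its sources), the following Python check scans constructed service-desk reset records for the patterns described above: a reset completed without recorded identity verification, an MFA reset on a privileged or IT security account, and repeated reset calls from one caller within a short window. The log format, field names, caller numbers and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed service-desk records (not real Clorox or Cognizant data).
# Fields: timestamp, ticket, caller number, target account, action, verified, privileged
SAMPLE_LOG = """\
2023-08-11T09:02:00 T-1001 +1-555-0100 jdoe password_reset verified=yes priv=no
2023-08-11T09:04:00 T-1002 +1-555-0199 asmith password_reset verified=no priv=no
2023-08-11T09:06:00 T-1003 +1-555-0199 asmith mfa_reset verified=no priv=no
2023-08-11T09:31:00 T-1004 +1-555-0199 bsec mfa_reset verified=no priv=yes
2023-08-11T14:00:00 T-1005 +1-555-0142 cjones password_reset verified=yes priv=no
"""

WINDOW = timedelta(minutes=60)   # assumed correlation window for repeat callers
REPEAT_THRESHOLD = 2             # more than this many resets per caller in WINDOW is suspicious

def parse(log: str) -> list:
    """Turn the whitespace-separated records into dicts with typed fields."""
    records = []
    for line in log.splitlines():
        ts, ticket, caller, account, action, verified, priv = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts), "ticket": ticket, "caller": caller,
            "account": account, "action": action,
            "verified": verified == "verified=yes", "priv": priv == "priv=yes",
        })
    return records

def flag_high_risk_resets(records: list) -> list:
    """Return (ticket, reason) pairs for resets a reviewer should see in real time."""
    alerts = []
    by_caller = defaultdict(list)  # caller number -> timestamps of recent resets
    for r in sorted(records, key=lambda r: r["ts"]):
        if not r["verified"]:
            alerts.append((r["ticket"], "reset completed without recorded identity verification"))
        if r["priv"] and r["action"] == "mfa_reset":
            alerts.append((r["ticket"], "MFA reset on privileged/IT security account"))
        recent = [t for t in by_caller[r["caller"]] if r["ts"] - t <= WINDOW]
        recent.append(r["ts"])
        by_caller[r["caller"]] = recent
        if len(recent) > REPEAT_THRESHOLD:
            alerts.append((r["ticket"], f"{len(recent)} resets from caller {r['caller']} within {WINDOW}"))
    return alerts

if __name__ == "__main__":
    for ticket, reason in flag_high_risk_resets(parse(SAMPLE_LOG)):
        print(ticket, reason)
```

In the constructed data, the third call from the same number resets MFA on a privileged account without verification and trips all three rules at once; a legitimate verified reset (T-1001, T-1005) raises nothing.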
https://hackread.com/how-scattered-spider-fake-calls-breach-clorox-cognizant/
https://specopssoft.com/blog/clorox-password-social-engineering/