IT provider sued after it simply 'handed the credentials' to hackers — Clorox claims Cognizant gaffe enabled a $380m ransomware attack
Your network security is only as strong as its weakest link.

Popular bleach brand Clorox filed a case against Cognizant, its IT provider, after the company discovered that the latter had simply given away access credentials to hackers posing as employees. According to an NBC News report, this breach allowed Scattered Spider, a hacking group that targets company service desks, to infect Clorox with ransomware in August 2023. This IT support gaffe allegedly resulted in around $380 million worth of damage and disruption for Clorox.
Cognizant manages Clorox's internal networks, and employees who have issues with their passwords, multi-factor authentication (MFA) codes, and VPNs must coordinate with the IT provider to regain access to their system. However, Clorox alleges that the Cognizant Service Desk gave out access passwords without verifying the identity of the caller. Such action would contradict the policies that have been set in place to prevent unauthorized personnel from gaining access, which Ars Technica says include an internal verification and self-reset password tool. If the user does not have access to this tool, Cognizant must check their identity by asking for their manager’s name and their username. This would reset their password, but it would also email the employee and their supervisor to help ensure some level of security.
Low-effort social engineering win for the cyber criminals
Unfortunately, this did not happen in several instances. Instead, Cognizant staff simply handed over the passwords without confirming the identity of the caller, it is claimed. One partial call transcript provides evidence of this, with the alleged hacker telling the Cognizant employee, “I don’t have a password, so I can’t connect.” The employee then replied without hesitation, “Oh, ok. Ok. So, let me provide the password to you, okay?”
Assuming the identity of authorized personnel is one of the most basic social engineering attacks, which is why many IT companies deploy several measures against it. However, it seems that Cognizant’s employees were too trusting and violated protocol, potentially leading to millions of dollars in losses for Clorox. This goes to show that no matter how robust and sophisticated your cybersecurity is, it can always be breached at its weakest point.
“Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques,” the lawsuit asserts. “The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over.”

Jowi Morales is a tech enthusiast with years of experience working in the industry. He’s been writing with several tech publications since 2021, where he’s been interested in tech hardware and consumer electronics.
Vanderlindemedia
I've seen a DDoS happen, and the individual who was doing it messaged the site owner. "I can fix it" "I just need the login to your website" ...
ianbalgas
What could possibly go wrong with outsourcing your IT department to poorly trained, low-wage, nonlocal workers?
SomeoneElse23
ianbalgas said: What could possibly go wrong with outsourcing your IT department to poorly trained, low-wage, nonlocal workers?
Isn't that what the whole offshore movement is about?
I don't think corps care.
ingtar33
ianbalgas said: What could possibly go wrong with outsourcing your IT department to poorly trained, low-wage, nonlocal workers?
Too many CFOs don't see the value in local IT support. They see the IT department as a financial drain with no benefit to making money. Completely ignorant to the fact their whole business depends on computers and if the network goes down their whole business grinds to a halt.
I had one of those at my current employer. Thankfully he's gone now, but it was miserable working under the old one.
Thunder64
Were the passwords stored in plain text? Or did they reset it to something they then knew?
USAFRet
Thunder64 said: Were the passwords stored in plain text? Or did they reset it to something they then knew?
Did none of you read the writeup?
One partial call transcript provides evidence of this, with the alleged hacker telling the Cognizant employee, “I don’t have a password, so I can’t connect.” They then replied without hesitation, “Oh, ok. Ok. So, let me provide the password to you, okay?”
There was no 'hack', no 'inside job'.
Simple social engineering.....
"Hi, I'm Fred, from the Winnipeg office. My password doesn't work, and I can't connect."
'OK, here ya go.'
Thunder64
USAFRet said: Did none of you read the writeup?
There was no 'hack', no 'inside job'.
Simple social engineering.....
"Hi, I'm Fred, from the Winnipeg office. My password doesn't work, and I can't connect."
'OK, here ya go.'
But how could he look up said password? Was it not hashed?
USAFRet
Thunder64 said: But how could he look up said password? Was it not hashed?
He did not look up anything.
Literally - “I don’t have a password, so I can’t connect.”
tamalero
Thunder64 said: But how could he look up said password? Was it not hashed?
I do not think you understand what the process was.
Hackers posed as Clorox staff.
They called the IT company Cognizant or whatever their name was.
Cognizant provided via phone one critical password.
And that was all that was needed.
There was no "hacking" as in the process of attacking a table or database.
Thunder64
tamalero said: I do not think you understand what the process was.
Hackers posed as Clorox staff.
They called the IT company Cognizant or whatever their name was.
Cognizant provided via phone one critical password.
And that was all that was needed.
There was no "hacking" as in the process of attacking a table or database.
I don't understand and still seem to be missing it. How did Cognizant know the password to begin with? They should only allow a user to reset their password.