A recent analysis shows how Scattered Spider's persistent help desk exploitation cost Clorox roughly $400 million.  It details Clorox's operational disruption and the critical steps organizations must take to protect against similar social engineering threats.  The cleaning products giant Clorox has sued its IT services partner, Cognizant, alleging that a devastating August 2023 ransomware attack, which crippled production and cost the company $380 million in lost revenue, was the result of the firm's negligence.

Cognizant is a global IT services provider, often contracted by large organizations to manage critical technology infrastructure and support functions. In the context of the Clorox security breach, Cognizant was responsible for handling IT support, including running the service desk that provided user credential management.

In a California Superior Court lawsuit, Clorox claims hackers linked to the Scattered Spider group simply obtained credentials by phoning Cognizant’s service desk for a password reset.  Clorox further alleges Cognizant botched its response, prolonging the recovery time.[1]

Specops Software, a password and service desk security vendor, recently published a detailed analysis of the incident, showing precisely how this straightforward service desk attack unfolded and drawing critical lessons for organizations.

According to their research, the incident began on 11 August 2023.  Criminal hackers, impersonating legitimate employees, placed multiple calls to Cognizant's service desk.  Their goal was to obtain password and Multi-Factor Authentication (MFA) resets for supposedly locked-out employees.

Despite Clorox’s clear cyber security procedures, the service desk agent reportedly bypassed these protocols, failing to verify the caller’s identity and providing new credentials.  Compounding the oversight, no alert emails were sent to the impersonated employee or their manager, a basic notification that could have warned Clorox’s security team.

The hackers then repeated this tactic, gaining access to a second account belonging to an IT-security employee.  This instantly elevated their access to domain-admin privileges, granting them unrestricted entry to Clorox’s core Active Directory environment, which controls user access across the network.

With high-level credentials, the intruders swiftly disabled security controls, escalated their privileges further, and deployed ransomware across key servers.  This silently encrypted data, severing vital links between manufacturing, distribution, and IT systems.  Production lines halted, and order fulfilment ceased.  Clorox reported $49 million in direct remediation expenses and a staggering $380 million in lost revenue.

Outsourcing critical IT support functions offers cost savings but can introduce vulnerabilities.  Notably, UK retailer Marks and Spencer faced a similar incident in which Scattered Spider tricked staff at its IT help desk contractor, Tata Consultancy Services (TCS), into resetting privileged credentials, likewise gaining Active Directory access.

This incident highlights the ongoing threat posed by Scattered Spider (aka 0ktapus, UNC3944).  As Hackread.com reported, this group has been involved in numerous high-profile breaches, including MGM Resorts and other major retailers.

From their persistent exploitation of help desks to target VMware vSphere environments, deploying ransomware directly from the hypervisor, to the Clorox incident, the pattern is the same: simple human vulnerabilities, if unaddressed, can lead to monumental financial and operational devastation.

To mitigate these risks, organizations must enforce strict Service Level Agreements (SLAs) with contractors, conduct regular red team exercises (simulated attacks) against outsourced processes, and demand transparent, real-time reporting of high-risk activities such as credential and MFA resets.  Crucially, service desk permissions should be locked down so that agents cannot reset admin or IT-privileged accounts without a secondary approval workflow, and every reset should trigger a notification to the account owner and their manager.
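The practical point is that these controls have to be enforced by the reset tooling, not left as a procedure an agent can skip under pressure from a convincing caller. The following is an added example, not code from Specops, Cognizant, Clorox or Red Sky Alliance: a policy gate a service desk tool could run before carrying out any password or MFA reset. The group names, the two verification steps, the burst threshold and the accounts are all assumptions. It denies a reset until the identity checks are recorded, requires an independent approver for any account in an admin or IT-security group, escalates an agent who handles an unusual number of reset calls within an hour, and returns the account owner and manager who must be notified, which together cover the verification, notification and privileged-reset failures described above.

```python
"""Service desk reset gate: policy checks a help desk tool could enforce
before any password or MFA reset is carried out (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, FrozenSet, List, Optional

# Assumed group names; map these to the real directory groups.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "IT-Security"}
# Hypothetical verification steps an agent must record on every call.
REQUIRED_CHECKS = {"employee_id", "manager_callback"}
BURST_WINDOW = timedelta(hours=1)
BURST_LIMIT = 4                            # attempts per agent per window before escalation
BASE_TIME = datetime(2023, 8, 11, 9, 0)    # incident date, used only as a time anchor


class Decision(Enum):
    DENY = "deny"
    NEEDS_APPROVAL = "needs_approval"
    ALLOW = "allow"


@dataclass
class Account:
    sam: str
    email: str
    manager_email: str
    groups: FrozenSet[str] = frozenset()

    @property
    def privileged(self) -> bool:
        return bool(self.groups & PRIVILEGED_GROUPS)


@dataclass
class ResetRequest:
    target: str                      # account the caller claims to own
    agent: str                       # service desk agent handling the call
    kind: str                        # "password" or "mfa"
    checks_done: FrozenSet[str]      # verification steps the agent recorded
    at: datetime
    approver: Optional[str] = None   # second person who signed off, if any


@dataclass
class Outcome:
    decision: Decision
    reasons: List[str] = field(default_factory=list)
    notify: List[str] = field(default_factory=list)   # who receives the alert e-mail


class ResetGate:
    def __init__(self, directory: Dict[str, Account]):
        self.directory = directory
        self.attempts: List[tuple] = []   # (time, agent, target) for every call

    def evaluate(self, req: ResetRequest) -> Outcome:
        # Record every attempt, denied ones included: repeated calls are the signal.
        self.attempts.append((req.at, req.agent, req.target))
        acct = self.directory.get(req.target)
        if acct is None:
            return Outcome(Decision.DENY, ["unknown account"])

        # Identity verification is mandatory; skipping it is what let the attackers in.
        missing = REQUIRED_CHECKS - set(req.checks_done)
        if missing:
            return Outcome(Decision.DENY,
                           ["verification incomplete: " + ", ".join(sorted(missing))])

        reasons = []
        recent = [t for t, a, _ in self.attempts
                  if a == req.agent and timedelta(0) <= req.at - t <= BURST_WINDOW]
        if len(recent) > BURST_LIMIT:
            reasons.append(f"{len(recent)} reset attempts via {req.agent} within the last hour")

        # Admin and IT-security accounts need a second, independent approver.
        if acct.privileged and (req.approver is None or req.approver == req.agent):
            reasons.append("privileged account: independent secondary approval required")

        if reasons:
            return Outcome(Decision.NEEDS_APPROVAL, reasons)

        # Allowed: the account owner and their manager are always told.
        return Outcome(Decision.ALLOW, [f"{req.kind} reset approved"],
                       [acct.email, acct.manager_email])


def make_request(target, agent, kind, checks, minutes, approver=None) -> ResetRequest:
    """Build a request `minutes` after BASE_TIME (helper for the demo)."""
    return ResetRequest(target, agent, kind, frozenset(checks),
                        BASE_TIME + timedelta(minutes=minutes), approver)


def demo() -> List[Outcome]:
    """Replay a call sequence modelled on the narrative above (constructed data)."""
    directory = {
        "jdoe": Account("jdoe", "jdoe@example.com", "jdoe.mgr@example.com"),
        "asmith": Account("asmith", "asmith@example.com", "ciso@example.com",
                          frozenset({"IT-Security", "Domain Admins"})),
    }
    gate = ResetGate(directory)
    calls = [
        make_request("jdoe", "agent7", "password", {"employee_id"}, 0),             # callback skipped
        make_request("jdoe", "agent7", "password", REQUIRED_CHECKS, 5),             # properly verified
        make_request("asmith", "agent7", "mfa", REQUIRED_CHECKS, 10),               # admin, no approver
        make_request("asmith", "agent7", "mfa", REQUIRED_CHECKS, 12, "desk.lead"),  # admin, approved
        make_request("asmith", "agent7", "mfa", REQUIRED_CHECKS, 20, "agent7"),     # self-approval + burst
    ]
    return [gate.evaluate(c) for c in calls]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome.decision.value, outcome.reasons, outcome.notify)
```

Running the file replays the constructed sequence: the first call is refused because the manager callback was never recorded, the third is held because the target sits in the IT-Security and Domain Admins groups and nobody else has signed off, and the fifth is held twice over, once because the agent tried to approve their own reset and once because it is the fifth reset attempt routed through that agent inside an hour. The gate deliberately records denied attempts as well as successful ones, because an attacker who is refused simply calls back.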

This article is shared with permission at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5207428251321676122

[1] https://hackread.com/how-scattered-spider-fake-calls-breach-clorox-cognizant/
