Latest news with #ScatteredSpider
Yahoo
2 days ago
- Business
- Yahoo
IT provider sued after it simply 'handed the credentials' to hackers — Clorox claims Cognizant gaffe enabled a $380m ransomware attack
Popular bleach brand Clorox has filed a case against Cognizant, its IT provider, after discovering that Cognizant had simply given access credentials to hackers posing as employees. According to an NBC News report, this breach allowed Scattered Spider, a hacking group that targets company service desks, to infect Clorox with ransomware in August 2023. The IT support gaffe allegedly resulted in around $380 million worth of damage and disruption for Clorox.

Cognizant manages Clorox's internal networks, and employees who have issues with their passwords, multi-factor authentication (MFA) codes, or VPNs must go through the IT provider to regain access to their systems. However, Clorox alleges that the Cognizant Service Desk handed out passwords without verifying the identity of the caller. Doing so would contradict the policies put in place to prevent unauthorized personnel from gaining access, which Ars Technica says include an internal verification process and a self-service password reset tool. If a user cannot use the self-service tool, Cognizant must verify their identity by asking for their manager's name and their username. A reset performed this way also emails the employee and their supervisor, which helps ensure some level of security.

Low-effort social engineering win for the cyber criminals

Unfortunately, this did not happen in several instances. Instead, Cognizant staff allegedly handed over passwords without confirming the caller's identity. One partial call transcript is offered as evidence of this: the alleged hacker tells the Cognizant employee, 'I don't have a password, so I can't connect,' and the employee replies without hesitation, 'Oh, ok. Ok. So, let me provide the password to you, okay?'

Impersonating authorized personnel is one of the most basic social engineering attacks, which is why many IT companies deploy several measures against it. Here, however, Cognizant's employees appear to have been too trusting and to have violated protocol, potentially leading to millions of dollars in losses for Clorox. The case shows that no matter how robust and sophisticated an organization's cybersecurity is, it can always be breached at its weakest point. 'Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques,' the lawsuit asserts. 'The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox's network, and Cognizant handed the credentials right over.'


Techday NZ
4 days ago
- Business
- Techday NZ
Global ransomware attacks drop 43% but threats evolve quickly
Ransomware attacks worldwide declined by 43% in the second quarter, yet threats continue to adapt and evolve, according to a new report from NCC Group. The report found a notable decrease in global ransomware activity, with incidents dropping by six percent month-on-month in June to 371 cases. Over the quarter, attacks fell by 1,180 cases compared with the previous quarter.

Experts attribute the reduction to seasonal slowdowns, including holiday observances such as Easter and Ramadan, as well as increased law enforcement interventions disrupting key ransomware operators. The analysis suggested the downturn may be temporary, warning that cybercriminals are likely to use this time to regroup and adopt more sophisticated social engineering strategies. Key disruptions in the ransomware ecosystem have opened opportunities for emerging groups to exploit gaps and continue targeting organisations.

Sectors under attack

The industrial sector remained the most targeted, experiencing 27% of all recorded attacks in June. Across the entire quarter, industrials represented nearly 30% of ransomware incidents, reaffirming the sector's prominence as a target for cybercriminals. Attacks on the consumer discretionary sector, which includes retail, dropped notably from 102 incidents in May to 76 in June, coinciding with reduced activity from the Scattered Spider group. Previously, Scattered Spider had claimed responsibility for prominent attacks on major retailers such as Marks & Spencer and the Co-op in May. Healthcare was the third most targeted sector, recording 42 attacks in June, almost double the figure reported in May. The information technology sector followed, with 33 attacks during June.

Threat groups' activities

In June, the ransomware group Qilin was named the most active, responsible for 16% of all attacks, rising from third place in May and increasing its activity from 95 incidents in the first quarter to 151 in the second quarter. Qilin has increasingly targeted both industrial and IT sectors and now offers legal assistance to its affiliates, helping them navigate law enforcement risks and improve their ability to pressure victims into paying ransoms. This is seen as indicative of the more structured, business-oriented approach developing within ransomware-as-a-service models. Akira was the second most active group in June with 31 recorded attacks, rising from its fourth-place ranking in May, while the Play group fell to third with 29 incidents. The SafePay group followed, dropping to fourth place with 27 attacks after suspicions of a recent rebranding.

Geographical impact

North America experienced the highest proportion of ransomware attacks, accounting for 58% of incidents in June and 52% across the entire second quarter. Europe saw an 8% decrease in attacks and made up 21% of global cases, fewer than half the number reported in North America. Asia was the origin of 12% of attacks, with South America recording the smallest regional share at four percent.

Cyber warfare and political motives

The report observed that ransomware is increasingly being used as part of political and cyber warfare tactics. In June, the Handala group, a pro-Palestine entity, claimed responsibility for targeting 17 Israeli organisations in the aftermath of significant regional conflict between Iran and Israel. The timing of the attacks, which began immediately following Israeli strikes on Iran, indicated a likely retaliatory motivation and suggested that ransomware could become further entrenched as a political tool. The UK Government's recent Industrial Strategy has highlighted the importance of cybersecurity in protecting vital national interests. Increased cyber warfare activity is leading to more robust state-level responses and driving the adoption of cybersecurity-focused policies globally.
"The volume of victims being exposed on ransomware leak sites might be declining, but this doesn't mean threats are reduced. Law enforcement crackdowns and leaked ransomware source code are possibly contributing factors in the drop in activity, but ransomware groups are using this opportunity to evolve through rebranding and the use of advanced social engineering tactics. We've already tracked 86 new and existing active attack groups this year, and we're on course to surpass 2024's record. The increased number of attackers means a broader range of attack methods that businesses need to be prepared for. Both organisations and nations should take this as a sign to remain vigilant. Investing in cyber security and intelligence-led defences is the key to staying ahead of increasingly agile threat actors."

These comments from Matt Hull, Global Head of Threat Intelligence at NCC Group, reflect ongoing concerns that, while raw attack numbers may have declined, the risk from ransomware remains significant because of the continued evolution of criminal tactics and the number of threat actors.


Techday NZ
5 days ago
- Business
- Techday NZ
Digital attack surfaces expand as key exposures & risks double
ReliaQuest's latest Digital Risk Protection trends report reveals a significant rise in the external cyber risks faced by organisations, as their digital footprints and corresponding attack surfaces continued to expand in the first half of 2025.

Rising exposures

The report analyses customer alerts across 38 types of external exposure, comparing data from the second half of 2024 with the first half of 2025. It found a 27% increase in exposed ports, a 35% rise in exposed operational technology (OT) ports, and a doubling of exposed access keys. Alerts for exposed marked documents, including sensitive information such as customer data and network diagrams, jumped by over 10%. Typo-squatting, the creation of counterfeit domains mimicking legitimate organisations, has remained a persistent risk, with threat actors such as "Scattered Spider" targeting technology vendors to steal credentials. According to the report, typo-squatted domains are particularly effective, often facilitating phishing campaigns across multiple client organisations.

CISOs must look beyond traditional security measures and address the external footprint: exposed credentials, open ports, and vulnerabilities. Proactively managing these exposures isn't just important; it's the frontline defense against external threats and a critical step in reducing the attack surface.

Consistent risk landscape

Throughout both late 2024 and the first half of 2025, the top five digital risks remained largely consistent. Exposed marked documents led with a steep increase to 37.8% of alerts, followed by impersonating domains (19.0%), impersonating subdomains (15.6%), exposed ports (7.1%), and credential exposure (4.6%). The report attributes some of the increase in exposed documents to accidental leaks on organisational websites. Such exposures are often sold on cybercriminal forums, and the resulting claims of company breaches can lead to regulatory action, lawsuits, and damage to brand reputation.

Expanding attack vectors

Enterprise organisations added an average of 28 new exposed ports per organisation in just six months, rising from 103 in the second half of 2024 to 131 in the first half of 2025. Increased exposure of FTP and SSH ports has provided a broader attack surface for threat actors. ReliaQuest reports that some attacks have occurred through Remote Desktop Protocol (RDP) logins, giving access to administrative accounts. While prompt detection and containment prevented escalation in one incident, the report underscores the importance of proactively managing exposed services.

Among OT systems, the average number of exposed ports per organisation rose by 35%, with Modbus (port 502) identified as the most commonly exposed, posing risks of unauthorised commands and potential shutdowns of key devices. Exposure of Unitronics port 20256 surged by 160%. The report cites cases where attackers, such as the group "CyberAv3ngers", targeted industrial control systems during conflicts, exploiting weak or default passwords.

Persistent vulnerabilities

The number of vulnerabilities identified on public-facing assets more than doubled, rising from three per organisation in late 2024 to seven in early 2025. Critical vulnerabilities dating as far back as 2006 and 2008 still persist on unpatched systems, with proof-of-concept code readily available online, making exploitation accessible even to attackers with limited expertise. The report also references the continued threat posed by ransomware groups that exploit such weaknesses in internet-facing devices.

Key exposures double

Incidents involving exposed access keys, including cloud and API keys, doubled from late 2024 to early 2025. Exposed credentials can let threat actors enter environments as legitimate users, bypassing perimeter defences. The report highlights that most exposures result from accidental code pushes to public repositories or leaks on criminal forums. The drop in credential access alerts is said to be linked to law enforcement actions against a major infostealer malware family, "Lumma", coupled with the temporary shutdown of the "BreachForums" marketplace. However, new malware strains have since begun to re-emerge, forcing security teams to continually adapt their defences.

Future trends

The report anticipates that attack surfaces will keep expanding with the increased adoption of Internet of Things (IoT) devices, projected to grow from 17.7 billion in 2024 to 31.2 billion by 2030. Security weaknesses in these devices remain a target for exploitation. The accelerating adoption of artificial intelligence likewise creates fresh risks, including prompt injection attacks and exposure of sensitive credentials during development processes. As on-premises systems become more difficult to breach with traditional methods, attackers are shifting toward the use of stolen credentials and the exploitation of internet-facing vulnerabilities, an evolution reflected in the tactics of ransomware and social engineering groups. The report concludes by highlighting the importance for organisations of proactively identifying and addressing external risks such as exposed credentials, open ports, and vulnerabilities as part of a broader digital risk protection strategy.


Reuters
7 days ago
- Business
- Reuters
Clorox accuses IT provider in lawsuit of giving hackers employee passwords
WASHINGTON, July 22 (Reuters) - Bleach maker Clorox (CLX.N) said Tuesday that it has sued information technology provider Cognizant (CTSH.O) over a devastating 2023 cyberattack, alleging the hackers gained access by asking the tech company's staff for its employees' passwords.

Clorox was one of several major companies hit in August 2023 by the hacking group dubbed Scattered Spider, which specializes in tricking IT help desks into handing over credentials and then using that access to lock up victims' systems for ransom. The group is often described as unusually sophisticated and persistent, but in a case filed in California state court on Tuesday, Clorox said one of Scattered Spider's hackers was able to repeatedly steal employees' passwords simply by asking for them.

"Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques," according to a copy of the lawsuit reviewed by Reuters. "The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox's network, and Cognizant handed the credentials right over."

Cognizant, in an emailed statement, pushed back, saying it did not manage cybersecurity for Clorox and was only hired for limited help desk services. "Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed," Cognizant said.

The suit was not immediately visible on the public docket of the Superior Court of Alameda County. Clorox provided Reuters with a receipt for the lawsuit from the court.

Three partial transcripts included in the lawsuit allegedly show conversations between the hacker and Cognizant support staff in which the intruder asks to have passwords reset and the support staff comply without verifying who they are talking to, for example by quizzing the caller on their employee identification number or their manager's name. "I don't have a password, so I can't connect," the hacker says in one call. The agent replies, "Oh, OK. OK. So let me provide the password to you OK?"

The apparent ease with which the hackers got what they wanted wasn't necessarily an indication that they weren't skilled, said Maxie Reynolds, a security expert who has specialized in social engineering and is not a party to the case. "They just tried what typically works," she said. Reynolds said the full transcripts were needed to offer a fair evaluation of what happened in 2023 but said that, "if all they had to do was call and ask straight out, that's not social engineering and it is negligence/non-fulfillment of duty."

The 2023 hack at Clorox caused $380 million in damages, the suit said, about $50 million of which was tied to remedial costs and the rest attributable to Clorox's inability to ship products to retailers in the wake of the hack. Clorox said the clean-up was hampered by other failures by Cognizant's staff, including failure to de-activate certain accounts or properly restore data.


CNA
7 days ago
- Business
- CNA
Clorox accuses IT provider in lawsuit of giving hackers employee passwords