Global Current News

Clorox hackers tricked staff into giving up passwords

by Carien B.
August 9, 2025
in Cybersecurity

Being a hacker seems a complex task, I would assume: trying to break electronic codes and similar stuff to gain access to more restricted information. In other instances, it is just a phone call away, literally. Just give the IT helpdesk a fake employee status and voilà, there you have valuable passwords at your disposal. This is an unfortunate reality of what can happen sometimes. The moment access is granted to certain systems or information, the trouble begins. It is then that these hackers can really work their magic.

A notorious password predicament

Bleach maker Clorox CLX.N said Tuesday that it has sued information technology provider Cognizant CTSH.O over a devastating 2023 cyberattack, alleging that the hackers pulled off the intrusion simply by asking the tech company’s staff for employees’ passwords. Clorox was one of several major companies hit in August 2023 by the hacking group dubbed Scattered Spider, which specializes in tricking IT help desks into handing over credentials and then using that access to lock them up for ransom.

The group is often described as unusually sophisticated and persistent, but in a case filed in California state court on Tuesday, Clorox said one of Scattered Spider’s hackers was able to repeatedly steal employees’ passwords simply by asking for them. Although very loose-knit, UNC3944, or Scattered Spider, is an aggressive hacking group. It is also sometimes identified as Star Fraud, Muddled Libra, Octo Tempest and Scatter Swine. Its members are mainly young, native English speakers residing in the UK and the US.

A simple trick with some complex results

“Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques,” according to a copy of the lawsuit reviewed by Reuters. “The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over.” Cognizant did not immediately return a message seeking comment on the suit, which was not immediately visible on the public docket of the Superior Court of Alameda County. Clorox provided Reuters with a receipt for the lawsuit from the court.

Three partial transcripts included in the lawsuit allegedly show conversations between the hacker and Cognizant support staff in which the intruder asks to have passwords reset and the support staff complies without verifying who they are talking to, for example by quizzing them on their employee identification number or their manager’s name. “I don’t have a password, so I can’t connect,” the hacker says in one call. The agent replies, “Oh, ok. Ok. So let me provide the password to you, ok?”

How all of this affected Clorox

The 2023 hack caused $380 million in damages, Clorox said in the suit, about $50 million of which were tied to remedial costs and the rest of which were attributable to Clorox’s inability to ship products to retailers in the wake of the hack. Clorox said the clean-up was hampered by other failures by Cognizant’s staff, including failure to de-activate certain accounts or properly restore data.

In a lot of situations, companies are quite wary of openly admitting cybersecurity breaches, and manufacturers have a tendency to pay ransomware bounties to help eliminate the problem. Clorox wasn’t so fortunate and had to disclose the issue. This is due to a new SEC rule, under which disclosure of material cybersecurity incidents is required within four days of the actual incident.

According to information provided by the International Monetary Fund (IMF), the incidence of cyberattacks has shown a drastic increase since the COVID-19 pandemic. The cost of these attacks to firms varies, but can be higher than roughly $53,000 for US or UK companies with a staff complement of more than 1,000 employees. On a broader scale, the global average cost of a data breach can reach up to $4.88 million, as per the 2024 statistics. That is an almost 10% increase from the figures of the previous year.

GCN.com/Reuters

© 2025 by Global Current News