Increased Social Engineering Attacks Targeting MFA and Help Desks
Summary
Threat actors, including groups like Scattered Spider, are increasingly using social engineering tactics to bypass multi-factor authentication (MFA) and gain unauthorized access to enterprise networks. These attacks often target help desk personnel, exploiting human vulnerabilities to reset passwords or override MFA. The FBI and CISA have issued alerts about the growing threat of such high-touch social engineering campaigns. The attack on Clorox by Scattered Spider resulted in approximately $380 million in damages, including $49 million in remedial costs and hundreds of millions in business-interruption losses. The attackers exploited the service desk run by Cognizant, repeatedly phoning to obtain password and MFA resets without meaningful verification. This incident highlights the need for robust caller verification and stringent security protocols in help desk operations. Organizations must rethink their help desk operations, focusing on training, validation processes, and a security-first culture. Frontline staff need to recognize red flags and escalate suspicious requests. Executives and senior leaders should model verification behavior, reinforcing that diligence is expected throughout the organization. Effective defense against these attacks requires ongoing training, relevant simulations, and a culture that prioritizes security over speed. Help desk and security teams must collaborate closely to identify and mitigate potential threats.
Timeline
- 10.09.2025 17:02 (1 article)
  Scattered Spider Attack on Clorox via Cognizant Service Desk
  The attack on Clorox by Scattered Spider resulted in approximately $380 million in damages, including $49 million in remedial costs and hundreds of millions in business-interruption losses. The attackers exploited the service desk run by Cognizant, repeatedly phoning to obtain password and MFA resets without meaningful verification. This incident underscores the need for robust caller verification and stringent security protocols in help desk operations. The article also provides actionable steps for defenders to enhance security measures and mitigate similar threats.
  Sources:
  - Can I have a new password, please? The $400M question. — www.bleepingcomputer.com — 10.09.2025 17:02
- 21.08.2025 17:00 (2 articles)
  FBI Alerts on Social Engineering Attacks Targeting MFA and Help Desks
  The FBI has issued alerts about groups like Scattered Spider executing multistage, high-touch social engineering campaigns. These attacks target help desk personnel to bypass MFA and gain unauthorized access to enterprise networks. Organizations are advised to enhance training, validation processes, and security culture to mitigate these threats. The attack on Clorox by Scattered Spider resulted in approximately $380 million in damages, including $49 million in remedial costs and hundreds of millions in business-interruption losses. The attackers exploited the service desk run by Cognizant, repeatedly phoning to obtain password and MFA resets without meaningful verification. This incident highlights the need for robust caller verification and stringent security protocols in help desk operations.
  Sources:
  - Prepping the Front Line for MFA Social Engineering Attacks — www.darkreading.com — 21.08.2025 17:00
  - Can I have a new password, please? The $400M question. — www.bleepingcomputer.com — 10.09.2025 17:02
Information Snippets
- Social engineering attacks targeting MFA and help desks are on the rise, with groups like Scattered Spider actively exploiting these vulnerabilities.
  First reported: 21.08.2025 17:00 (2 sources, 2 articles)
  - Prepping the Front Line for MFA Social Engineering Attacks — www.darkreading.com — 21.08.2025 17:00
  - Can I have a new password, please? The $400M question. — www.bleepingcomputer.com — 10.09.2025 17:02
- Threat actors use tactics such as urgency, familiarity, and manipulation to bypass traditional perimeter controls.
  First reported: 21.08.2025 17:00 (2 sources, 2 articles)
  - Prepping the Front Line for MFA Social Engineering Attacks — www.darkreading.com — 21.08.2025 17:00
  - Can I have a new password, please? The $400M question. — www.bleepingcomputer.com — 10.09.2025 17:02
- Help desk personnel are prime targets for social engineering attacks due to their access to password resets and MFA overrides.
  First reported: 21.08.2025 17:00 (2 sources, 2 articles)
  - Prepping the Front Line for MFA Social Engineering Attacks — www.darkreading.com — 21.08.2025 17:00
  - Can I have a new password, please? The $400M question. — www.bleepingcomputer.com — 10.09.2025 17:02
- Organizations must train help desk staff to recognize red flags, such as calls from unknown numbers, excessive urgency, and manipulative tones.
  First reported: 21.08.2025 17:00 (2 sources, 2 articles)
  - Prepping the Front Line for MFA Social Engineering Attacks — www.darkreading.com — 21.08.2025 17:00
  - Can I have a new password, please? The $400M question. — www.bleepingcomputer.com — 10.09.2025 17:02
- Escalation protocols should be in place to verify suspicious requests through out-of-band channels, such as personal numbers or video calls.
  First reported: 21.08.2025 17:00 (2 sources, 2 articles)
  - Prepping the Front Line for MFA Social Engineering Attacks — www.darkreading.com — 21.08.2025 17:00
  - Can I have a new password, please? The $400M question. — www.bleepingcomputer.com — 10.09.2025 17:02
- Executives and senior leaders should model verification behavior and reinforce the importance of diligence in security protocols.
  First reported: 21.08.2025 17:00 (2 sources, 2 articles)
  - Prepping the Front Line for MFA Social Engineering Attacks — www.darkreading.com — 21.08.2025 17:00
  - Can I have a new password, please? The $400M question. — www.bleepingcomputer.com — 10.09.2025 17:02
- Every password or MFA reset should be treated as a potential security incident, with context and behavior analysis.
  First reported: 21.08.2025 17:00 (2 sources, 2 articles)
  - Prepping the Front Line for MFA Social Engineering Attacks — www.darkreading.com — 21.08.2025 17:00
  - Can I have a new password, please? The $400M question. — www.bleepingcomputer.com — 10.09.2025 17:02
- Organizational culture must prioritize security over speed, with ongoing training and relevant simulations to prepare help desk staff.
  First reported: 21.08.2025 17:00 (2 sources, 2 articles)
  - Prepping the Front Line for MFA Social Engineering Attacks — www.darkreading.com — 21.08.2025 17:00
  - Can I have a new password, please? The $400M question. — www.bleepingcomputer.com — 10.09.2025 17:02
- Collaboration between help desk and security teams is crucial for identifying and mitigating potential threats.
  First reported: 21.08.2025 17:00 (2 sources, 2 articles)
  - Prepping the Front Line for MFA Social Engineering Attacks — www.darkreading.com — 21.08.2025 17:00
  - Can I have a new password, please? The $400M question. — www.bleepingcomputer.com — 10.09.2025 17:02
- The attack on Clorox by Scattered Spider resulted in approximately $380 million in damages, including $49 million in remedial costs and hundreds of millions in business-interruption losses.
  First reported: 10.09.2025 17:02 (1 source, 1 article)
  - Can I have a new password, please? The $400M question. — www.bleepingcomputer.com — 10.09.2025 17:02
- The attackers exploited the service desk run by Cognizant, repeatedly phoning to obtain password and MFA resets without meaningful verification.
  First reported: 10.09.2025 17:02 (1 source, 1 article)
  - Can I have a new password, please? The $400M question. — www.bleepingcomputer.com — 10.09.2025 17:02
- The attack on Clorox led to operational paralysis, including production systems taken offline, paused manufacturing, manual order processing, and shipment delays.
  First reported: 10.09.2025 17:02 (1 source, 1 article)
  - Can I have a new password, please? The $400M question. — www.bleepingcomputer.com — 10.09.2025 17:02
- CISA and other agencies have flagged the pattern of Scattered Spider targeting contracted help desks, which often have high-privilege access to multiple customers' environments.
  First reported: 10.09.2025 17:02 (1 source, 1 article)
  - Can I have a new password, please? The $400M question. — www.bleepingcomputer.com — 10.09.2025 17:02
- Outsourcing help-desk functions can amplify risk if the vendor's verification process is weak or poorly enforced, leading to concentric trust, process drift, and visibility gaps.
  First reported: 10.09.2025 17:02 (1 source, 1 article)
  - Can I have a new password, please? The $400M question. — www.bleepingcomputer.com — 10.09.2025 17:02
- Defenders should enforce out-of-band verification, require approval thresholds, use short-lived elevation and session isolation, automate telemetry and containment, and translate detection into rules.
  First reported: 10.09.2025 17:02 (1 source, 1 article)
  - Can I have a new password, please? The $400M question. — www.bleepingcomputer.com — 10.09.2025 17:02
- Organizations should include contractual requirements for vendor-side technical controls, auditability, and measurable SLAs for MTTD/MTTR on suspected account compromises.
  First reported: 10.09.2025 17:02 (1 source, 1 article)
  - Can I have a new password, please? The $400M question. — www.bleepingcomputer.com — 10.09.2025 17:02
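The snippets above recommend treating every reset as a potential incident, enforcing out-of-band verification, requiring approval thresholds for sensitive accounts, and translating detection into rules. The following is an added example (not code from either cited article) showing how those rules can be applied to help-desk ticket records; the log format, field names and verification labels are assumptions made for this example.

```python
"""Flag help-desk credential resets that deserve incident-style review.

Added example: a small rule set that turns the page's guidance (out-of-band
verification, approval thresholds, treat every reset as a potential incident)
into checks over help-desk ticket records. The CSV layout below is assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ticket log (assumed format):
# time, ticket, account, action, verification method, privileged account?
SAMPLE_LOG = """\
2025-09-01T09:02:00,T1001,jdoe,password_reset,oob_callback,no
2025-09-01T09:10:00,T1002,asmith,mfa_reset,none,no
2025-09-01T09:31:00,T1003,asmith,password_reset,caller_id,no
2025-09-01T14:05:00,T1004,itadmin1,mfa_reset,none,yes
2025-09-01T14:07:00,T1005,itadmin1,password_reset,manager_approval,yes
2025-09-02T08:00:00,T1006,bwong,password_reset,video_call,no
"""

# Verification methods that count as out-of-band or explicitly approved.
# Caller ID alone is not one of them: it is easily spoofed.
STRONG_VERIFICATION = {"oob_callback", "video_call", "manager_approval"}
WINDOW = timedelta(hours=24)  # correlation window for related resets


def parse_log(text):
    """Parse the assumed CSV layout into a list of ticket dicts."""
    rows = []
    for line in text.strip().splitlines():
        ts, ticket, account, action, verification, privileged = line.split(",")
        rows.append({"time": datetime.fromisoformat(ts), "ticket": ticket,
                     "account": account, "action": action,
                     "verification": verification,
                     "privileged": privileged == "yes"})
    return rows


def flag_resets(rows):
    """Return {ticket: [reasons]} for resets that should be escalated."""
    findings = defaultdict(list)
    history = defaultdict(list)  # account -> earlier resets seen
    for r in sorted(rows, key=lambda r: r["time"]):
        # Rule 1: any reset done without out-of-band/approved verification.
        if r["verification"] not in STRONG_VERIFICATION:
            findings[r["ticket"]].append("weak_verification")
        # Rule 2: privileged accounts need an approval threshold, not a callback.
        if r["privileged"] and r["verification"] != "manager_approval":
            findings[r["ticket"]].append("privileged_without_approval")
        # Rule 3: password reset plus MFA reset on one account inside the
        # window is the takeover pattern described in the Clorox case.
        recent = [p for p in history[r["account"]] if r["time"] - p["time"] <= WINDOW]
        if any(p["action"] != r["action"] for p in recent):
            findings[r["ticket"]].append("password_and_mfa_reset_in_window")
        history[r["account"]].append(r)
    return dict(findings)
```

Tickets with no findings (T1001, T1006) were verified out of band; the rest would be routed to the security team rather than closed by the help desk alone.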
Similar Happenings
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks. The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families like RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat.
GeoServer RCE Exploit Used in Federal Agency Breach
A U.S. federal civilian executive branch (FCEB) agency was breached in July 2024 after attackers exploited an unpatched GeoServer instance. The attackers gained initial access through a critical remote code execution (RCE) vulnerability (CVE-2024-36401) and moved laterally within the network, deploying web shells and scripts for persistence and privilege escalation. The breach remained undetected for three weeks until the agency's Endpoint Detection and Response (EDR) tool alerted the Security Operations Center (SOC). The attackers exploited the vulnerability in GeoServer, which was patched in June 2024 but remained unpatched in the agency's environment. They used brute force techniques for lateral movement and privilege escalation, accessing service accounts and deploying web shells like China Chopper. The breach highlights the importance of timely patching, continuous monitoring of EDR alerts, and comprehensive incident response plans. The attackers discovered the vulnerable GeoServer instances by conducting network scanning with Burp Suite. They exploited the vulnerability to gain access to a public-facing GeoServer instance and downloaded open-source scripts and tools for lateral movement. On July 24, 2024, the attackers exploited the same vulnerability to gain access to a second GeoServer instance and moved laterally to a Web server and SQL server, where they dropped web shells, including China Chopper. The attackers also used Stowaway for command-and-control (C2) traffic and attempted to exploit CVE-2016-5195 for privilege escalation. The agency's incident response plan was inadequate, and some public-facing resources lacked endpoint protection, allowing the breach to remain undetected for three weeks.
Critical deserialization flaw in GoAnywhere MFT (CVE-2025-10035) patched
Fortra has disclosed and patched a critical deserialization vulnerability (CVE-2025-10035) in GoAnywhere Managed File Transfer (MFT) software. This flaw, rated 10.0 on the CVSS scale, allows for arbitrary command execution if the system is publicly accessible over the internet. The vulnerability was actively exploited in the wild as early as September 10, 2025, a week before public disclosure. Fortra has released patches in versions 7.8.4 and 7.6.3. The flaw impacts the same license code path as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023, including LockBit. The vulnerability was discovered during a security check on September 11, 2025. Fortra advised customers to review configurations immediately and remove public access from the Admin Console. The Shadowserver Foundation is monitoring over 470 GoAnywhere MFT instances, but the number of patched instances is unknown. The flaw is highly dependent on systems being externally exposed to the internet. The exploitation sequence involved creating a backdoor account and uploading additional payloads, originating from an IP address flagged for brute-force attacks.
APT41 targets U.S. trade officials with phishing campaigns amid negotiations
APT41, a China-linked threat group, has been conducting targeted phishing campaigns against U.S. trade officials, law firms, think tanks, and academic organizations. The attacks, impersonating U.S. officials and organizations, aim to steal sensitive data related to U.S.-China trade negotiations. The campaigns have been ongoing since at least January 2025, with a surge in activity observed in July and August 2025. The U.S. House Select Committee on China has issued a formal advisory warning about these activities, linking them to a Beijing-led effort to influence policy deliberations. The FBI is investigating these attacks. The phishing emails impersonate U.S. officials, including Rep. John Robert Moolenaar, and organizations such as the U.S.-China Business Council, to trick recipients into opening malicious attachments or links. The attacks exploit software and cloud services to evade detection and exfiltrate data. The goal is to gain an advantage in trade and foreign policy negotiations. The Chinese embassy has denied the allegations, stating that China opposes cyber attacks and cyber crime. APT41 has been linked to various sophisticated campaigns targeting multiple sectors, including logistics, utility companies, healthcare, high-tech, and telecommunications.
Supply Chain Attack on Drift via OAuth Token Theft
A supply chain attack targeted the Drift chatbot, a marketing software-as-a-service product, resulting in the mass theft of OAuth tokens from multiple companies. Salesloft, the parent company, took Drift offline on September 5, 2025, to review and enhance security. Affected companies include Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, and Zscaler. The threat actor, tracked as UNC6395 and GRUB1, exploited OAuth tokens to access Salesforce data. The attack underscores the risks associated with third-party integrations and the importance of robust security measures in enterprise defenses.