
Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

Scattered Spider Social Engineering Attack on Clorox via Cognizant Service Desk

📰 1 unique source, 1 article

Summary


In August 2023, the Scattered Spider group exploited human fallibility to hack Clorox by repeatedly calling the service desk run by Cognizant. The attackers impersonated locked-out employees and requested password and MFA resets without proper verification. This led to domain-admin access and significant financial damage, including $380 million in losses due to operational paralysis and data loss. The attack highlights the risks of weak verification processes in outsourced service desks. The attackers successfully obtained repeated resets by mimicking legitimate user behavior and pressuring service desk agents to skip security protocols. The impact included production system outages, manufacturing pauses, manual order processing, and shipment delays, resulting in substantial business-interruption losses and remedial costs. The incident underscores the importance of robust caller verification and enforcement of security protocols in third-party service desks to prevent similar attacks.

Timeline

  1. 10.09.2025 17:02 📰 1 article · ⏱ 6d ago

    Scattered Spider Social Engineering Attack on Clorox via Cognizant Service Desk

    In August 2023, Scattered Spider exploited human fallibility to hack Clorox by repeatedly calling the service desk run by Cognizant. The attackers impersonated locked-out employees and requested password and MFA resets without proper verification. This led to domain-admin access and significant financial damage, including $380 million in losses due to operational paralysis and data loss. The attackers successfully obtained repeated resets by mimicking legitimate user behavior and pressuring service desk agents to skip security protocols. The impact included production system outages, manufacturing pauses, manual order processing, and shipment delays, resulting in substantial business-interruption losses and remedial costs.


Information Snippets

  • Scattered Spider group targeted Clorox through Cognizant's service desk in August 2023.

    First reported: 10.09.2025 17:02
    📰 1 source, 1 article
  • Attackers impersonated employees to request password and MFA resets.

    First reported: 10.09.2025 17:02
    📰 1 source, 1 article
  • The attack resulted in $380 million in damages, including $49 million in remedial costs and hundreds of millions in business-interruption losses.

    First reported: 10.09.2025 17:02
    📰 1 source, 1 article
  • The attackers exploited weak verification processes to gain domain-admin access.

    First reported: 10.09.2025 17:02
    📰 1 source, 1 article
  • Clorox experienced operational paralysis and data loss due to the attack.

    First reported: 10.09.2025 17:02
    📰 1 source, 1 article
  • CISA and other agencies have flagged similar patterns of attacks targeting outsourced help desks.

    First reported: 10.09.2025 17:02
    📰 1 source, 1 article
  • Outsourced help desks often have broad, cross-tenant privileges and fast-path workflows.

    First reported: 10.09.2025 17:02
    📰 1 source, 1 article
  • Process drift and scale in large vendors can lead to weak verification practices.

    First reported: 10.09.2025 17:02
    📰 1 source, 1 article
  • Visibility gaps in third-party desks can delay detection of malicious activities.

    First reported: 10.09.2025 17:02
    📰 1 source, 1 article

Similar Happenings

UNC6040 and UNC6395 Target Salesforce Platforms in Data Theft Campaigns

The FBI has issued an alert about two cybercriminal groups, UNC6040 and UNC6395, targeting Salesforce platforms for data theft and extortion. UNC6395 exploited compromised OAuth tokens for the Salesloft Drift application, while UNC6040 used vishing campaigns and modified Salesforce tools to breach Salesforce instances. Both groups have been active since at least October 2024, impacting multiple organizations. UNC6040 has been linked to extortion activities, with Google attributing these to a separate cluster, UNC6240, which has claimed to be the ShinyHunters group. The ShinyHunters group, along with Scattered Spider and LAPSUS$, recently announced they are going dark, but experts warn that the threat persists. UNC6040 impersonated corporate IT support personnel to gain access to Salesforce environments and used modified versions of Salesforce's Data Loader to exfiltrate data. Salesforce re-enabled integrations with Salesloft technologies, except for the Drift app, which remains disabled.

Akira Ransomware Group Exploits SonicWall SSL VPN Flaws

The Akira ransomware group has been actively exploiting SonicWall SSL VPN flaws and misconfigurations to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting SonicWall devices to facilitate ransomware operations. The group leverages a combination of security vulnerabilities, including a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings, to bypass access controls and infiltrate networks. Organizations are advised to rotate passwords, remove unused accounts, enable multi-factor authentication, and restrict access to the Virtual Office Portal to mitigate risks. The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of SonicWall SSL VPNs and issued alerts about the increased exploitation of CVE-2024-40766.

Supply Chain Attack on npm Packages with Billions of Weekly Downloads

A supply chain attack compromised multiple npm packages with over 2.6 billion weekly downloads. Attackers injected malicious code into these packages after hijacking a maintainer's account via phishing. The malware targets web-based cryptocurrency transactions, redirecting them to attacker-controlled wallets. The attack was detected and mitigated by the NPM team, who removed the malicious versions within two hours. The phishing campaign targeted multiple maintainers, using a fake domain to trick them into updating their 2FA credentials. The malicious code operates by hooking into JavaScript functions and wallet APIs, intercepting and altering cryptocurrency transactions. The attack impacts users who installed the compromised packages during a specific time window and have vulnerable dependencies. The attack targeted Josh Junon, also known as Qix, who received a phishing email mimicking npm. The phishing email prompted the maintainer to enter their username, password, and 2FA token, which were stolen via an adversary-in-the-middle (AitM) attack. The attack affected 20 packages, including ansi-regex, chalk, debug, and others, with over 2 billion weekly downloads. The malware intercepts cryptocurrency transaction requests by computing the Levenshtein distance to swap the destination wallet address. The payload hooks into window.fetch, XMLHttpRequest, and window.ethereum.request, along with other wallet provider APIs. The attack also compromised another maintainer, duckdb_admin, to distribute the same wallet-drainer malware. The affected packages from the second maintainer include @coveops/abi, @duckdb/duckdb-wasm, and prebid, among others. The attack impacted roughly 10% of all cloud environments. The attackers diverted five cents worth of ETH and $20 worth of a virtually unknown memecoin. The attacker's wallet addresses holding significant amounts have been flagged, limiting their ability to convert or use the funds.

Apple patches Image I/O zero-day exploited in targeted attacks

Apple has released emergency updates to fix a zero-day vulnerability (CVE-2025-43300) in the Image I/O framework. The flaw, an out-of-bounds write issue, was exploited in "extremely sophisticated" targeted attacks against specific individuals. The vulnerability affects multiple iOS, iPadOS, and macOS versions and devices. Apple has not attributed the discovery to a specific researcher or provided details about the attacks. The flaw allows attackers to exploit the vulnerability by supplying malicious input, potentially leading to remote code execution. Affected devices include various iPhone, iPad, and Mac models running specific versions of iOS, iPadOS, and macOS. The flaw was discovered internally by Apple and addressed with improved bounds checking. The vulnerability has been exploited as part of highly targeted attacks. Users are advised to install the updates promptly to mitigate potential ongoing attacks. CERT-FR has reported at least four instances of Apple threat notifications alerting users about mercenary spyware attacks since the beginning of the year. The attacks target individuals based on their status or function, including journalists, lawyers, activists, politicians, and senior officials. Apple has sent threat notifications to users in over 150 countries since 2021. Apple has backported fixes for the vulnerability to older versions of iOS, iPadOS, and macOS, including iOS 16.7.12, iPadOS 16.7.12, iOS 15.8.5, and iPadOS 15.8.5. The updates also address multiple other security flaws in various Apple products. The flaw was chained with a WhatsApp zero-click vulnerability (CVE-2025-55177) in targeted attacks. The attacks were described as "extremely sophisticated" by Apple and WhatsApp. Samsung also patched a remote code execution vulnerability chained with the CVE-2025-55177 WhatsApp flaw in zero-day attacks targeting its Android devices.