In August 2023, Clorox fell victim to a social engineering attack executed by the Scattered Spider group. Attackers impersonated locked-out employees via repeated calls to Cognizant’s outsourced service desk, exploiting weak verification processes to reset passwords and multi-factor authentication (MFA). This granted them domain-admin access, enabling lateral movement across Clorox’s systems. The breach led to operational paralysis, including offline production systems, paused manufacturing, manual order processing, and shipment delays, causing $380 million in damages comprising $49 million in remediation costs and hundreds of millions in business-interruption losses. The incident underscored vulnerabilities in third-party help desk security, particularly outsourced high-privilege access, and highlighted the cascading impact of a single compromised identity on enterprise-wide operations. Clorox’s lawsuit alleged contractual violations by Cognizant, citing failure to enforce mandatory authentication procedures before credential resets.
Source: https://www.bleepingcomputer.com/news/security/can-i-have-a-new-password-please-the-400m-question/
TPRM report: https://www.rankiteo.com/company/the-clorox-company
"id": "the2392423091025",
"linkid": "the-clorox-company",
"type": "Cyber Attack",
"date": "8/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{
  "affected_entities": [
    {
      "industry": "Consumer Goods (Cleaning Products)",
      "location": "Oakland, California, USA",
      "name": "Clorox Company",
      "size": "~8,800 employees (2023)",
      "type": "Public Corporation"
    },
    {
      "customers_affected": "Clorox (primary)",
      "industry": "Outsourced Help Desk/Service Desk",
      "location": "Teaneck, New Jersey, USA (HQ)",
      "name": "Cognizant Technology Solutions",
      "size": "~344,000 employees (2023)",
      "type": "IT Services Provider"
    }
  ],
  "attack_vector": [
    "Phone-based Social Engineering",
    "Help Desk Exploitation",
    "MFA Bypass via Reset"
  ],
  "customer_advisories": [
    "Public statements on supply chain delays",
    "Product availability updates"
  ],
  "date_publicly_disclosed": "2023-08",
  "description": "In August 2023, attackers linked to the Scattered Spider group successfully compromised Clorox by exploiting weak verification processes at Cognizant’s outsourced service desk. Using social engineering tactics (impersonating locked-out employees), they obtained repeated password and MFA resets without proper authentication, gaining domain-admin access. The attack resulted in ~$380 million in damages, including $49 million in remediation costs and hundreds of millions in business-interruption losses. Operational impacts included offline production systems, paused manufacturing, manual order processing, and shipment delays.",
  "impact": {
    "brand_reputation_impact": [
      "Significant (publicized breach)",
      "Supply Chain Trust Erosion"
    ],
    "downtime": [
      "Prolonged (weeks)",
      "Manufacturing Halted",
      "Shipment Delays"
    ],
    "financial_loss": "$380 million (including $49 million in remediation costs)",
    "legal_liabilities": [
      "Lawsuit against Cognizant for contractual violations"
    ],
    "operational_impact": [
      "Manual Order Processing",
      "Supply Chain Disruptions",
      "Depressed Sales Volumes"
    ],
    "revenue_loss": "Hundreds of millions (business-interruption losses)",
    "systems_affected": [
      "Production Systems",
      "Manufacturing Systems",
      "Order Processing Systems",
      "Active Directory"
    ]
  },
  "initial_access_broker": {
    "backdoors_established": [
      "Domain-admin access via lateral movement"
    ],
    "entry_point": "Cognizant Service Desk (phone-based social engineering)",
    "high_value_targets": [
      "Active Directory",
      "Privileged Accounts"
    ],
    "reconnaissance_period": [
      "Pre-attack (names, titles, internal ticket references collected)"
    ]
  },
  "investigation_status": "Ongoing (lawsuit pending)",
  "lessons_learned": [
    "Outsourced help desks with weak verification processes amplify risk due to concentric trust and high-privilege access.",
    "Social engineering exploits human fallibility; scripted calls and pressure tactics bypass procedural controls.",
    "Lack of out-of-band verification and immutable audit trails enables lateral movement from a single compromised identity.",
    "Third-party vendor risks are magnified by process drift, poor QA, and visibility gaps in logging/telemetry.",
    "Contractual SLAs must enforce technical controls (e.g., two-channel verification) and regular audits."
  ],
  "motivation": [
    "Financial Gain",
    "Disruption"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Implemented deterministic caller verification (e.g., Specops Secure Service Desk).",
      "Enhanced logging and SIEM integration for reset actions.",
      "Added approval thresholds for high-risk resets.",
      "Contractual updates to require vendor audits and social-engineering tests.",
      "Red-team exercises to test help desk resilience."
    ],
    "root_causes": [
      "Inadequate caller verification by Cognizant service desk agents (violated contractual procedures).",
      "Lack of out-of-band authentication for credential/MFA resets.",
      "Process drift at vendor due to high call volumes and ambiguous scripts.",
      "Visibility gaps between vendor ticketing systems and Clorox’s SIEM.",
      "Over-reliance on third-party help desk without enforced technical controls."
    ]
  },
  "recommendations": [
    {
      "actions": [
        "Enforce out-of-band verification (callback to company-owned phone, OTP to work email, or cryptographic challenge).",
        "Require approval thresholds for high-risk resets (e.g., MFA, privileged groups).",
        "Implement short-lived elevation and session isolation for remediation tasks.",
        "Log resets to immutable audit trails with agent/caller metadata and integrate with SIEM.",
        "Automate containment (revoke tokens, force re-auth) for anomalous patterns (e.g., same callback number for multiple resets)."
      ],
      "category": "Help Desk Security"
    },
    {
      "actions": [
        "Include technical controls in contracts (e.g., two-channel verification, log retention).",
        "Require annual audits and simulated social-engineering tests with remediation reporting.",
        "Define measurable SLAs for MTTD/MTTR on suspected compromises.",
        "Ensure vendor logs are integrated with customer SIEM/privileged-access telemetry."
      ],
      "category": "Vendor Governance"
    },
    {
      "actions": [
        "Conduct regular red-team phone simulations against internal and vendor help desks.",
        "Track and reduce time from reset to containment as a key metric.",
        "Provide corrective training based on simulation failures."
      ],
      "category": "Training & Testing"
    },
    {
      "actions": [
        "Deploy compliant password policies to block compromised credentials (e.g., Specops Password Policy).",
        "Monitor for patterns like multiple MFA resets in a business unit within minutes."
      ],
      "category": "Active Directory Protection"
    }
  ],
  "references": [
    {"source": "Court filings (Clorox vs. Cognizant)"},
    {"source": "CISA Advisory on Scattered Spider", "url": "https://www.cisa.gov/"},
    {"source": "Specops Software Analysis", "url": "https://specopssoft.com/"},
    {"source": "Verizon Data Breach Investigations Report (DBIR)", "url": "https://www.verizon.com/business/resources/reports/dbir/"}
  ],
  "regulatory_compliance": {
    "legal_actions": [
      "Lawsuit by Clorox against Cognizant for breach of contract"
    ]
  },
  "response": {
    "communication_strategy": [
      "Public Disclosure via Court Filings",
      "Media Statements"
    ],
    "containment_measures": [
      "Isolation of Compromised Accounts",
      "Revocation of Admin Sessions"
    ],
    "enhanced_monitoring": [
      "Anomalous Reset Pattern Detection",
      "Privileged Session Telemetry"
    ],
    "incident_response_plan_activated": true,
    "recovery_measures": [
      "Manual Order Processing Workarounds",
      "Restoration of Production Systems"
    ],
    "remediation_measures": [
      "Enhanced Caller Verification",
      "Contractual Audits with Cognizant",
      "SIEM Integration for Reset Logs"
    ],
    "third_party_assistance": [
      "Forensic Investigators",
      "Legal Counsel (lawsuit against Cognizant)"
    ]
  },
  "stakeholder_advisories": [
    "CISA warnings on Scattered Spider tactics",
    "Vendor risk management guidance"
  ],
  "threat_actor": "Scattered Spider (UNC3944)",
  "title": "Clorox Cyberattack via Social Engineering on Cognizant Service Desk",
  "type": [
    "Social Engineering",
    "Credential Stuffing",
    "Unauthorized Access",
    "Lateral Movement"
  ],
  "vulnerability_exploited": [
    "Weak Caller Verification Processes",
    "Lack of Out-of-Band Authentication",
    "Process Drift in Third-Party Service Desk"
  ]
}