News IT provider sued after it simply 'handed the credentials' to hackers — Clorox claims Cognizant gaffe enabled a $380m ransomware attack

[Admin]

IT provider sued after it simply 'handed the credentials' to hackers — Clorox claims Cognizant gaffe enabled a $380m ransomware attack

IT provider sued after it simply 'handed the credentials' to hackers — Clorox claims Cognizant gaffe enabled a $380m ransomware attack : Read more

 

[Vanderlindemedia]

I've seen a DDOS happen, and the individual who was doing it message the site owner. "I can fix it" "I just need the login to your website" ...

 

[ianbalgas]

What could possibly go wrong with outsourcing your IT department to poorly trained, low-wage, nonlocal workers?

 

[SomeoneElse23]

What could possibly go wrong with outsourcing your IT department to poorly trained, low-wage, nonlocal workers?

Isn't that what the whole offshore movement is about?

I don't think corps care.

 

[ingtar33]

What could possibly go wrong with outsourcing your IT department to poorly trained, low-wage, nonlocal workers?

too many CFOs don't see the value in local IT support. they see the IT department as a financial drain with no benifit to making money. Completely ignorant to the fact their whole business depends on computers and if the network goes down their whole business grinds to a halt.

I had one of those at my current employer. thankfully he's gone now but it was miserable working under the old one.

 

[duckoid]

Inside jeetjob obviously.

 

[Thunder64]

Were the passwords stored in plain text? Or did they "eset it to something they then knew?

 

[USAFRet]

Inside jeetjob obviously.

Were the passwords stored in plain text? Or did they "eset it to something they then knew?

Did none of you read the writeup?

One partial call transcript provides evidence of this, with the alleged hacker telling the Cognizant employee, “I don’t have a password, so I can’t connect.” They then replied without hesitation, “Oh, ok. Ok. So, let me provide the password to you, okay?”

There was no 'hack', no 'inside job'.
Simple social engineering.....
"Hi, I'm Fred, from the Winnipeg office. My password doesn't work, and I can't connect."
'OK, here ya go.'

 

[Thunder64]

Did none of you read the writeup?



There was no 'hack', no 'inside job'.
Simple social engineering.....
"Hi, I'm Fred, from the Winnipeg office. My password doesn't work, and I can't connect."
'OK, here ya go.'

But how could he look up said password? Was it not hashed?

 

[USAFRet]

But how could he look up said password? Was it not hashed?

He did not look up anything.
Literally - "“I don’t have a password, so I can’t connect.”

 

[tamalero]

But how could he look up said password? Was it not hashed?

I do not think you understand what the process was.

Hackers posed as Clorox staff
They called the IT company Cognisant or whatever their name was.
cognisant provided via phone one critical password.
And that was all that was needed.
There was no "hacking" as in the process of attacking a table or database.