News IT provider sued after it simply 'handed the credentials' to hackers — Clorox claims Cognizant gaffe enabled a $380m ransomware attack

What could possibly go wrong with outsourcing your IT department to poorly trained, low-wage, nonlocal workers?
Too many CFOs don't see the value in local IT support. They see the IT department as a financial drain with no benefit to making money. Completely ignorant to the fact their whole business depends on computers and if the network goes down their whole business grinds to a halt.

I had one of those at my current employer. Thankfully he's gone now, but it was miserable working under the old one.
 
Inside job, obviously.
Were the passwords stored in plain text? Or did they reset it to something they then knew?

Did none of you read the writeup?

One partial call transcript provides evidence of this, with the alleged hacker telling the Cognizant employee, “I don’t have a password, so I can’t connect.” They then replied without hesitation, “Oh, ok. Ok. So, let me provide the password to you, okay?”

There was no 'hack', no 'inside job'.
Simple social engineering.....
"Hi, I'm Fred, from the Winnipeg office. My password doesn't work, and I can't connect."
'OK, here ya go.'
 
But how could he look up said password? Was it not hashed?
I do not think you understand what the process was.

Hackers posed as Clorox staff
They called the IT company Cognisant or whatever their name was.
Cognisant provided via phone one critical password.
And that was all that was needed.
There was no "hacking" as in the process of attacking a table or database.
 
I do not think you understand what the process was.

Hackers posed as Clorox staff
They called the IT company Cognisant or whatever their name was.
Cognisant provided via phone one critical password.
And that was all that was needed.
There was no "hacking" as in the process of attacking a table or database.

I don't understand and still seem to be missing it. How did Cognizant know the password to begin with? They should only allow a user to reset their password.
 
The 'user' contacted the server admins at Cognizant and said "Give me a password".
Cognizant said 'OK, here ya go.'

He was not an existing 'user'.

Well that's just beyond stupid. Who the hell hires idiots like that?

So somebody uses LinkedIn and says they're now part of Bob's team and can't get into their account? The wonders of outsourcing.
 
It's stupid that more companies don't bring a large percent of their IT needs in-house.

Clorox certainly didn't deserve it, but they were definitely asking for it. The problem, though, is that since Clorox can simply point the finger at a third party to blame, they will continue on with their mindset that outsourcing is a good idea.
 
Were the passwords stored in plain text? Or did they reset it to something they then knew?
Typically MSPs like Cognizant will have access to the group passwords. But even if not, an admin can reset and create a new password at any time. Takes a few seconds to do so.

And Cognizant is going to have a dozen clients that a single person responds to at any time.
 
It's stupid that more companies don't bring a large percent of their IT needs in-house.

Clorox certainly didn't deserve it, but they were definitely asking for it. The problem, though, is that since Clorox can simply point the finger at a third party to blame, they will continue on with their mindset that outsourcing is a good idea.
Agreed with another commenter that many companies regard IT as just another expense and they cut corners until crap hits the fan. This happened to me when a cyberattack hit my company, which affected us for a few months because of lax procedures and not hiring enough IT security people.
 
Here's what Clorox was thinking before this:

Password resets are the majority of helpdesk calls and a user calling in for this is a bit embarrassed in the first place. Making them jump through extra hoops rubs salt in the wound and since it's such a simple procedure it should be outsourced to the cheapest bidder and performed in the fastest, least friction way possible.
 
Here's what Clorox was thinking before this:

Password resets are the majority of helpdesk calls and a user calling in for this is a bit embarrassed in the first place. Making them jump through extra hoops rubs salt in the wound and since it's such a simple procedure it should be outsourced to the cheapest bidder and performed in the fastest, least friction way possible.
Many companies outsource their level 1 and level 2 help desk, which is mostly fine because they usually don't have administrative access to the servers. However, if some company outsources the level 3 techs who usually have administrative access (like what these guys did), you are at your own peril, because if the company doesn't vet them out, they can cause the potential damage.
 
What could possibly go wrong with outsourcing your IT department to poorly trained, low-wage, nonlocal workers?
They just follow a play book.

if user request A, give A.
if user request B, give B.
if user request ABAB, "Sir not in playbook", Escalate to level 2.

There is zero thinking involved.

Source: I work with some of these workers.
 
Many companies outsource their level 1 and level 2 help desk, which is mostly fine because they usually don't have administrative access to the servers. However, if some company outsources the level 3 techs who usually have administrative access (like what these guys did), you are at your own peril, because if the company doesn't vet them out, they can cause the potential damage.
Level 1s can usually reset a password/MFA and that's all a hacker needs to get a foot in the door.
 