Cognizant-Clorox Breach Analysis: Social Engineering and MSP/MSSP Third-Party Risks

Executive Summary

The August 2023 Clorox cyberattack, executed through Cognizant's IT help desk, demonstrates a critical vulnerability in managed service provider (MSP) relationships. Hackers associated with Scattered Spider socially engineered Cognizant help desk agents to reset passwords and multi-factor authentication credentials without proper identity verification, ultimately leading to $380 million in damages for Clorox. This incident highlights how MSP/MSSP relationships can become the weakest link in enterprise security, amplifying risks across entire supply chains.

Key Takeaway: Social engineering attacks targeting MSP help desks are bypassing traditional security controls by exploiting the human element and trust relationships between service providers and their clients.

The Cognizant-Clorox Incident: How It Happened

Attack Timeline and Method

On August 11, 2023, cybercriminals called Cognizant's Service Desk multiple times, pretending to be Clorox representatives requesting password and multi-factor authentication resets. The attack methodology was devastatingly simple:

Primary Attack Vector: At no point during any of the calls did the Agent verify that the caller was in fact Employee 1. At no point did the Agent follow Clorox's credential support procedures—either the pre-2023 procedure or the January 2023 update—before changing the password for the cybercriminal.

Escalation: The threat actors used the same playbook to reset the password and MFA for another employee who worked in IT security, which was done without verification once again. This reportedly gave the attackers privileged access to the network, which they used to spread to further devices.

The Scattered Spider Connection

Researchers have attributed the Clorox attack to Scattered Spider, a notorious hacking collective that has repeatedly struck targets in the retail, insurance and airline industries over the past several months. The group specializes in social-engineering attacks that use techniques like voice phishing to trick IT help desks into giving the hackers credentials and bypassing users' multifactor-authentication protections.

Scattered Spider's Evolution: Scattered Spider and "DragonForce" are increasingly targeting managed service providers (MSPs) and IT contractors, exploiting their "one-to-many" access to breach multiple client networks through a single point of compromise.

Financial and Operational Impact

Immediate Consequences

  • Total Damages: Clorox is seeking $49 million in direct remediation damages and $380 million in total damages
  • Business Disruption: The resulting cyberattack was debilitating. It paralyzed Clorox's corporate network and crippled business operations
  • Manufacturing Impact: Clorox states that Cognizant's actions paralyzed its corporate network, halted manufacturing, and caused widespread product shortages and business interruption

Inadequate Response

Clorox described Cognizant's response and recovery support as overly incompetent, resulting in delays in the application of containment measures, failure to shut down compromised accounts, and sending underqualified personnel on premises.

MSP/MSSP Third-Party Risk Landscape

The Growing Threat

More than half of those that CRA surveyed said their businesses had suffered an IT security incident — either an attack or a breach — related to a third-party partner in the previous 24 months. Among organizations that were affected, 52% said the source of their attack was via a vulnerability exploited in a software vendor.

Supply Chain Complexity: Nearly 8 out of 10 respondents ascribed some degree of complexity to their supply chains, with those at the largest organizations much more likely to describe their supply chains as "very" or "extremely" complex.

Visibility Challenges

More than a third of security professionals (36%) said their organizations had visibility only into Tier One suppliers — in other words, those that directly provide the final product. Just 22% said they had visibility into Tier Two suppliers, and a meager 11% said they had visibility across all tiers, regardless of supply-chain complexity.

MSP Attack Patterns and Tactics

Why MSPs Are Targeted

A common supply chain attack surface is managed service providers (MSPs). These could be providers offering networking, maintenance, or other computing services to an organization. An MSP typically gains deep access to its customers' networks. Attackers can exploit an MSP's weaker security measures and easily spread to its customers' networks.

Historical Context: Cognizant's Previous Breach

The 2023 Clorox incident wasn't Cognizant's first major security failure. In April 2020, Cognizant was hit by the Maze ransomware, an attack that affected a company of close to 300,000 employees and over $15 billion in revenue. As a managed service provider (MSP), Cognizant remotely manages many of its clients' environments to fix issues, install patches, and monitor their security.

Data Exposure: In its data breach notifications, Cognizant warned that sensitive personal information, such as Social Security numbers, tax IDs, financial information, driver's licenses, and passports, may have been stolen.

Social Engineering Attack Evolution

Scattered Spider's Sophisticated Tactics

Scattered Spider threat actors are considered experts in social engineering and use multiple social engineering techniques, especially phishing, push bombing, and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA).

Advanced Reconnaissance: To determine if their activities have been uncovered and maintain persistence, Scattered Spider threat actors often search the victim's Slack, Microsoft Teams, and Microsoft Exchange online for emails or conversations regarding the threat actor's intrusion and any security response.

AI-Enhanced Attacks

These Scattered Spider hackers have targeted organizations across multiple industries, including healthcare; leveraged legitimate, publicly available tools and other malware in their intrusions, including multiple ransomware variants; and have become known for their advanced social engineering techniques, including voice phishing and leveraging artificial intelligence (AI) to spoof victims' voices for obtaining initial access to targeted organizations.

Critical Risk Factors in MSP Relationships

Help Desk Vulnerabilities

The Cognizant-Clorox case demonstrates several critical vulnerabilities:

  1. Inadequate Identity Verification: Cognizant provided the service desk that Clorox employees could contact when they needed password recovery or reset assistance. Cognizant's operation of the Service Desk came with a simple, common-sense requirement: never reset anyone's credentials without properly authenticating them first.
  2. Process Bypass: The Agent further reset Employee 1's MFA credentials multiple times without any identity verification at all. And at no point did the Agent send the required emails to the employee or the employee's manager to alert them of the password reset.
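To show what "properly authenticating them first" looks like as an enforced control rather than a guideline, here is an added example (not Cognizant's or Clorox's code) of a reset-request gate that refuses to change a password or MFA factor until the caller has been verified out of band, throttles repeated MFA resets on one account, and records the employee and manager notifications the procedure requires. The evidence fields, the 30-day window and the recipient names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

@dataclass
class ResetRequest:
    """One help-desk call. The evidence fields are hypothetical; the agent records them."""
    employee_id: str
    reset_type: str                   # "password" or "mfa"
    callback_verified: bool = False   # agent called the phone number already on record
    manager_approved: bool = False    # the employee's manager confirmed the request
    id_proof_checked: bool = False    # an independent identity proof was checked

class HelpDesk:
    MFA_RESET_WINDOW = timedelta(days=30)
    MFA_RESET_LIMIT = 1   # a second MFA reset inside the window goes to security, not the agent

    def __init__(self) -> None:
        self.audit: List[Tuple[str, str, str]] = []      # (employee, reset type, outcome)
        self.notifications: List[Tuple[str, str]] = []   # (recipient, message) emails to send
        self._mfa_resets: Dict[str, List[datetime]] = {}

    def process(self, req: ResetRequest, now: Optional[datetime] = None) -> str:
        """Approve or refuse a reset; credentials never change on the caller's word alone."""
        now = now or datetime.now(timezone.utc)
        # Rule 1: no password or MFA change without out-of-band verification.
        if not req.callback_verified:
            return self._refuse(req, "caller not verified via callback")
        # Rule 2: an MFA reset removes a whole factor, so it needs a second independent check.
        if req.reset_type == "mfa" and not (req.manager_approved or req.id_proof_checked):
            return self._refuse(req, "mfa reset needs manager approval or identity proof")
        # Rule 3: throttle repeated MFA resets on one account instead of granting them again.
        if req.reset_type == "mfa":
            recent = [t for t in self._mfa_resets.get(req.employee_id, [])
                      if now - t < self.MFA_RESET_WINDOW]
            if len(recent) >= self.MFA_RESET_LIMIT:
                return self._refuse(req, "mfa reset limit reached; escalate to security")
            self._mfa_resets[req.employee_id] = recent + [now]
        # Rule 4: the employee and their manager are always told that a reset happened.
        self.notifications.append((req.employee_id, f"{req.reset_type} reset performed on your account"))
        self.notifications.append((f"manager-of-{req.employee_id}", f"{req.reset_type} reset for {req.employee_id}"))
        self.audit.append((req.employee_id, req.reset_type, "approved"))
        return "approved"

    def _refuse(self, req: ResetRequest, reason: str) -> str:
        self.audit.append((req.employee_id, req.reset_type, f"refused: {reason}"))
        return f"refused: {reason}"
```

Every refusal lands in the audit list, so a run of refused calls for one employee is itself a signal the security team can alert on.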

Shared Responsibility Confusion

The shared responsibility model for most "XaaS" models means that even if your vendor is doing everything right, how you manage assets with that vendor can still get you into compliance trouble. For example, your SaaS vendor may be responsible for application security, but you remain accountable for any data or workload misconfigurations or breakdowns in network or endpoint security.

Accountability Issues

Third-party engagements expand your compliance responsibility along with the capabilities or materials that the vendor relationship may bring. Indeed, longstanding research from McKinsey shows financial institutions, in particular, are being held responsible by regulators for the actions of their suppliers.

Ongoing Risk: Gartner reports more than 80% of legal and compliance leaders experience third-party risks cropping up after initial onboarding and due diligence.

Defense Strategies and Best Practices

CISA Recommendations for MSPs

The Cybersecurity and Infrastructure Security Agency (CISA), working with partners worldwide, has issued a new Cybersecurity Advisory (CSA) that describes 12 steps that MSPs can take to safeguard their businesses and end-customer systems.

Key Security Controls:

  1. Multi-Factor Authentication: Customers should ensure that their contractual arrangements mandate the use of MFA on the services and products they receive. Contracts should also require MFA to be enforced on all MSP accounts used to access customer environments.
  2. Network Segregation: Segregate customer data sets (and services, where applicable) from each other—as well as from internal company networks—to limit the impact of a single vector of attack. Do not reuse admin credentials across multiple customers.
  3. Access Controls: Customers should ensure MSP accounts are not assigned to internal administrator groups; instead, restrict MSP accounts to systems managed by the MSP. Grant access and administrative permissions on a need-to-know basis, using the principle of least privilege.

Third-Party Risk Management

Continuous Monitoring: Annual risk assessments of third-party providers used to be good enough, but those days are over.

Vendor Assessment: Vendor breach prevention relies on auditing the data stored with each vendor. Always keep track of the access each vendor has to your systems and any vulnerabilities that may exist through that sharing of data. Consider their readiness for an event, their insurance coverage, security protocols, track record with cyber incidents, financial resources, business continuity plans, and more.

Social Engineering Countermeasures

Conduct Social Engineering Assessments: Regularly test help-desk policies and train employees to recognize and respond to social engineering attacks. These assessments ensure your organization is prepared to detect and neutralize attempts to manipulate human vulnerabilities.

Advanced Authentication: Adopt Risk-Based Authentication: Dynamically adjust access requirements based on user behavior, device, and location. Set policies to flag unusual activity, like logins from unknown locations, to prevent breaches before they escalate.
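The risk-based policy described above, as an added example that is not from the original post: each login is scored against the account's known devices and locations, and a recent help-desk credential reset (the state an impostor is in right after a successful call like the ones in the Clorox case) raises the bar the login must clear. The weights, thresholds, 24-hour window and sample events are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class AccountContext:
    user: str
    known_devices: Set[str] = field(default_factory=set)
    known_countries: Set[str] = field(default_factory=set)
    last_help_desk_reset: Optional[datetime] = None   # most recent password/MFA reset

@dataclass
class LoginEvent:
    user: str
    device_id: str
    country: str
    when: datetime

# Assumed policy: weights and thresholds are illustrative, not a standard.
RESET_SCRUTINY_WINDOW = timedelta(hours=24)
STEP_UP_AT, BLOCK_AT = 2, 5

def assess_login(ctx: AccountContext, ev: LoginEvent) -> Tuple[str, int, List[str]]:
    """Return (decision, risk score, reasons); decision is allow, step_up or block."""
    # A login soon after a help-desk reset is exactly where an impostor lands, so it weighs most.
    signals = [
        (ev.device_id not in ctx.known_devices, 2, "unknown device"),
        (ev.country not in ctx.known_countries, 2, "unknown location"),
        (ctx.last_help_desk_reset is not None
         and ev.when - ctx.last_help_desk_reset < RESET_SCRUTINY_WINDOW, 3, "credential reset within 24h"),
    ]
    score = sum(weight for hit, weight, _ in signals if hit)
    reasons = [why for hit, _, why in signals if hit]
    if score >= BLOCK_AT:
        return "block", score, reasons      # deny and alert the SOC
    if score >= STEP_UP_AT:
        return "step_up", score, reasons    # require proof over a second, verified channel
    return "allow", score, reasons

def triage(contexts: Dict[str, AccountContext], events: List[LoginEvent]) -> List[Tuple[str, str, int, List[str]]]:
    # Run the policy over a batch of logins and return everything not plainly allowed.
    results = [(ev.user,) + assess_login(contexts[ev.user], ev) for ev in events]
    return [r for r in results if r[1] != "allow"]

RESET_TIME = datetime(2023, 8, 11, 12, 0)  # constructed: help desk reset this account at noon, 11 Aug 2023
SAMPLE_CONTEXTS = {"emp1": AccountContext("emp1", {"laptop-1"}, {"US"}, RESET_TIME)}
SAMPLE_EVENTS = [
    LoginEvent("emp1", "laptop-1", "US", RESET_TIME + timedelta(days=2)),   # routine login
    LoginEvent("emp1", "laptop-1", "US", RESET_TIME + timedelta(hours=1)),  # known device, right after reset
    LoginEvent("emp1", "new-dev", "DE", RESET_TIME + timedelta(hours=1)),   # impostor pattern
]
```

Feeding the help desk's reset log into `last_help_desk_reset` is what ties the two controls together: a reset the agent should not have granted still produces a step-up or block at the next login.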

Broader Industry Impact

Supply Chain Attack Growth

According to a report by Statista, supply chain attacks grow 235% year over year. Now more than ever, it is imperative to take the necessary steps to protect your third-party attack surface.

Target Preference: Because of the expansive access to secondary victims offered through third-party breaches, large data servers, cloud services, and SaaS providers are becoming massive targets for vendor breaches.

MSP-Specific Vulnerabilities

Cybercriminals often target smaller vendors that may lack robust cybersecurity measures, using them as entry points to infiltrate larger enterprises. Common attack vectors include compromised software updates, unpatched vulnerabilities, phishing, and social engineering.

Conclusion and Recommendations

The Cognizant-Clorox breach represents a watershed moment in understanding MSP/MSSP third-party risks. The attack succeeded not through sophisticated technical exploits, but by exploiting fundamental weaknesses in human processes and trust relationships.

Critical Actions for Organizations:

  1. Enhanced Help Desk Security: Implement multi-layered identity verification for all credential reset requests
  2. Contractual Clarity: Define clear security responsibilities and incident response procedures in MSP contracts
  3. Continuous Monitoring: Move beyond annual assessments to real-time monitoring of third-party risks
  4. Social Engineering Training: Regular, targeted training for help desk and support personnel
  5. Zero Trust Implementation: Adopt zero-trust principles for all third-party access

The Future Threat Landscape

Scattered Spider is not a one-off campaign. It is a blueprint for a new generation of attackers who understand that access is easier bought or faked than breached. Organizations must recognize that identity has become the new perimeter, and traditional security models built around network defenses are insufficient against sophisticated social engineering attacks.

The $380 million price tag for Clorox serves as a stark reminder that third-party relationships, while essential for business operations, can become the weakest link in an organization's security posture. The key to defense lies not just in technology, but in robust processes, continuous vigilance, and a deep understanding of the human element in cybersecurity.
