From helpdesk to havoc: Why Clorox is suing Indian company for $380 million

In a San Francisco courtroom, the Clorox Company recently dropped a legal bombshell – a $380 million lawsuit against Indian-American information technology company Cognizant, alleging gross negligence in a 2023 cyberattack.

In the complaint dated July 22, 2025, Clorox contends a hacker simply called Cognizant’s helpdesk, lied about being an employee and was handed network credentials – no identity verification, no oversight, just a password transfer. The resulting cyberattack ended up paralyzing Clorox’s operations, costing upwards of $49 million in remediation and much more in lost business.

Offshoring ecosystem under the microscope

Cognizant, though officially headquartered in New Jersey, was founded in Chennai, India in 1994, and now employs over 250,000 people across India, providing everything from software development to helpdesk services for global corporations. Industry analysts have warned that shifting U.S. companies’ sensitive customer data offshore exposes Americans to significant privacy risks. India lacks comprehensive data privacy laws or an enforcement body like the Federal Trade Commission.

While offshoring offers cheap labor and scalability, it also creates layers of separation between U.S.-based clients and the employees handling their data. Those layers can conceal critical weaknesses.

Clorox case: A failed firewall

In Clorox’s telling, the hacker didn’t crack advanced encryption or “spear-phish” executives. He just called Cognizant on the phone and lied about who and what he was. That was enough. Cognizant agents reset the account, handed over passwords and reopened Clorox’s VPN access without a single identity check. Agents reportedly said phrases like: “Here’s the password … Welcome …”

Cognizant disputes the claim, saying its contract with Clorox, dating back to 2013, covered only helpdesk tasks, not broader cybersecurity responsibilities. Cognizant characterized Clorox’s own defenses as “inept,” calling the attack partly Clorox’s fault.

In search of riches, hackers plant 4G-enabled Raspberry Pi in bank network

Hackers planted a Raspberry Pi equipped with a 4G modem in the network of an unnamed bank in an attempt to siphon money out of the financial institution’s ATM system, researchers reported Wednesday.

The researchers with security firm Group-IB said the “unprecedented tactic allowed the attackers to bypass perimeter defenses entirely.” The hackers combined the physical intrusion with remote access malware that used another novel technique to conceal itself, even from sophisticated forensic tools. The technique, known as a Linux bind mount, is used in IT administration but had not previously been seen in use by threat actors. The trick allowed the malware to operate similarly to a rootkit, which uses advanced techniques to hide itself from the operating system it runs on.
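As an added defender-side illustration of the bind-mount hiding trick described above (this is not code from Group-IB or from the original article): on a Linux host, /proc/self/mountinfo lists every mount, so an entry whose mount point is /proc/<pid> and whose filesystem is not procfs means a process directory has been covered over, which is what makes the process vanish from ps and similar tools. The mountinfo lines below are constructed for the example.

```python
import re

# Constructed sample of /proc/self/mountinfo (not taken from the Group-IB report).
# Field layout per line:
#   mount_id parent_id major:minor root mount_point options ... - fstype source superopts
# The last two lines are subdirectories bind-mounted over /proc/<pid>, the kind
# of entry the process-hiding trick leaves behind.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
28 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
45 28 0:25 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
60 22 0:30 / /proc/sys/fs/binfmt_misc rw,relatime - binfmt_misc binfmt_misc rw
97 22 0:25 /hide /proc/4821 rw,nosuid,nodev - tmpfs tmpfs rw
98 22 8:1 /var/empty /proc/4822 rw,relatime - ext4 /dev/sda1 rw
"""

# Mount points of the form /proc/<pid> or /proc/<pid>/...
PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")


def _unescape(field):
    # mountinfo encodes space, tab, newline and backslash as octal escapes.
    return (field.replace("\\040", " ").replace("\\011", "\t")
                 .replace("\\012", "\n").replace("\\134", "\\"))


def parse_mountinfo(text):
    """Parse mountinfo text into dicts holding the fields needed for triage."""
    entries = []
    for line in text.splitlines():
        # Optional fields end at the " - " separator; fstype and source follow it.
        pre, sep, post = line.partition(" - ")
        pre_fields, post_fields = pre.split(), post.split()
        if not sep or len(pre_fields) < 6 or len(post_fields) < 2:
            continue  # blank or malformed line: skip rather than abort a triage run
        entries.append({
            "mount_id": int(pre_fields[0]),
            "parent_id": int(pre_fields[1]),
            "root": _unescape(pre_fields[3]),
            "mount_point": _unescape(pre_fields[4]),
            "fstype": post_fields[0],
            "source": _unescape(post_fields[1]),
        })
    return entries


def find_proc_overmounts(entries):
    """Return mounts sitting on top of a /proc/<pid> directory.

    procfs at /proc and well-known sub-mounts such as binfmt_misc are normal;
    a filesystem mounted over a process directory is not, and it hides that
    PID from anything that lists /proc (ps, top, ls), so flag it for review."""
    findings = []
    for e in entries:
        m = PROC_PID_RE.match(e["mount_point"])
        if m and e["fstype"] != "proc":
            findings.append({"pid": int(m.group(1)), "mount_point": e["mount_point"],
                             "fstype": e["fstype"], "source": e["source"],
                             "root": e["root"]})
    return findings


def scan_live_system(path="/proc/self/mountinfo"):
    """Run the same check against the real mount table of a Linux host."""
    with open(path) as fh:
        return find_proc_overmounts(parse_mountinfo(fh.read()))
```

On the sample, the check reports PIDs 4821 and 4822 as hidden; run against a live host, a hit is a reason to image the disk rather than trust in-system tooling, as the report advises.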

End goal: Backdooring the ATM switching network

The Raspberry Pi was connected to the same network switch used by the bank’s ATM system, a position that effectively put it inside the bank’s internal network. The goal was to compromise the ATM switching server and use that control to manipulate the bank’s hardware security module, a tamper-resistant physical device used to store secrets such as credentials and digital signatures and run encryption and decryption functions.

The group behind the attack is tracked in the industry under the name UNC2891. The financially motivated threat group has been active since at least 2017 in targeting the infrastructures of banks. It has earned a well-deserved reputation for proficiency in its use of custom malware in attacks targeting Linux, Unix, and Oracle Solaris systems.

In 2022, Google’s Mandiant division said it had observed UNC2891 spending years inside a targeted network, during which time the intrusion went largely unnoticed. Mandiant researchers went on to identify CakeTap, a custom rootkit for Solaris systems. Among other things, CakeTap manipulated messages passing through an infected ATM switching network, most likely for use in unauthorized cash withdrawals using fraudulent bank cards. Mandiant documented two other custom pieces of malware, which the company named SlapStick and TinyShell.

Group-IB’s report on Wednesday shows that UNC2891 is still active and finding new and advanced ways to burrow into bank networks without detection.

“One of the most unusual elements of this case was the attacker’s use of physical access to install a Raspberry Pi device,” Group-IB Senior Digital Forensics and Incident Response Specialist Nam Le Phuong wrote. “This device was connected directly to the same network switch as the ATM, effectively placing it inside the bank’s internal network. The Raspberry Pi was equipped with a 4G modem, allowing remote access over mobile data.”

To maintain persistence, UNC2891 also compromised a mail server because it had constant Internet connectivity. The Raspberry Pi and the mail server backdoor would then communicate by using the bank’s monitoring server as an intermediary. The monitoring server was chosen because it had access to almost every server within the data center.

Did Microsoft Hand China Front Row Access to the Pentagon?

Let’s set the stage: Imagine Fort Knox, doors flung wide open, while a tour group from the Chinese Communist Party strolls through the vault with full access badges. Ridiculous? Sure. But swap out gold for data, and you’re not far off from what just happened with Microsoft, China-based engineers, and — wait for it — the U.S. military.

According to reports, we now know that Microsoft, the federal government’s longtime tech golden child, may have handed China a backstage pass to America’s most sensitive defense systems. Not through hacking or espionage — but through corporate hubris, off-the-books programming, and a terrifying lack of oversight.

A dangerous Microsoft initiative allowed China-based engineers working for Microsoft access to elements of the software powering our military’s digital infrastructure. And just to really spice things up, this may not have been properly disclosed to the Department of Defense.

In response, Senator Tom Cotton (R-AR) fired off a letter demanding answers. He wants to know what kind of access those engineers had, what vetting (if any) was done, and how a critical contractor failed to flag a program that sounds like it was cooked up in a spy novel.

This isn’t about paranoia — it’s about pattern recognition. China has been engaged in digital warfare against the West for years. From the OPM breach to targeting our infrastructure and tech companies with AI-driven cyberattacks, they’ve made it clear: they want our secrets, our systems, and ultimately, control of the digital battlefield.

And what have we done in response? We’ve outsourced vital software development to a tech company that couldn’t be bothered to mention Chinese nationals working on Defense Department tools.

Let that sink in.

Even worse, this comes amid a staggering spike in Microsoft vulnerabilities. The company’s systems have been peppered with Common Vulnerabilities and Exposures (CVEs) — some of them so severe they allow unauthorized access with a single email. One CVE error allowed attackers to exploit Outlook without user interaction. Just receiving the message triggered it. No click, no download — just a digital grenade in your inbox.

If you think a foreign adversary wouldn’t weaponize those kinds of flaws, bless your heart. But the rest of us should be alarmed that these exploits — paired with offshored engineering — could mean that China didn’t need to break into the Pentagon’s systems. They may have simply been invited in.

This crisis underscores a larger failure: our total underestimation of endpoint security. In a world where cyberattacks can be launched from an internet café or a basement across the globe, the last line of defense isn’t just software firewalls — it’s every connected device in the network. And right now, that defense is leaking like a sieve.

Hackers breach intelligence website used by CIA

Unidentified hackers recently compromised a major intelligence website used by the CIA and other agencies to submit details of sensitive contracts, according to the National Reconnaissance Office, the spy satellite service that runs the site.

The breach targeted proprietary intellectual property and personal information submitted on the Acquisition Research Center website in support of several innovative CIA spying programs.

In addition to the intelligence website hack, Microsoft revealed this week that Chinese state hackers compromised the Department of Energy’s National Nuclear Security Administration, a central nuclear weapons agency.

A National Reconnaissance Office spokesman told The Washington Times: “We can confirm that an incident involving our unclassified Acquisition Research Center website is currently being investigated by federal law enforcement. We do not comment on ongoing investigations.”

The extent of the breach is not fully known, but people familiar with the activity said hackers likely obtained information on key technologies for CIA operations.

Other potential areas of compromise could include the Space Force, its efforts to build surveillance satellites and space weapons, and the Golden Dome missile defense program.

Data from one highly sensitive program, Digital Hammer, was compromised, said people familiar with the hacking.

Digital Hammer compiles cutting-edge technologies for human intelligence gathering, surveillance and counterintelligence operations. The program focuses on the threat of Chinese intelligence and information operations.

Tea App Leak Shows Why UK’s Digital ID Age Verification Laws are Dangerous

The UK’s Online “Safety” Act, legislation marketed as a safety net for children, was rolled out with all the foresight of a toddler launching a space program. Now, any site hosting “potentially harmful” content could be required to collect real-world ID, face scans, or official documents from users.

What could go wrong? Ask Tea, the women-centric dating gossip app that went viral by promising empowerment, then faceplanted into one of the most dangerous data breaches of the year. Their Firebase server, housing tens of thousands of selfies and government-issued IDs, was left wide open to anyone with a link.

This is the real-world consequence of lawmakers selling digital ID mandates as a solution to online harm: private companies getting access to sensitive personal data with all the discretion of a parade float, and then dropping it into the laps of the entire internet.

Let’s pause for a moment and appreciate the cosmic genius it takes to build an app allegedly designed to protect women, and then expose all of their private data to the world with the finesse of a first-time hacker copying a URL.

Tea, the dating app, rocketed to the top of the App Store by selling anonymity, safety, and empowerment, then face-planted into the Firebase server floor, spraying driver’s licenses and selfies like a busted confetti cannon.

Will An Iran Cyber Attack Panic Usher In A New Patriot Act?

In a 2007 interview, retired General Wesley Clark revealed that the Pentagon had a plan to “take out seven countries in five years”—Iraq, Syria, Lebanon, Libya, Somalia, Sudan, and Iran. Over the following two decades, the first six were bombed, destabilized, or collapsed into civil war. Only Iran remains standing—resistant to Western central banking, culturally hostile to global usury, and guarding some of the world’s most ancient archeological sites.

Now, major media outlets such as Fox News and the Independent warn of a looming cyberwar, and we’re told to brace for a potential Iranian cyberattack on the US or its allies, aimed at critical infrastructure such as power and water systems. But rather than ask how to defend against it, we should ask something more: Is Iran really the culprit? Or is it the designated scapegoat for an event designed to advance elite control both abroad and at home?

Recent history provides a clear pattern: When crises erupt, state and corporate power rapidly consolidate. After 9/11, the US government ushered in the Patriot Act, warrantless surveillance, and indefinite detention, all in the name of security. The 2008 financial collapse delivered historic bank bailouts and accelerated economic consolidation. In 2020, the covid pandemic normalized lockdowns, QR-code health passes, and calls for digital identity systems tied to medical records. In the wake of the Capitol riot, proposals exploded for increased censorship, AI-powered surveillance, and policing of online speech. As the author Naomi Klein outlined in her seminal work, The Shock Doctrine, elites routinely exploit crises to fast-track policies that populations would otherwise reject.

The current cyber panic fits the mold. If a catastrophic digital event were to hit—disabling hospitals, banks, or energy systems—the solution being quietly preloaded into public discourse is the rollout of global “Digital ID” infrastructure. The World Economic Forum has explicitly highlighted how global digital IDs for people and objects are essential for trade digitization and establishing a global digital economy. In its Digital Identity Blueprint, the WEF outlines a framework linking online activity, financial services, travel permissions, and even behavioral data to a single identity. But what’s sold as “security” is, in fact, the foundation of a technocratic control grid.

If implemented, Digital ID would function as a master key to everything: your money, health records, online access, and even your ability to travel. In time, it could merge with carbon quotas and social credit scoring systems like those piloted in China. An algorithm, not a constitution, would govern your rights. One wrong opinion, and you risk being shut out of society, not by police, but by code. In a world where social media mobs enforce ideological purity, public humiliation becomes the new policing mechanism. You self-censor, you self-surveil, and eventually, you self-govern—on someone else’s terms.

But there’s a core problem with the “Iran did it” cyberattack narrative: Iran lacks the capability. Iran’s cyber warfare infrastructure is far less sophisticated than that of the US, Israel, Russia, or China. The Harvard Belfer Center’s National Cyber Power Index places Iran low in its global rankings. While Iran may be able to execute nuisance-level hacks, it is not in a position to disable critical US infrastructure. So if a major cyberattack does occur, blaming Iran may serve a political purpose—not reflect reality.

China-Linked Hackers Breach US Nuclear Weapons Agency In Sophisticated Operation

The National Nuclear Security Administration (NNSA) has been hit by a sophisticated cyberattack that exploited a previously unknown vulnerability in Microsoft SharePoint, in what is being widely described as one of the most serious breaches of US defense infrastructure this year. Fingers in the West are pointing to Beijing.

Hackers believed to be linked to the Chinese government used a zero-day exploit targeting on-premises versions of SharePoint to infiltrate over 50 organizations, including the agency responsible for the Navy’s nuclear submarine reactors. China is vehemently denying the charge.

The NNSA oversees both the production of nuclear reactors for submarines and the maintenance of the US nuclear arsenal. Cybersecurity experts describe the intrusion as an advanced remote code execution (RCE) attack.

The vulnerability reportedly affected SharePoint Server 2019 and the Subscription Edition, allowing attackers to bypass security protocols and execute arbitrary commands on targeted systems, as described by Bloomberg.

The US Department of Energy is well-known to use Microsoft 365 cloud systems for a lot of its SharePoint work. “The department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems,” a Department of Energy spokesperson conveyed in a statement to Bloomberg. “A very small number of systems were impacted. All impacted systems are being restored.”

It’s believed the hackers were able to gain unauthorized access, steal data, collect login credentials, and potentially move deeper into connected networks; however, the Department of Energy has claimed no classified or sensitive nuclear data was compromised in the breach.

Microsoft knew of SharePoint server exploit but failed to effectively patch it

A security patch released by Microsoft (MSFT.O) last month failed to fully fix a critical flaw in the U.S. tech giant’s SharePoint server software that had been identified in May, opening the door to a sweeping global cyber espionage operation.

It remains unclear who is behind the ongoing operation, which targeted around 100 organisations over the weekend. But Alphabet’s (GOOGL.O) Google, which has visibility into wide swathes of internet traffic, said it tied at least some of the hacks to a “China-nexus threat actor”.

The Chinese Embassy in Washington did not respond to a Reuters request for comment. Chinese government-linked operatives are regularly implicated in cyberattacks, but Beijing routinely denies carrying out hacking operations.

Contacted on Tuesday, Microsoft was not immediately able to provide comment on the patch and its effectiveness.

The vulnerability that facilitated the attack was first identified in May at a hacking competition in Berlin organised by cybersecurity firm Trend Micro (4704.T), which offered cash bounties for the discovery of computer bugs in popular software.

It offered a $100,000 prize for “zero day” exploits – so called because they leverage previously undisclosed digital weaknesses – that could be used against SharePoint, Microsoft’s flagship document management and collaboration platform.

A researcher working for the cybersecurity arm of Viettel, a telecommunications firm operated by Vietnam’s military, identified a SharePoint bug at the event, dubbed it ‘ToolShell’ and demonstrated a method of exploiting it.

The researcher was awarded $100,000 for the discovery, according to a post on X by Trend Micro’s “Zero Day Initiative”. A spokesperson for Trend Micro did not immediately respond to Reuters’ requests for comment regarding the competition on Tuesday.

Microsoft subsequently said in a July 8 security update that it had identified the bug, listed it as a critical vulnerability, and released patches to fix it.

Report: Microsoft’s Chinese Engineers Access Pentagon Systems with Minimal Oversight from ‘Digital Escorts’

Microsoft is using engineers in China to help maintain the Defense Department’s computer systems — with minimal supervision by U.S. personnel — leaving some of the nation’s most sensitive data vulnerable to hacking from its leading cyber adversary, a ProPublica investigation has found.

A ProPublica investigation has uncovered that Microsoft is relying on engineers based in China to help maintain sensitive computer systems for the U.S. Department of Defense, with only minimal oversight from U.S. personnel. This arrangement, which Microsoft deems critical to winning the Pentagon’s cloud computing business, could potentially expose some of the country’s most sensitive data to espionage and hacking by China.

The system relies on U.S. workers with security clearances, known as “digital escorts,” to supervise the Chinese engineers and serve as a firewall against malicious activities. However, ProPublica found that these escorts often lack the advanced technical skills needed to effectively monitor the foreign workers, who possess far greater coding expertise. Some escorts are ex-military with little software engineering experience, earning barely above minimum wage.

Google finds custom backdoor being installed on SonicWall network devices

Researchers from the Google Threat Intelligence Group said that hackers are compromising SonicWall Secure Mobile Access (SMA) appliances, which sit at the edge of enterprise networks and manage and secure access by mobile devices.

The targeted devices are end of life, meaning they no longer receive regular updates for stability and security. Despite that status, many organizations continue to rely on them. That has left them prime targets for UNC6148, the name Google has given to the unknown hacking group.

“GTIG recommends that all organizations with SMA appliances perform analysis to determine if they have been compromised,” a report published Wednesday said, using the abbreviation for Google Threat Intelligence Group. “Organizations should acquire disk images for forensic analysis to avoid interference from the rootkit anti-forensic capabilities. Organizations may need to engage with SonicWall to capture disk images from physical appliances.”

Lacking specifics

Many key details remain unknown. For one thing, the attacks are exploiting leaked local administrator credentials on the targeted devices, and so far no one knows how those credentials were obtained. Nor is it known what vulnerabilities UNC6148 is exploiting, or precisely what the attackers are doing after they take control of a device.

The lack of details is largely a result of how Overstep, the custom backdoor malware UNC6148 installs after the initial compromise of a device, functions. Overstep allows the attackers to selectively remove log entries, a technique that is hindering forensic investigation. Wednesday’s report also posits that the attackers may be armed with a zero-day exploit, meaning one that targets a vulnerability that is currently publicly unknown. Possible vulnerabilities UNC6148 may be exploiting include:

  • CVE-2021-20038: An unauthenticated remote code execution made possible by a memory corruption vulnerability.
  • CVE-2024-38475: An unauthenticated path traversal vulnerability in Apache HTTP Server, which is present in the SMA 100. It can be exploited to extract two separate SQLite databases that store user account credentials, session tokens, and seed values for generating one-time passwords.
  • CVE-2021-20035: An authenticated remote code execution vulnerability. Security firm Arctic Wolf and SonicWall reported in April that this vulnerability was under active exploitation.
  • CVE-2021-20039: An authenticated remote code execution vulnerability. There have been reports that this vulnerability was under active exploitation to install ransomware in 2024.
  • CVE-2025-32819: An authenticated file deletion vulnerability that can be exploited to make a targeted device reset its built-in administrator credentials, allowing attackers to gain administrator access.
