Bivash Nayak
23 Jul

In a concerning escalation of cyber threats, ransomware gangs are increasingly exploiting Remote Monitoring and Management (RMM) tools to infiltrate and compromise organizations, enabling stealthy persistence, lateral movement, and data exfiltration. This tactic, highlighted in recent investigations by Cato CTRL on July 22, 2025, mirrors broader trends where legitimate IT tools are weaponized for malicious ends. In a related development, cleaning products giant Clorox has filed a $380 million lawsuit against IT provider Cognizant, alleging that help desk staff inadvertently handed over employee passwords to hackers during a 2023 cyberattack, underscoring vulnerabilities in outsourced IT support. Both issues highlight the risks of trusted tools and services becoming entry points for sophisticated attacks, urging organizations to bolster security protocols.

Ransomware Exploitation of RMM Tools

RMM tools, designed for IT teams to manage remote devices efficiently, have become a favored vector for ransomware operators due to their inherent trust and powerful capabilities. Cato CTRL's threat research, based on incidents from late 2024 to early 2025, revealed how groups like Hunters International, Medusa, and unidentified actors abused tools such as AnyDesk, ScreenConnect, and SimpleHelp in real-world attacks on U.S. and U.K. organizations in manufacturing, construction, and non-profit sectors. Key observations include:

  • Initial Access and Persistence: Attackers install RMM tools post-initial compromise (e.g., via phishing or exploits) to maintain long-term access, often for weeks or months before deploying ransomware. For instance, Hunters International used AnyDesk and ScreenConnect in a Q3 2024 attack on a U.K. manufacturer.
  • Lateral Movement and Exfiltration: Tools like SimpleHelp enabled reconnaissance with Bloodhound and data theft before encryption, as seen in a Q1 2025 non-profit breach. Medusa leveraged ScreenConnect for similar tactics in a Q4 2024 construction firm attack.
  • Evasion Techniques: RMMs blend with legitimate traffic, complicating detection; attackers rotate tools to avoid signatures.

CISA's #StopRansomware advisory on Interlock ransomware also notes RMM abuse for initial access and persistence. Earlier incidents, like DragonForce exploiting SimpleHelp in May 2025 to target MSP clients, further illustrate this trend.

Clorox's Lawsuit Against Cognizant: A Password-Sharing Fiasco

In a stark example of human error enabling breaches, Clorox filed a lawsuit on July 22, 2025, in California federal court against Cognizant, claiming the IT provider's help desk staff provided hackers with employee passwords without proper verification, facilitating a devastating 2023 cyberattack by the Scattered Spider group. The attack disrupted operations, causing product shortages and $380 million in damages, including $50 million in remediation costs. Details from the lawsuit:

  • Incident Mechanics: Hackers, posing as employees, called Cognizant's help desk and requested password resets. Agents complied without verifying identities, granting access to Clorox's network. Transcripts show agents volunteering passwords after simple requests.
  • Negligence Allegations: Clorox accuses Cognizant of failing to enforce password-reset protocols, neglecting multi-factor authentication, and ignoring security best practices.
  • Broader Context: The breach, attributed to Scattered Spider, involved no advanced techniques, just social engineering, highlighting risks in outsourced IT services.

This lawsuit ties into the RMM theme, as both involve misuse of trusted IT management processes for unauthorized access.

Implications: Heightened Risks in IT Management and Outsourcing

These developments amplify concerns over the dual-use nature of RMM tools and outsourced support, where legitimate access mechanisms become attack vectors. Ransomware attacks rose 3% in 2024, with 2025 projections indicating further growth, driven by tools like RMMs enabling efficient, evasive operations. For organizations, this means potential data breaches, operational downtime, and financial losses, as seen in Clorox's case. The Clorox incident also raises questions about vendor accountability in cybersecurity, potentially influencing future contracts and regulations.

Defenses: Strengthening IT Tools and Support Protocols

To counter these threats:

  • RMM Monitoring: Implement behavioral analytics and IPS signatures for anomalous RMM activity; restrict tool usage to whitelisted scenarios.
  • Vendor Oversight: Enforce strict verification in outsourced help desks; mandate MFA and regular audits.
  • General Best Practices: Use EDR tools, network segmentation, employee training on social engineering, and immutable backups.
  • Incident Response: Follow CISA's #StopRansomware guidelines for rapid detection and recovery.
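One way to operationalize the RMM monitoring item above, and the tool-rotation behavior noted in the Cato CTRL observations, is a small allowlist-based detector run over process-execution telemetry. The following is an added example written for this post, not code from Cato CTRL, CISA, or any RMM vendor. The binary-to-product mapping, the approval table, the suspicious-parent list, the seven-day rotation window, and the log lines are all constructed assumptions for illustration; in practice the allowlist and binary names come from your own software inventory and change-management records.

```python
"""Allowlist-based detection of anomalous RMM tool activity over process events.

Added example, not from the original post. Everything in the tables below is an
assumption for illustration: populate RMM_PROCESSES and APPROVED from your own
inventory and change records before using this logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping of lower-cased process names to the RMM product they belong to.
RMM_PROCESSES = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "remote access.exe": "SimpleHelp",
}

# Constructed approval table: (host, product) pairs sanctioned by change management.
APPROVED = {
    ("it-jump01", "ScreenConnect"),
    ("it-jump01", "AnyDesk"),
}

# User-facing parents from which an RMM launch is unexpected (typical phishing chain).
SUSPICIOUS_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "msedge.exe", "chrome.exe"}

# Two distinct RMM products on one host inside this window is treated as tool rotation.
ROTATION_WINDOW = timedelta(days=7)

# Constructed sample events in the form "timestamp|host|user|process|parent".
SAMPLE_EVENTS = [
    "2025-01-10T09:00:00|IT-JUMP01|svc_it|ScreenConnect.ClientService.exe|services.exe",
    "2025-01-11T14:22:00|FIN-WS17|jdoe|AnyDesk.exe|outlook.exe",
    "2025-01-14T02:05:00|FIN-WS17|jdoe|Remote Access.exe|cmd.exe",
    "2025-01-12T11:00:00|HR-WS03|asmith|chrome.exe|explorer.exe",
]


def parse_event(line):
    """Parse one pipe-delimited record (constructed format) into a dict."""
    ts, host, user, proc, parent = line.split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host.lower(),
        "user": user,
        "process": proc.lower(),
        "parent": parent.lower(),
    }


def detect_rmm_abuse(lines):
    """Return a list of (alert_type, host, detail) tuples for RMM activity
    that is unapproved, launched from a user-facing app, or shows rotation."""
    alerts = []
    tools_per_host = defaultdict(list)  # host -> [(timestamp, product)]
    for line in lines:
        ev = parse_event(line)
        product = RMM_PROCESSES.get(ev["process"])
        if product is None:
            continue  # not an RMM binary we track
        if (ev["host"], product) not in APPROVED:
            alerts.append(("unapproved_rmm", ev["host"], product))
        if ev["parent"] in SUSPICIOUS_PARENTS:
            alerts.append(("rmm_from_user_app", ev["host"], product))
        tools_per_host[ev["host"]].append((ev["ts"], product))

    # Rotation check: more than one distinct product on a host within the window.
    for host, seen in tools_per_host.items():
        seen.sort()
        for ts, _product in seen:
            in_window = {p for t, p in seen if ts <= t <= ts + ROTATION_WINDOW}
            if len(in_window) > 1:
                alerts.append(("rmm_rotation", host, tuple(sorted(in_window))))
                break  # one rotation alert per host is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_rmm_abuse(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample, the approved jump host produces nothing, while the finance workstation raises an unapproved-tool alert for AnyDesk launched from Outlook, a second unapproved alert for the SimpleHelp client three days later, and one rotation alert covering both. The same three checks map directly onto EDR process-creation telemetry; the main tuning knobs are the approval table (which should be as narrow as the "whitelisted scenarios" in the bullet above) and the rotation window.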

As cyber threats evolve, organizations must treat IT tools and vendors as potential weak links, prioritizing proactive security to mitigate these risks. For the latest advisories, consult CISA and vendor resources.
