A sophisticated nation-state adversary with advanced capabilities attacked Jumpcloud with a spear phishing attack.
JumpCloud is a US-based zero-trust directory platform that customers use to authenticate, authorize, and manage users, devices, and applications.
On July 12, JumpCloud disclosed that its systems were breached by unknown threat actors targeting a small set of customers on its official page.
The chief information security officer BOB confirmed they took appropriate steps and mitigated the threat on the customers’ side.
Detailed Report:
On June 27 at 15:13 UTC, the team discovered abnormal activity on their internal orchestration system.
Further analysis and investigation of the team revealed that their infrastructure was perpetrated by unauthorized access through a phishing attempt a month ago.
Immediately, they activated their incident response team to investigate all the logs to analyze the threat’s further impact and potential activity.
As they haven’t seen any impact on the customer’s side, however, as a precautionary measure, they rotated credentials and rebuilt infrastructure.
Additionally, They are connected with the law enforcement team with their investigation plan.
On July 5 at 03:35 UTC, they reset and generated new API keys for their customers as they discovered a small set of customers were impacted.
Also, they worked closely with affected customers to fix the threat and mitigate further activity of the APT.
This is a targeted attack where specific customers of Jumpcloud were targeted by the data injection method on its command framework.
“Our strongest line of defense is through information sharing and collaboration to secure their environments against this threat,” said Bob.
The Jumpcloud shared a detailed list of IOCs discovered on its official page. They are working further with government and industry partners to share information about this threat.
Indicator of compromise
SHA256:9151ff77b65eeacd5cdddd13c041db3ad9818fd2aebe05d8745227fac7e516b8
SHA1: 92480e506d51d920fcc1d4dba7206c3185317f61
MD5: 3a9c24c92c221658a8bf9ce61d758e1a
SHA256:4dc71b659c9277c7bb704392f8af5b6b2fbc9a66d3ad80d8cb4df0bd686f0e86
SHA1: cb0e71340f963f7f2f404a0431d82ac809d2b15d
MD5: b8724109e5473b4ca79a13c33b865e32
Source: https://cybersecuritynews.com/jumpcloud-hacked/