JumpCloud says 'nation state' gang hit some customers
Enough to make you hopping mad
Updated: JumpCloud says a "sophisticated nation-state" attacker broke into its IT systems and targeted some of its customers.
The identity and access management provider, particularly popular with sysadmins wrangling Macs on corporate networks, said it first discovered signs of an intrusion on June 27. The biz at the time determined persons unknown got "unauthorized access to a specific area of our infrastructure" using a "sophisticated spear-phishing campaign" that began five days prior.
JumpCloud, again at that time, didn't have any evidence that customer data or accounts were affected, and to be safe rotated its credentials, rebuilt the compromised infrastructure, and "took a number of other actions to further secure our network and perimeter," CISO Bob Phan penned in a postmortem this month.
The company also hired an incident response firm and called in law enforcement to assist with its investigation of the intrusion, Phan said. Then JumpCloud got the bad news.
At 0335 UTC on July 5, the biz spotted "unusual activity in the commands framework for a small set of customers," Phan wrote. In response, it performed forced rotation of all admin API keys 20 hours later and began working with affected customers.
"Continued analysis uncovered the attack vector: data injection into our commands framework," according to the writeup. "The analysis also confirmed suspicions that the attack was extremely targeted and limited to specific customers." This is hardly reassuring, since it indicates a highly focussed attack crew.
JumpCloud did not respond to The Register's questions about the snafu, including what kinds of customers were targeted and how many of them were affected, what data was accessed in the attack, who was responsible for the break-in, and what the miscreants' motivation appeared to be.
A spokesperson instead sent the following statement:
JumpCloud recently experienced a cybersecurity incident that impacted a small and specific set of our customers. Upon detecting the incident, we immediately took action based on our incident response plan to mitigate the threat, secure our network and perimeter, communicate with our customers, and engage law enforcement.
As always, our entire JumpCloud team remains vigilant about new and emerging threats, and we are confident in our robust security controls and people.
In addition to the incident report, JumpCloud also published indicators of compromise (IOCs) that it observed. It says it will update the list, which includes IP addresses, domain names, and cryptographic hashes of stuff that the attackers used, if it finds further evidence.
The JumpCloud security breach follows a series of other high-profile attacks by nation-state sponsored gangs including a Zimbra email bug under exploit, likely by Russian spies, and an alleged China-based group's attack on Microsoft's hosted email services. ®
Updated to add on July 20
It's understood North Korean government miscreants broke into JumpCloud and targeted cryptocurrency customers in a bid to steal their digital assets.
Austin Larsen, a senior incident response consultant at Google-owned Mandiant, told us it is assisting an organization affected by the cyber-attack:
Mandiant is currently working with a downstream victim that was compromised as a result of JumpCloud intrusion.
Based on our initial analysis, Mandiant assesses with high confidence that this is a cryptocurrency-focused element within the DPRK's Reconnaissance General Bureau (RGB), targeting companies with cryptocurrency verticals to obtain credentials and reconnaissance data.
This is a financially motivated threat actor that we’ve seen increasingly target the cryptocurrency industry and various blockchain platforms. The blending and sharing of DPRK’s cyber infrastructure makes attribution oftentimes difficult, however targeting remains consistent and we anticipate there are other victims that are dealing with this.
Mandiant has promised more details next week. Crowdstrike is working with JumpCloud to probe the intrusion.
Also, JumpCloud has attempted to downplay the break-in, saying: "Fewer than five customers were impacted and fewer than 10 devices total were impacted out of more than 200,000 organizations who rely on the JumpCloud. All impacted customers have been notified directly."