
Just over a week after JumpCloud reset API keys for customers affected by the security incident, the company said the intrusion was the work of a sophisticated nation-state actor.
JumpCloud’s chief information security officer (CISO), Bob Huang, said in a post-mortem report that the attackers “gained unauthorized access to our systems by targeting a small number of specific customers,” adding that “the attack vectors used by threat actors have been mitigated.”
The US enterprise software company identified anomalous activity on its internal orchestration system on June 27, 2023, and said the activity was traced back to a spear-phishing campaign launched by the attackers on June 22.
JumpCloud said it took security steps to protect its network by rotating credentials and rebuilding its systems, but it was not until July 5 that it detected “unusual activity” in its commands framework for a small number of customers and initiated a forced rotation of all admin API keys. The number of affected customers was not disclosed.
According to the company’s disclosure, further analysis of the breach revealed an attack vector described as “data injection into the commands framework.” The company also said the attack was highly targeted.
However, JumpCloud did not explain how the phishing attacks it discovered in June were related to the data injection. It is not clear at this time whether the phishing emails led to the deployment of the malware that facilitated the attack.
Additional indicators of compromise (IoCs) associated with the attack show that the attacker used the domains nomadpkg[.]com and nomadpkgs[.]com, which could be a reference to a Go-based workload orchestrator used to deploy and manage containers.
“These are highly capable, sophisticated and relentless adversaries,” Huang said. JumpCloud has not yet disclosed the name or origin of the group believed to be responsible for the incident.