JumpCloud Hacked – Hackers Breached The Systems Via Spear-Phishing Attack

Dec 30, 2024

A sophisticated nation-state adversary with advanced capabilities attacked JumpCloud through a spear-phishing attack.

JumpCloud is a US-based zero-trust directory platform that customers use to authenticate, authorize, and manage users, devices, and applications.

On July 12, JumpCloud disclosed on its official page that its systems had been breached by unknown threat actors targeting a small set of customers.

JumpCloud's chief information security officer, Bob, confirmed that the company took appropriate steps and mitigated the threat on the customer side.

Detailed Report:

On June 27 at 15:13 UTC, the team discovered abnormal activity on their internal orchestration system.

Further analysis and investigation by the team revealed that unauthorized access to their infrastructure had been obtained through a phishing attempt a month earlier.

They immediately activated their incident response team to review all logs and analyze the threat's potential activity and further impact.

Although they had not seen any impact on the customer side, they rotated credentials and rebuilt infrastructure as a precautionary measure.

Additionally, they engaged law enforcement in their investigation.

On July 5 at 03:35 UTC, after discovering that a small set of customers had been impacted, they reset and generated new API keys for their customers.

They also worked closely with affected customers to remediate the threat and mitigate further activity by the APT.

This was a targeted attack in which specific JumpCloud customers were singled out through data injection into its command framework.

“Our strongest line of defense is through information sharing and collaboration to secure their environments against this threat,” said Bob.

JumpCloud shared a detailed list of IOCs discovered during the investigation on its official page and is working further with government and industry partners to share information about this threat.

Indicators of compromise

SHA256: 9151ff77b65eeacd5cdddd13c041db3ad9818fd2aebe05d8745227fac7e516b8
SHA1: 92480e506d51d920fcc1d4dba7206c3185317f61
MD5: 3a9c24c92c221658a8bf9ce61d758e1a

SHA256: 4dc71b659c9277c7bb704392f8af5b6b2fbc9a66d3ad80d8cb4df0bd686f0e86
SHA1: cb0e71340f963f7f2f404a0431d82ac809d2b15d
MD5: b8724109e5473b4ca79a13c33b865e32

Source: CybersecurityNews.com
