
JumpCloud Blames 'Sophisticated Nation-State' Actor for Security Breach

A little over a week after JumpCloud reset the API keys of customers impacted by a security incident, the company said the intrusion was the work of a sophisticated nation-state actor.

The adversary "gained unauthorized access to our systems to target a small and specific set of our customers," Bob Phan, chief information security officer (CISO) at JumpCloud, said in a post-mortem report. "The attack vector used by the threat actor has been mitigated."

The U.S. enterprise software firm said it identified anomalous activity on June 27, 2023, on an internal orchestration system, which it traced back to a spear-phishing campaign mounted by the attacker on June 22.

While JumpCloud said it took security steps to protect its network by rotating credentials and rebuilding its systems, it wasn't until July 5 that it detected "unusual activity" in the commands framework for a small set of customers, prompting a forced rotation of all admin API keys. The number of affected customers was not disclosed.


Further analysis of the breach, per the company's disclosure, unearthed the attack vector, which it described as a "data injection into the commands framework." It also said the attacks were extremely targeted.

JumpCloud, however, did not explain how the phishing attack it observed in June is related to the data injection. It is currently not clear whether the phishing emails led to the deployment of malware that facilitated the attack.

Additional indicators of compromise (IoCs) associated with the attack reveal that the adversary leveraged domains named nomadpkg[.]com and nomadpkgs[.]com, a possible reference to the Go-based workload orchestrator used to deploy and manage containers.
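The two domains above are published in defanged form, so a defender who wants to check DNS or proxy logs against them first has to refang them and then match on the exact name or any subdomain of it. The following is an added example written for this page, not code from JumpCloud or from the article; the log line format (timestamp, client IP, queried name) and the sample log lines are constructed for illustration.

```python
# Defanged IoC domains as published in the JumpCloud disclosure.
IOC_DOMAINS_DEFANGED = ["nomadpkg[.]com", "nomadpkgs[.]com"]


def refang(domain):
    """Turn a defanged indicator ("example[.]com") back into a matchable name."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Constructed sample DNS query log; assumed format: <timestamp> <client> <qname>.
# Includes a subdomain hit, a mixed-case hit and a lookalike that must NOT match.
SAMPLE_DNS_LOG = """\
2023-06-22T09:14:02Z 10.0.4.17 updates.example.com
2023-06-22T09:15:40Z 10.0.4.17 cdn.nomadpkg.com
2023-06-23T11:02:11Z 10.0.7.3 nomadpkgs.com
2023-06-23T11:02:12Z 10.0.7.3 notnomadpkg.com
2023-06-24T08:00:00Z 10.0.9.9 NOMADPKG.COM.
"""


def matches_ioc(qname, iocs=IOC_DOMAINS):
    """True if qname equals an IoC domain or is a subdomain of one.

    Matching on a label boundary ("." + domain) avoids false positives on
    names that merely end with the same characters, e.g. notnomadpkg.com.
    """
    q = qname.strip().lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in iocs)


def scan_dns_log(text, iocs=IOC_DOMAINS):
    """Return (timestamp, client, qname) for every log line that hits an IoC."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the scan
        ts, client, qname = parts
        if matches_ioc(qname, iocs):
            hits.append((ts, client, qname.lower().rstrip(".")))
    return hits


if __name__ == "__main__":
    for ts, client, qname in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} queried IoC domain {qname}")
```

The same `matches_ioc` check can be pointed at proxy, firewall or passive-DNS exports; the important design choice is the label-boundary comparison, which catches `cdn.nomadpkg.com` while ignoring an unrelated `notnomadpkg.com`.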

"These are sophisticated and persistent adversaries with advanced capabilities," Phan said. JumpCloud has yet to disclose the name and the origins of the group allegedly responsible for the incident.
