Tuesday, December 24, 2024

North Korean Hacker Group Breached US IT Firm JumpCloud


The cloud-based IT management firm JumpCloud was compromised by hackers from North Korea's Lazarus Group, who appear to be financially motivated and focused on stealing cryptocurrency.

The group has been active since at least 2009 and is well known for attacks around the world against prominent targets, including banks, governments, and media organizations.

The company revealed that a nation-state actor was responsible for the system breach that compelled it to reset its clients’ API keys in June.


At the time, the company did not identify the hackers' country of origin, but researchers at the cybersecurity firms CrowdStrike and SentinelOne have now identified them as Lazarus, a group well known for attacking crypto entities such as the Ronin Network and Harmony's Horizon Bridge.

Additionally, Tom Hegel of SentinelOne confirmed that the indicators of compromise (IOCs) published by JumpCloud are "linked to a wide variety of activity we attribute to DPRK."

He stated North Korea was responsible for the intrusion and speculated that the hackers might also be responsible for a recent social engineering effort that targeted GitHub users.

Mandiant incident responders also attributed the breach to North Korea. CrowdStrike, for its part, blamed the JumpCloud attack on "Labyrinth Chollima," a Lazarus subgroup that was also connected to the recent supply-chain attack on the corporate phone manufacturer 3CX.

Specifics of the JumpCloud Breach

JumpCloud detected a breach of its systems by a sophisticated nation-state-sponsored threat actor on June 27; the intrusion began with a spear-phishing attempt.

As a precaution, JumpCloud promptly rotated credentials and rebuilt the compromised infrastructure, even though there was no immediate evidence of customer impact.

Reports later indicated that JumpCloud discovered "unusual activity in the commands framework for a small set of customers." The company also examined logs for signs of malicious activity and forced the rotation of all admin API keys while working with incident response partners and law enforcement.

In an alert issued on July 12, JumpCloud shared details of the incident and published indicators of compromise (IOCs) to help partners secure their networks against attacks from the same group.

JumpCloud has now confirmed that a North Korean APT group carried out the June attack.

According to Bob Phan, JumpCloud CISO, “Importantly, fewer than 5 JumpCloud customers were impacted and fewer than 10 devices total were impacted, out of more than 200,000 organizations that rely on the JumpCloud platform for a variety of identity, access, security, and management functions. All impacted customers have been notified directly”.


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
