Thursday, November 14, 2024
HomeCyber AttackJumpCloud Hacked - Attackers Compromised The Systems Via Spear-phishing Attack

JumpCloud Hacked – Attackers Compromised The Systems Via Spear-phishing Attack

Published on

JumpCloud, an American commercial software company, has announced a data breach attributed to a spear phishing attack launched by a sophisticated nation-state-sponsored threat actor.

As a result, the threat actor (Nation-state) gained unauthorized access to JumpCloud systems to target a small and specific set of its customers.

Spear phishing is a type of phishing attack that targets a specific individual, organization, or business with a personalized email or message that looks authentic and comes from a trusted source.

- Advertisement - SIEM as a Service

JumpCloud’s cloud-based directory as a service platform is used to securely manage users’ identity, devices, and access across things such as VPN, Wi-Fi, Servers, and workstations.

A nation-state threat actor is a government-sponsored group that forcefully targets and gains illicit access to the networks of other governments or industry groups to steal, damage, and/or change information.

These types of attackers, in particular, go to extreme lengths to cover their tracks and make it difficult to trace their campaigns back to their country of origin. Often, they will plant “false flags” to mislead cyber investigators.

The goal of spear phishing is to get the target to reveal private information, download malware, or lose money.

On June 27 the organization discovered malicious activity in the internal system they accessed a specific area of the infrastructure but they did not find any evidence at that time about the impacts.

To avoid the potential danger, they took immediate measures to rebuild infrastructure and took a number of other actions to further secure our network and perimeter.

Also they combine with Incident Response (IR) partners to analyze the system, they also contacted law enforcement for investigation.

On July 5 at 3:35 UTC (Coordinated Universal Time) they found another unusual activity in commands frameworks.

At that time they have evidence of customer impacts so they worked with that impacted customers and help them with more security measures.

The organization decided to execute force-rotation of all admin API keys beginning on July 5 at 23:11 UTC.

They found that attackers inject the data into the command framework moreover they target only certain customers.

This incident made the organization learn to create and now share a list of IOCs (Indicators of Compromise) that we have observed for this campaign.

Also Read:

https://gbhackers.com/lazarus-attack-iis-servers
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Google Unveils New Intelligent, Real-Time Protections for Android Users

Google has once again raised the bar for mobile security by introducing two new...

Chinese National Faces 20 Years of Jail Time for Laundering Millions in Crypto

Daren Li, 41, a dual citizen of China and St. Kitts and Nevis, and...

Google to Issue CVEs for Critical Cloud Vulnerabilities

Google Cloud has announced a significant step forward in its commitment to transparency and...

GitLab Patches Critical Flaws Leads to Unauthorized Access to Kubernetes Cluster

GitLab has rolled out critical security updates to address multiple vulnerabilities in its Community...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Amazon Confirms Employee Data Breach Via Third-party Vendor

Amazon has confirmed that sensitive employee data was exposed due to a breach at...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

Threat Actors Allegedly Claim Leak of 489 Million Lines of Instagram Data

A threat actor has allegedly scraped 489 million lines of Instagram user data, including...