Thursday, November 14, 2024
HomeCyber AttackNorth Korean Hacker Group Breached US IT Firm JumpCloud

North Korean Hacker Group Breached US IT Firm JumpCloud

Published on

Malware protection

The cloud-based IT management firm JumpCloud was compromised by North Korean Lazarus Group hackers who appear to be financially motivated to steal cryptocurrencies.

Since at least 2009, this hacking group has been active, and it is well recognized for its international attacks against prominent targets, including banks, governments, and media organizations.

The company revealed that a nation-state actor was responsible for the system breach that compelled it to reset its clients’ API keys in June.

- Advertisement - SIEM as a Service

The company did not identify the country of origin of the hackers at the time, but now researchers at cybersecurity firms CrowdStrike and SentinelOne have identified the hackers as Lazarus, a well-known group known for attacking crypto entities like the Ronin Network and Harmony’s Horizon Bridge. 

Additionally, Tom Hegel of SentinelOne verified that the indications of compromise (IOCs) given by JumpCloud are “linked to a wide variety of activity we attribute to DPRK.”

He stated North Korea was responsible for the intrusion and speculated that the hackers might also be responsible for a recent social engineering effort that targeted GitHub users.

Mandiant incident responders also blamed North Korea for the breach. Also, the renowned Lazarus hacking group’s “Labyrinth Chollima,” a subgroup that was also connected to the recent supply-chain hacks on corporate phone manufacturer 3CX, has been blamed by CrowdStrike for the JumpCloud attack.

Specifics of the JumpCloud Breach

JumpCloud found a breach of its systems by a sophisticated nation-state-sponsored threat actor on June 27th due to a spear-phishing attempt.

JumpCloud quickly cycled credentials and rebuilt compromised infrastructure as a precaution, even though there was no immediate proof of a customer effect.

Later the reports say JumpCloud discovered “unusual activity in the commands framework for a small set of customers.” It also examined logs for indications of malicious activity and forced the rotation of all admin API keys while working with incident response partners and law enforcement.

JumpCloud gave information about the incident and revealed indications of compromise (IOCs) in an alert that was issued on July 12 to assist partners in securing their networks against assaults from the same group.

A North Korean APT group carried out the assault in June, JumpCloud has now confirmed.

According to Bob Phan, JumpCloud CISO, “Importantly, fewer than 5 JumpCloud customers were impacted and fewer than 10 devices total were impacted, out of more than 200,000 organizations that rely on the JumpCloud platform for a variety of identity, access, security, and management functions. All impacted customers have been notified directly”.

Stay up-to-date with the latest Cyber Security News; follow us on GoogleNewsLinkedinTwitterand Facebook.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Google Unveils New Intelligent, Real-Time Protections for Android Users

Google has once again raised the bar for mobile security by introducing two new...

Chinese National Faces 20 Years of Jail Time for Laundering Millions in Crypto

Daren Li, 41, a dual citizen of China and St. Kitts and Nevis, and...

Google to Issue CVEs for Critical Cloud Vulnerabilities

Google Cloud has announced a significant step forward in its commitment to transparency and...

GitLab Patches Critical Flaws Leads to Unauthorized Access to Kubernetes Cluster

GitLab has rolled out critical security updates to address multiple vulnerabilities in its Community...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Google Unveils New Intelligent, Real-Time Protections for Android Users

Google has once again raised the bar for mobile security by introducing two new...

Chinese National Faces 20 Years of Jail Time for Laundering Millions in Crypto

Daren Li, 41, a dual citizen of China and St. Kitts and Nevis, and...

Google to Issue CVEs for Critical Cloud Vulnerabilities

Google Cloud has announced a significant step forward in its commitment to transparency and...