Friday, December 1, 2023

North Korean Hacker Group Breached US IT Firm JumpCloud

The cloud-based IT management firm JumpCloud was compromised by North Korean Lazarus Group hackers who appear to be financially motivated to steal cryptocurrencies.

Since at least 2009, this hacking group has been active, and it is well recognized for its international attacks against prominent targets, including banks, governments, and media organizations.

The company revealed that a nation-state actor was responsible for the system breach that compelled it to reset its clients’ API keys in June.

The company did not identify the country of origin of the hackers at the time, but now researchers at cybersecurity firms CrowdStrike and SentinelOne have identified the hackers as Lazarus, a well-known group known for attacking crypto entities like the Ronin Network and Harmony’s Horizon Bridge. 

Additionally, Tom Hegel of SentinelOne verified that the indications of compromise (IOCs) given by JumpCloud are “linked to a wide variety of activity we attribute to DPRK.”

He stated North Korea was responsible for the intrusion and speculated that the hackers might also be responsible for a recent social engineering effort that targeted GitHub users.

Mandiant incident responders also blamed North Korea for the breach. Also, the renowned Lazarus hacking group’s “Labyrinth Chollima,” a subgroup that was also connected to the recent supply-chain hacks on corporate phone manufacturer 3CX, has been blamed by CrowdStrike for the JumpCloud attack.

Specifics of the JumpCloud Breach

JumpCloud found a breach of its systems by a sophisticated nation-state-sponsored threat actor on June 27th due to a spear-phishing attempt.

JumpCloud quickly cycled credentials and rebuilt compromised infrastructure as a precaution, even though there was no immediate proof of a customer effect.

Later the reports say JumpCloud discovered “unusual activity in the commands framework for a small set of customers.” It also examined logs for indications of malicious activity and forced the rotation of all admin API keys while working with incident response partners and law enforcement.

JumpCloud gave information about the incident and revealed indications of compromise (IOCs) in an alert that was issued on July 12 to assist partners in securing their networks against assaults from the same group.

A North Korean APT group carried out the assault in June, JumpCloud has now confirmed.

According to Bob Phan, JumpCloud CISO, “Importantly, fewer than 5 JumpCloud customers were impacted and fewer than 10 devices total were impacted, out of more than 200,000 organizations that rely on the JumpCloud platform for a variety of identity, access, security, and management functions. All impacted customers have been notified directly”.

Stay up-to-date with the latest Cyber Security News; follow us on GoogleNewsLinkedinTwitterand Facebook.


Latest articles

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...

CISA Warns Hackers Exploiting Wastewater Systems Logic Controllers

In a disconcerting turn of events, cyber threat actors have set their sights on...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles