North Korean Hacker Group Breached US IT Firm JumpCloud

The cloud-based IT management firm JumpCloud was compromised by North Korean Lazarus Group hackers who appear to be financially motivated to steal cryptocurrencies.

Since at least 2009, this hacking group has been active, and it is well recognized for its international attacks against prominent targets, including banks, governments, and media organizations.

The company revealed that a nation-state actor was responsible for the system breach that compelled it to reset its clients’ API keys in June.

The company did not identify the country of origin of the hackers at the time, but now researchers at cybersecurity firms CrowdStrike and SentinelOne have identified the hackers as Lazarus, a well-known group known for attacking crypto entities like the Ronin Network and Harmony’s Horizon Bridge. 

Additionally, Tom Hegel of SentinelOne verified that the indications of compromise (IOCs) given by JumpCloud are “linked to a wide variety of activity we attribute to DPRK.”

He stated North Korea was responsible for the intrusion and speculated that the hackers might also be responsible for a recent social engineering effort that targeted GitHub users.

Mandiant incident responders also blamed North Korea for the breach. Also, the renowned Lazarus hacking group’s “Labyrinth Chollima,” a subgroup that was also connected to the recent supply-chain hacks on corporate phone manufacturer 3CX, has been blamed by CrowdStrike for the JumpCloud attack.

Specifics of the JumpCloud Breach

JumpCloud found a breach of its systems by a sophisticated nation-state-sponsored threat actor on June 27th due to a spear-phishing attempt.

JumpCloud quickly cycled credentials and rebuilt compromised infrastructure as a precaution, even though there was no immediate proof of a customer effect.

Later the reports say JumpCloud discovered “unusual activity in the commands framework for a small set of customers.” It also examined logs for indications of malicious activity and forced the rotation of all admin API keys while working with incident response partners and law enforcement.

JumpCloud gave information about the incident and revealed indications of compromise (IOCs) in an alert that was issued on July 12 to assist partners in securing their networks against assaults from the same group.

A North Korean APT group carried out the assault in June, JumpCloud has now confirmed.

According to Bob Phan, JumpCloud CISO, “Importantly, fewer than 5 JumpCloud customers were impacted and fewer than 10 devices total were impacted, out of more than 200,000 organizations that rely on the JumpCloud platform for a variety of identity, access, security, and management functions. All impacted customers have been notified directly”.

Stay up-to-date with the latest Cyber Security News; follow us on GoogleNewsLinkedinTwitterand Facebook.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Google Unveils New Intelligent, Real-Time Protections for Android Users

Google has once again raised the bar for mobile security by introducing two new AI-powered…

6 minutes ago

Chinese National Faces 20 Years of Jail Time for Laundering Millions in Crypto

Daren Li, 41, a dual citizen of China and St. Kitts and Nevis, and a…

25 minutes ago

Google to Issue CVEs for Critical Cloud Vulnerabilities

Google Cloud has announced a significant step forward in its commitment to transparency and security…

2 hours ago

GitLab Patches Critical Flaws Leads to Unauthorized Access to Kubernetes Cluster

GitLab has rolled out critical security updates to address multiple vulnerabilities in its Community Edition…

3 hours ago

Windows 0-Day Exploited in Wild with Single Right Click

A newly discovered zero-day vulnerability, CVE-2024-43451, has been actively exploited in the wild, targeting Windows systems…

4 hours ago

Automating Identity and Access Management for Modern Enterprises

Keeping track of who has access and managing their permissions has gotten a lot more…

20 hours ago