2023-07-18

Just over a week after JumpCloud reset the API keys of customers affected by a security incident, the company has declared that the intrusion was the work of an actor sponsored by an unidentified foreign nation-state.

First of all, what is JumpCloud?

JumpCloud is a US company that provides cloud-based identity and access management (IAM) infrastructure for enterprises. Its platform offers centralized authentication and authorization services, allowing enterprises to securely manage user access to a variety of resources, such as devices, applications, servers and networks.

JumpCloud allows enterprises to simplify the management of user identities and passwords through a single cloud-based administration console. Administrators can easily assign and revoke user permissions, control access to various services, and monitor user activity within the organization.

Additionally, JumpCloud offers advanced security features, such as multi-factor authentication, digital certificate management, and asset protection using granular access policies. The platform is designed to be compatible with a wide range of operating systems, applications and services, allowing enterprises to easily integrate JumpCloud into their existing infrastructure.

In short, it is a service similar to LastPass, which we covered in a previous article.

So what happened at JumpCloud, then?

The attacker “gained unauthorized access to our systems to target a specific, small set of our customers”, declared Bob Phan, Chief Information Security Officer (CISO) at JumpCloud, in a post-mortem report. “The attack vector used by the attacker has been stopped.”

The US enterprise software firm said it identified anomalous activity on June 27, 2023 on an internal orchestration system, which it traced back to a spear-phishing campaign mounted by the attacker on June 22.

While JumpCloud has taken steps to protect its network by rotating credentials and rebuilding its systems, it wasn’t until July 5 that it detected “unusual activity” in the command framework for a small group of customers, which resulted in a forced rotation of all admin API keys. The number of customers affected was not disclosed.

Further analysis of the breach, according to the company’s disclosure, uncovered the attack vector, which it described as “a data injection into the command framework.” It was also claimed that the attacks were highly targeted.

However, JumpCloud did not explain how the phishing campaign it found in June is related to the data injection. It is currently unclear whether the phishing emails led to the installation of malware that facilitated the attack.

Additional indicators of compromise (IoCs) associated with the attack show that the adversary used the domains nomadpkg[.]com and nomadpkgs[.]com, probably a reference to a workload orchestration tool written in the Go (Golang, by Google) programming language that is used to deploy and manage workloads.
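The two defanged domains above are the only concrete indicators the article gives, so the most useful thing a defender can do with them is check outbound DNS activity against them. The following is an added example, not code from the article or from JumpCloud: it refangs the indicators, matches exact domains and their subdomains (so a look-alike such as notnomadpkg.com is not a false hit), and runs the check over a few constructed BIND-style query log lines. The log format and the IP addresses are assumptions made for the example.

```python
"""Match DNS query logs against the domain IoCs reported for the JumpCloud incident.

Added example, not part of the original article or of JumpCloud's tooling.
The only values taken from the article are the two defanged domains; the
log lines and the log format are constructed for this example.
"""
import re

# Defanged IoC domains exactly as given in the article.
DEFANGED_IOCS = ["nomadpkg[.]com", "nomadpkgs[.]com"]


def refang(domain: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into a real hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


def matches_ioc(hostname: str) -> bool:
    """True if hostname is an IoC domain or any subdomain of one.

    Whole labels are compared, so 'notnomadpkg.com' does not match
    'nomadpkg.com', while 'update.nomadpkg.com' does.
    """
    host = hostname.strip().lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOC_DOMAINS)


# Assumed BIND-style query log format (an assumption for this example).
LOG_LINE = re.compile(
    r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def scan_dns_log(lines) -> list[dict]:
    """Return one record per log line whose queried name hits an IoC domain."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue  # not a query line, or a format we do not parse
        qname = m["qname"].lower().rstrip(".")
        if matches_ioc(qname):
            hits.append({"src": m["src"], "qname": qname, "qtype": m["qtype"]})
    return hits


# Constructed sample log: two benign queries, one look-alike, two real hits.
SAMPLE_LOG = """\
18-Jul-2023 10:01:02.113 client 10.0.4.17#51234: query: www.example.com IN A
18-Jul-2023 10:01:05.921 client 10.0.4.17#51240: query: update.nomadpkg.com IN A
18-Jul-2023 10:01:06.004 client 10.0.4.22#51301: query: notnomadpkg.com IN A
18-Jul-2023 10:02:11.556 client 10.0.7.9#52002: query: NOMADPKGS.COM. IN TXT
"""

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG.splitlines()):
        print(f"IoC hit: {hit['src']} -> {hit['qname']} ({hit['qtype']})")
```

Matching on whole labels rather than with a substring search is the detail that matters here: a plain `"nomadpkg.com" in line` check would flag the look-alike name in the third line and miss nothing, but in a real log it produces false positives that waste triage time. Pointing the same function at a proxy or firewall log only requires swapping the regular expression.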

“These are adversaries [who use methods that are] sophisticated and persistent, with advanced skills,” Phan said. JumpCloud has yet to reveal the name and origin of the group allegedly responsible for the intrusion.

In conclusion

It is striking that even companies whose business is protecting data can find themselves hit by malicious actors.

This platform is not widely used in our country, but if you do use it, it goes without saying that you should change the access password on your credentials.