A little over a week after JumpCloud reset the API keys of a customer affected by the security incident, the company said the intrusion was the work of a sophisticated nation-state actor.
Adversaries “gained unauthorized access to our systems to target a small number of our specific customers,” Bob Phan, chief information security officer (CISO) at JumpCloud, said in the postmortem report. “Attack vectors used by threat actors have been reduced.”
The US enterprise software company said it had identified anomalous activity on June 27, 2023, on its internal orchestration system, which traced back to a spear-phishing campaign mounted by attackers on June 22.
While JumpCloud said it was taking security measures to protect its network by rotating its credentials and rebuilding its systems, it wasn’t until July 5 when it detected “unusual activity” in the command framework for a small group of customers, prompting a forced rotation of all admin API keys. The number of affected customers was not disclosed.
Further analysis of the breach, according to company disclosures, uncovered the attack vector, described as “data injection into the command framework.” It also said the attack was highly targeted.
However, JumpCloud did not explain how the phishing attacks seen in June were related to the data injection. It is currently unclear whether the phishing email led to the spread of the malware facilitating the attack.
Protecting Against Insider Threats: SaaS Master Security Posture Management
Worried about insider threats? We are here to help you! Join this webinar to explore practical strategies and secrets to proactive security with SaaS Security Posture Management.
Additional compromise indicator (IoC) associated with the attack show that adversary’s leverage domains are named nomadpkg(.)com and nomadpkgs(.)com, possible references to Go-based workload orchestrator used to deploy and manage containers.
“This is a sophisticated and determined adversary with advanced capabilities,” said Phan. JumpCloud has not disclosed the name and origin of the group allegedly responsible for the incident.