JumpCloud, an American commercial software company, has announced a data breach attributed to a spear phishing attack launched by a sophisticated nation-state-sponsored threat actor.
As a result, the threat actor (Nation-state) gained unauthorized access to JumpCloud systems to target a small and specific set of its customers.
Spear phishing is a type of phishing attack that targets a specific individual, organization, or business with a personalized email or message that looks authentic and comes from a trusted source.
JumpCloud’s cloud-based directory as a service platform is used to securely manage users’ identity, devices, and access across things such as VPN, Wi-Fi, Servers, and workstations.
A nation-state threat actor is a government-sponsored group that forcefully targets and gains illicit access to the networks of other governments or industry groups to steal, damage, and/or change information.
These types of attackers, in particular, go to extreme lengths to cover their tracks and make it difficult to trace their campaigns back to their country of origin. Often, they will plant “false flags” to mislead cyber investigators.
The goal of spear phishing is to get the target to reveal private information, download malware, or lose money.
On June 27 the organization discovered malicious activity in the internal system they accessed a specific area of the infrastructure but they did not find any evidence at that time about the impacts.
To avoid the potential danger, they took immediate measures to rebuild infrastructure and took a number of other actions to further secure our network and perimeter.
Also they combine with Incident Response (IR) partners to analyze the system, they also contacted law enforcement for investigation.
On July 5 at 3:35 UTC (Coordinated Universal Time) they found another unusual activity in commands frameworks.
At that time they have evidence of customer impacts so they worked with that impacted customers and help them with more security measures.
The organization decided to execute force-rotation of all admin API keys beginning on July 5 at 23:11 UTC.
They found that attackers inject the data into the command framework moreover they target only certain customers.
This incident made the organization learn to create and now share a list of IOCs (Indicators of Compromise) that we have observed for this campaign.