JumpCloud Breach Traced Back to North Korean State Hackers
Cyber Security Threat Summary:
“US-based enterprise software company JumpCloud was breached by North Korean Lazarus Group hackers, according to security researchers at SentinelOne and CrowdStrike. In a report published on Thursday, SentinelOne Senior Threat Researcher Tom Hegel linked the North Korean threat group to the JumpCloud hack based on multiple indicators of compromise shared by the company in a recent incident report” (Bleeping Computer, 2023). Sentinel One was able to associate these latest indicators of compromise to a cluster of threat activity previously attributed to the North Korean state sponsored APT group.
CrowdStrike, who tracks the group as Labyrinth Chollima, has also attributed the activity to these threat actors based on their investigation and collaboration with JumpCloud. According to CrowdStrike, "One of their primary objectives has been generating revenue for the regime. I don't think this is the last we'll see of North Korean supply chain attacks this year,"
The Lazarus Group has been active since around 2009, the have carried out various campaigns worldwide against banks, government agencies, and media organizations. A notable attack was against Sony, in retaliation for a comedy movie it released mocking North Korea’s leader. Additionally, the FBI linked Lazarus Group attackers to the breach of Axie Infinity's Ronin network bridge, the largest cryptocurrency hack ever, which allowed them to steal a record-breaking $620 million in Ethereum. “In April, Mandiant said that another North Korean threat group tracked as UNC4736 was behind the cascading supply chain attack that hit VoIP firm 3CX in March. UNC4736 is related to the Lazarus Group behind Operation AppleJeus, which was connected by Google TAG to the compromise of Trading Technologies' website, the 3CX developer” (Bleeping Computer, 2023).
Security Officer Comments:
In June of this year, JumpCloud discovered a sophisticated nation-state group had accessed it systems via a spear-phishing attack. JumpCloud was forced to rotate credentials and rebuild it’s compromised infrastructure as a precautionary measure. As the company continued their investigation, they noticed in July that there was unusual activity in the command framework for a small set of customers. Working with incident response partners and law enforcement, the company analyzed logs for signs of malicious activity, and force-rotated all admin API keys.
In an advisory published on July 12th, JumpCloud shared details of the incident and released indicators of compromise (IOCs) to help partners secure their networks against attacks from the same group. As of now, JumpCloud has not disclosed the number of customers impacted by the attack and has not attributed the APT group behind the breach to a specific state.
Link(s):
https://www.bleepingcomputer.com/