“The adversary gained unauthorized access to our systems to target a small and specific group of our customers,” Bob Fan, JumpCloud’s chief information security officer (CISO), said in a post-mortem report. “The attack vector used by the threat actor has been minimized.”
The US enterprise software firm said it identified unusual activity on an internal orchestration system on June 27, 2023, which was traced to a spear-phishing campaign run by the attacker on June 22.
While JumpCloud said it took security steps to protect its network by rotating credentials and rebuilding its systems, it did not do so until July 5 when it noticed “unusual activity” in the command framework for a small group of customers was detected, leading to forced-rotation. All admin API keys. The number of customers affected was not disclosed.
According to company disclosures, further analysis of the breach revealed the attack vector, which it described as “data injection into the command framework.” It also said that the attacks were highly targeted.
However, JumpCloud did not explain how the phishing attack seen in June is connected to the data injection. It is unclear at this time whether the phishing email led to the deployment of the malware that facilitated the attack.
Additional Indicators of Compromise (IoCs) associated with the attack show that the enemy took advantage of domains named nomadpkg[.]com and nomadpkgs[.]com, which are servers used to deploy and manage containers . Based workload is a possible reference to the orchestrator.
“These are sophisticated and persistent adversaries with advanced capabilities,” Phan said. JumpCloud has not yet disclosed the name and origin of the group allegedly responsible for the incident.
