Just over a week after JumpCloud reset API keys for customers affected by a security breach, the company has attributed the intrusion to a sophisticated nation-state attacker.
According to Bob Phan, the Chief Information Security Officer (CISO) at JumpCloud, the threat actor “gained unauthorized entry to our systems with the specific aim of targeting a small subset of our customers,” as revealed in a post-mortem analysis. “The attack vector employed by the threat actor has been effectively mitigated.”
The U.S.-based enterprise software company disclosed that it detected anomalous activity on June 27, 2023, on an internal orchestration system, and traced it back to a spear-phishing campaign the attacker had launched on June 22.
JumpCloud responded by rotating credentials and rebuilding its infrastructure, but on July 5 it still observed “unusual activity” in the commands framework for a small subset of customers, which prompted a forced rotation of all admin API keys. The total number of customers affected has not been disclosed.
The company’s subsequent investigation identified the attack vector as a “data injection into the commands framework,” the JumpCloud feature administrators use to push commands and scripts to their enrolled devices. The attacks were also described as highly targeted.
JumpCloud has not, however, explained how the phishing attack detected in June and the data injection are connected, nor whether the phishing emails led to malware being deployed that enabled the intrusion.
Additional indicators of compromise (IoCs) linked to the attack include the domains nomadpkg[.]com and nomadpkgs[.]com, likely a reference to HashiCorp Nomad, the Go-based workload orchestrator used to deploy and manage containerized workloads.
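The two domains above are published in defanged form and are useful mainly as a retro-hunt against DNS and proxy logs. The script below is an added example, not part of the article or of JumpCloud’s advisory: it refangs the indicators, then scans log lines for queries that equal an IoC domain or are a subdomain of one, while deliberately not matching hostnames that merely contain the string (a naive substring search would flag `nomadpkg.com.evil.example`). The log format and the log lines are constructed for the example; only the two domain names come from the page.

```python
"""Retro-hunt DNS query logs for the nomadpkg[.]com / nomadpkgs[.]com IoCs.

Added example: the log format and sample lines are constructed, not real
JumpCloud or customer telemetry. Only the two IoC domains come from the article.
"""
import re
from typing import Dict, Iterable, List, Optional

# IoC domains exactly as published (defanged with "[.]").
DEFANGED_IOCS = ["nomadpkg[.]com", "nomadpkgs[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'a[.]b' back into a matchable hostname."""
    return (
        indicator.replace("[.]", ".")
        .replace("(.)", ".")
        .replace("hxxp", "http")
        .strip()
        .lower()
    )


IOC_DOMAINS = frozenset(refang(d) for d in DEFANGED_IOCS)


def matches_ioc(hostname: str, iocs=IOC_DOMAINS) -> Optional[str]:
    """Return the IoC that hostname equals or is a subdomain of, else None.

    Matching on a label boundary ("." + ioc) is what keeps look-alike or
    attacker-padded names like 'nomadpkg.com.evil.example' from matching.
    """
    host = hostname.strip().lower().rstrip(".")  # tolerate trailing-dot FQDNs
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Constructed sample log: "<timestamp> <client-ip> <qname> <qtype>" per line.
SAMPLE_DNS_LOG = """\
2023-07-05T10:01:02Z 10.0.4.17 api.jumpcloud.com A
2023-07-05T10:01:09Z 10.0.4.17 cdn.nomadpkg.com. A
2023-07-05T10:02:44Z 10.0.4.22 nomadpkgs.com A
2023-07-05T10:03:00Z 10.0.4.23 nomadpkg.com.evil.example A
2023-07-05T10:03:15Z 10.0.4.31 releases.hashicorp.com A
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def scan_dns_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per log line whose queried name hits an IoC domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crashing the sweep
        ts, client, qname, _qtype = m.groups()
        ioc = matches_ioc(qname)
        if ioc:
            hits.append({"ts": ts, "client": client, "qname": qname.rstrip("."), "ioc": ioc})
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(f"{hit['ts']} {hit['client']} queried {hit['qname']} (IoC: {hit['ioc']})")
```

Run against the constructed log, the sweep flags the `cdn.nomadpkg.com.` subdomain query and the bare `nomadpkgs.com` query, and ignores both the legitimate HashiCorp download host and the padded `nomadpkg.com.evil.example` name. Feed it real resolver or proxy logs by replacing `SAMPLE_DNS_LOG` with the file contents, and extend `DEFANGED_IOCS` as further indicators are published.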
“These adversaries are sophisticated, persistent, and possess advanced capabilities,” remarked Phan. The identity and origins of the group allegedly responsible for the incident have yet to be disclosed by JumpCloud.