Cyber Incident Victim: JumpCloud
Date: Jun 2023
Location: United States of America
Summary
A sophisticated nation-state threat actor, attributed to North Korea, compromised JumpCloud's systems via a spear-phishing campaign. The intrusion gave the actor unauthorized access to JumpCloud's infrastructure, which it then used for a data injection attack against the company's commands framework. The attack was highly targeted: fewer than five customer organizations and fewer than ten devices in total were affected. The actor's access was eliminated after JumpCloud mitigated the attack vector, rotated credentials, and rebuilt the affected infrastructure.
Description
On June 22, 2023, a sophisticated nation-state sponsored threat actor, later attributed to North Korea, conducted a spear-phishing campaign against JumpCloud and gained unauthorized access to the company's systems. JumpCloud's security team first detected anomalous activity on an internal orchestration system on June 27 at 15:13 UTC, and the investigation traced that activity back to the June 22 spear-phishing compromise. At the time of this initial detection, the unauthorized access appeared to be limited to a specific area of JumpCloud's infrastructure, and there was no evidence of customer impact.

Upon discovering this anomalous activity, JumpCloud activated its incident response plan and, out of an abundance of caution, immediately rotated credentials and rebuilt the affected infrastructure, along with additional steps to harden the company's network and perimeter. As part of the plan, JumpCloud engaged its incident response partner, CrowdStrike, and began working with US federal law enforcement agencies to assist with the investigation. JumpCloud Security Operations continued the forensic investigation in collaboration with these external partners.
The investigation found no evidence of customer impact until July 5. On that date, at 03:35 UTC, JumpCloud discovered unusual activity within the commands framework for a small set of customers, the first confirmed evidence that the threat actor's activity had reached customers. Upon confirming this impact, JumpCloud began working directly with the affected customers to help them implement additional security measures. Later that same day, on July 5 at 23:11 UTC, JumpCloud force-rotated all administrator API keys to invalidate any potentially compromised credentials, and communicated the decision to the entire customer base immediately. Because these keys authenticate programmatic access to JumpCloud's IT services by applications and integrations, the reset required every customer to update their third-party integrations with newly generated keys.
Continued forensic analysis uncovered the specific attack vector the threat actor used against customers: data injection into JumpCloud's commands framework. The analysis also confirmed that the attack was extremely targeted and limited to a very specific set of customers. The investigation concluded that fewer than five JumpCloud customers were impacted, and across those customers fewer than ten devices were affected in total. This impact was very limited relative to the full scale of the JumpCloud platform, which is used by more than 180,000 organizations across over 160 countries for multidirectory management, identity and access management, multifactor authentication, and single sign-on.
All customers impacted by this incident were notified directly by JumpCloud, which worked with them throughout the investigation and response. JumpCloud mitigated the attack vector used by the threat actor, eliminating the immediate threat. To promote transparency and help the broader industry defend against this adversary, JumpCloud published a list of known Indicators of Compromise (IOCs) observed during the campaign. The company described the adversary as sophisticated and persistent, with advanced capabilities, and emphasized that information sharing and collaboration are the strongest line of defense against such threats.
JumpCloud stated that it remains committed to the highest security standards, rapid response and mitigation for customer safety, and open communication for the benefit of the industry. The company concluded its investigation and continues to work on enhancing its security measures to protect customers from future threats. It also continues to work closely with government and industry partners to share information related to this specific threat actor and their tactics, techniques, and procedures.
