
Cyber Incident Victim: CloudSEK

Date:

Nov 2022

Location:

India

Summary

A cybersecurity firm experienced a breach when an employee's session cookies were stolen by Vidar Stealer malware installed during third-party laptop servicing, enabling unauthorized access to its Jira and Confluence systems. The attacker exfiltrated internal documents, training materials, screenshots of product dashboards, and the names and purchase orders of three customers, and later attempted to sell alleged network access and the codebase on hacking forums. No databases, customer login credentials, or critical systems were compromised. Multi-factor authentication was enabled on the affected account, but a replayed session cookie represents an already-authenticated session and is never re-challenged; the company therefore attributed the incident to session cookie exploitation, and implicated another dark web monitoring cybersecurity firm based on similarities in attack patterns. Post-incident security enhancements were implemented, including revised access controls and vulnerability assessments of the affected platforms.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On November 21, 2022, a CloudSEK employee reported performance issues with their company-issued laptop. The following day, CloudSEK engaged the third-party vendor Axiom to service the device, which was removed from company premises for repairs. When it was returned on November 24, the laptop carried a fresh Windows installation but was infected with Vidar Stealer malware. The malware harvested session cookies and credentials from the employee's machine and uploaded them to a dark web marketplace, where an unidentified attacker purchased the logs the same day. The attacker replayed the stolen session cookies to gain unauthorized access to the employee's Jira account. Because a valid session cookie represents a session that has already passed authentication, the multi-factor authentication protecting the email account associated with the Jira login was never triggered. This initial foothold gave the threat actor access to CloudSEK's Confluence server, where they searched for sensitive information using terms such as "password" and exfiltrated internal documents between late November and early December 2022.
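The two behaviours described above, a session cookie replayed from a machine other than the one that completed MFA and a subsequent search for "password", are both visible in ordinary application access logs. The following detection is an added example written for this page; it is not CloudSEK's, Atlassian's or any vendor's code. The log line format, field names (session, event, q, ua) and the sample lines are constructed assumptions standing in for the access log of an SSO-fronted Jira/Confluence deployment.

```python
"""Detect replay of a stolen session cookie and post-compromise reconnaissance.

Constructed example: the log format, field names and sample lines are
hypothetical stand-ins for a Jira/Confluence access log, not real vendor data.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumed line shape: ISO timestamp, client IP, session id, event name,
# optional search query, and the client's User-Agent string.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) session=(?P<sid>\S+) event=(?P<event>\S+)'
    r'(?: q="(?P<q>[^"]*)")? ua="(?P<ua>[^"]*)"$'
)

# Constructed sample: one session passes MFA on a Windows/Firefox client,
# drifts to a neighbouring IP on the same client, then reappears from a
# different network and browser and searches Confluence for "password".
SAMPLE_LOGS = [
    '2022-11-24T09:00:01Z 203.0.113.10 session=s7f3e1 event=mfa_ok '
    'ua="Mozilla/5.0 (Windows NT 10.0) Firefox/107.0"',
    '2022-11-24T09:05:10Z 203.0.113.10 session=s7f3e1 event=view '
    'ua="Mozilla/5.0 (Windows NT 10.0) Firefox/107.0"',
    '2022-11-24T10:12:44Z 203.0.113.11 session=s7f3e1 event=view '
    'ua="Mozilla/5.0 (Windows NT 10.0) Firefox/107.0"',
    '2022-11-24T17:42:03Z 198.51.100.77 session=s7f3e1 event=view '
    'ua="Mozilla/5.0 (X11; Linux x86_64) Chrome/108.0"',
    '2022-11-24T17:43:20Z 198.51.100.77 session=s7f3e1 event=search q="password" '
    'ua="Mozilla/5.0 (X11; Linux x86_64) Chrome/108.0"',
]

# Search terms that signal credential hunting rather than normal wiki use.
SENSITIVE_TERMS = ("password", "passwd", "secret", "api key", "token")


def parse(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Bind each session to the (ip, ua) seen when MFA completed and flag
    later use that does not match, plus sensitive searches on bound sessions."""
    bound: Dict[str, Tuple[str, str]] = {}
    alerts: List[Dict[str, str]] = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        sid = rec["sid"]
        if rec["event"] == "mfa_ok":
            # The only point at which the server knows a human passed MFA;
            # everything the session does afterwards rides on the cookie alone.
            bound[sid] = (rec["ip"], rec["ua"])
            continue
        if sid not in bound:
            continue  # pre-MFA or unknown session: nothing to compare against
        ip0, ua0 = bound[sid]
        base = {"sid": sid, "ip": rec["ip"], "ts": rec["ts"]}
        if rec["ua"] != ua0:
            # A cookie replayed from another machine almost always changes the UA.
            alerts.append({**base, "kind": "fingerprint_mismatch", "severity": "high"})
        elif rec["ip"] != ip0:
            # IP-only drift is routine on mobile and VPN clients; keep it low.
            alerts.append({**base, "kind": "ip_drift", "severity": "low"})
        query = (rec.get("q") or "").lower()
        if rec["event"] == "search" and any(t in query for t in SENSITIVE_TERMS):
            alerts.append({**base, "kind": "sensitive_search", "severity": "high",
                           "query": query})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

The binding at `mfa_ok` is the key design choice: MFA proves who was present at login, not who holds the cookie afterwards, so the detector compares every later request against the client fingerprint captured at that moment. A User-Agent change on the same session is treated as high confidence because a stealer log is replayed from the buyer's browser, while an IP-only change is kept low severity to avoid paging on mobile and VPN roaming. The keyword rule is deliberately narrow; widen `SENSITIVE_TERMS` to match your own wiki's conventions rather than relying on "password" alone.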


The attacker, operating under the alias 'sedut', surfaced on multiple cybercrime forums on December 5-6, 2022, claiming broad access to CloudSEK's networks, including the XVigil threat intelligence platform, codebase, email systems, Jira, and social media accounts. They leaked screenshots of internal Confluence pages showing product dashboards, ElasticDB and MySQL database schemas taken from training materials, usernames and passwords for forum-scraping accounts, and purchase orders naming three customers. 'sedut' attempted to monetize the breach by offering CloudSEK's alleged database for $10,000 and codebase documentation for $8,000. CloudSEK's investigation confirmed the compromise was limited to Jira and Confluence artifacts, with no evidence of database, server, or customer credential access. Forensic analysis traced every leaked item to pre-existing Jira tickets and Confluence training documents rather than live production systems. The company publicly disclosed the incident on December 1 through ongoing blog updates, citing session cookie theft as the primary attack vector and noting the threat actor's lack of an established dark web reputation. CloudSEK leadership implicated an unnamed cybersecurity firm specializing in dark web monitoring, citing tactical similarities to historical attacks, though no conclusive attribution evidence was publicly provided. Internal security controls were revised following the breach, with particular attention to session management and third-party device handling protocols.
