Identity and access management solutions provider JumpCloud revealed on July 12, 2023, that it had been the target of a security breach carried out by a sophisticated nation-state-sponsored threat actor.
The breach first came to light on June 27 when anomalous activity was detected on an internal orchestration system. The investigation traced the incident back to a spear-phishing campaign initiated by the threat actor on June 22, which resulted in unauthorized access to a specific section of JumpCloud's infrastructure.
"With automated tools, we see a significant decrease in dwell time which allows organizations to minimize the exposure and potential damage resulting from a breach," explained Dror Liwer, co-founder of cybersecurity company Coro.
"The race to identify, contain, and remediate a rolling breach is exacerbated by the attackers [...] using automated tools and AI to camouflage their entry point and lateral movement within the impacted platforms."
While no evidence of customer impact was found at the time, JumpCloud proactively bolstered its security measures by rotating credentials, rebuilding infrastructure, and fortifying its network and perimeter.
The situation escalated on July 5 when unusual activity was discovered in the commands framework for a small group of customers, indicating that customer data had been compromised. In response, JumpCloud force-rotated all admin API keys and notified affected customers immediately.
"Even technically advanced organizations, and those familiar with working in software, can still be victimized by something as simple as phishing if they're not careful," commented Erich Kron, security awareness advocate at KnowBe4.
"Organizations of any size, and in any industry, should ensure they are using a high-quality and well-implemented employee education and training program to ensure their employees are learning better security hygiene and behaviors."
After a forensic investigation conducted with incident response partners and law enforcement, the attack vector was identified as data injection into the commands framework. JumpCloud emphasized that the breach was highly targeted and limited to specific customers.
To foster a collective defense against such advanced threats, the company has also made public a list of indicators of compromise (IoCs) observed during the campaign.
"These are sophisticated and persistent adversaries with advanced capabilities," the company wrote.
"Our strongest line of defense is through information sharing and collaboration. That's why it was important to us to share the details of this incident and help our partners to secure their own environments against this threat."