Identity and access management firm JumpCloud has revealed its recent ‘security incident’ was an attack by a state-sponsored threat actor, which first accessed internal systems almost two weeks before customers were notified.
Affected customers are also believed to have been specifically targeted by the threat actor which JumpCloud said was “sophisticated… with advanced capabilities”.
The customers that were targeted during the attack have been receiving additional support from JumpCloud to shore up their cyber defenses.
JumpCloud stated that it has mitigated the vector used by the attacker, not revealing any further details related to it, and committed to sharing information related to the incident with industry partners and the US government.
It also released indicators of compromise (IoCs) for the attack, comprising malicious IPs and hashes, and urged firms to use the data for Endpoint Detection and Response (EDR).
“Our strongest line of defense is through information sharing and collaboration. That’s why it was important to us to share the details of this incident and help our partners to secure their own environments against this threat,” said Bob Phan, CISO at JumpCloud.
“We will continue to enhance our own security measures to protect our customers from future threats and will work closely with our government and industry partners to share information related to this threat.”
JumpCloud’s security incident: What happened?
On 5 July it was found that an attacker had accessed the commands framework for some JumpCloud customers via data injection.
Busting nine myths about file-based threats
Deciphering the assumptions and myths about file-based threats.
The discovery was made at 03:35 UTC, and at 23:11 UTC JumpCloud rotated all admin API keys. It notified customers that it had invalidated their API keys “out of an abundance of caution relating to an ongoing incident” without providing any further details.
The firm first discovered suspicious activity on an internal system on 27 June, which it linked spear phishing attack on 22 June, but JumpCloud stated that it saw no evidence of customer impact at that stage.
The company responded by rotating credentials, bringing in its incident response partner, contacting law enforcement, and securing infrastructure. It was through the resulting forensic investigation that the activity linked to customers was subsequently found.
"JumpCloud recently experienced a cyber security incident that impacted a small and specific set of our customers,” said a JumpCloud spokesperson at the time.
“Upon detecting the incident, we immediately took action based on our incident response plan to mitigate the threat, secure our network and perimeter, communicate with our customers, and engage law enforcement.
“As always, our entire JumpCloud team remains vigilant about new and emerging threats, and we are confident in our robust security controls and people. We continue to work with our customers and are committed to sharing information about this incident with government agencies and industry professionals. We appreciate our ongoing partnerships with all our customers."
@troyhunt this seems ominous from @JumpCloud pic.twitter.com/Pu0keIHqSKJuly 5, 2023
