The US enterprise software company JumpCloud announced that its IT systems had been compromised by a “sophisticated nation-state sponsored threat actor,” linking the cyberattack to a North Korean hacking group.
The spear-phishing campaign was traced back to late June and has reportedly affected several of JumpCloud’s clients, the company said in a blog post.
Cybersecurity firm CrowdStrike, which is assisting JumpCloud, linked the black-hat hackers to Labyrinth Chollima, considered to be part of the infamous North Korean Lazarus group.
JumpCloud stated in a blog post that customers had been informed and appropriate steps had been taken to eliminate the threat.
The software company initially responded to the discovery of “unusual activity” by performing what is known as a “force-rotation” of its admin Application Programming Interface (API) keys, invalidating the existing keys so that any copy in an attacker’s hands would stop working.
An API is an interface that allows two software programs to interact, connecting a developer’s code with an operating system or another application.
JumpCloud’s API service allows organisations to “operate at scale by performing bulk operations across users, devices, and groups”.
Nick Rago, CTO at security platform Salt Security, told Verdict the incident highlights the fact that APIs have become a “ripe attack surface for cybercriminals”.
Rago explained that access to an admin API key could enable the hacking group to compromise the administration and configuration of key directory and identity services, potentially impacting important services including single sign-on (SSO), multi-factor authentication, password management and device management.
“Understandably, JumpCloud did not release the names of the specific customers the threat actor targeted and impacted, or the suspected motivation behind the attack,” Rago said.
He added: “However, Lazarus has a history of targeting crypto related organizations or entities. If the attack was financially motivated, the threat actor could have been targeting specific JumpCloud customers that were crypto or finance related to help fund nation-state initiatives.”
Rago explained that the breach reinforces how important run-time behavioural anomaly detection is to a good security strategy: credentials such as API keys can be stolen or misused, so defenders also need to notice when a valid key starts behaving differently from its established pattern.
“Authorisation credentials alone are not enough to protect against these types of attacks,” Rago said.
“Organisations should look to leverage security defences that leverage artificial intelligence (AI) and machine learning (ML) modelling to baseline typical behaviour and detect even the most subtle malicious anomalies,” he added.
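As an added illustration of the baseline-then-detect approach Rago describes (example code written here, not JumpCloud’s or Salt Security’s), the following builds a per-key behavioural profile from a constructed admin-API audit trail and flags later events that deviate from it: a new source address, an operation the key has never issued, activity outside its usual hours, or a burst of calls above its historical hourly peak. The event field names and all values are assumptions made up for the example, not a real log schema.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events shaped like a generic admin-API audit trail.
# Field names (key, src, op, ts) are assumptions, not a vendor's real schema.
BASELINE = [
    {"key": "k1", "src": "203.0.113.5", "op": "users.list", "ts": "2023-06-01T09:00:00"},
    {"key": "k1", "src": "203.0.113.5", "op": "devices.list", "ts": "2023-06-01T09:05:00"},
    {"key": "k1", "src": "203.0.113.5", "op": "users.list", "ts": "2023-06-02T09:01:00"},
    {"key": "k1", "src": "203.0.113.5", "op": "groups.list", "ts": "2023-06-02T09:10:00"},
]
NEW = [
    {"key": "k1", "src": "203.0.113.5", "op": "users.list", "ts": "2023-06-27T09:02:00"},
    {"key": "k1", "src": "198.51.100.9", "op": "users.bulk_update", "ts": "2023-06-27T03:14:00"},
    {"key": "k1", "src": "198.51.100.9", "op": "users.bulk_update", "ts": "2023-06-27T03:14:30"},
    {"key": "k1", "src": "198.51.100.9", "op": "devices.bulk_command", "ts": "2023-06-27T03:15:00"},
]

def build_baseline(events):
    """Per API key: seen source IPs, seen operations, active hours, peak events per hour."""
    profile = defaultdict(lambda: {"src": set(), "ops": set(), "hours": set(), "peak": 0})
    per_hour = Counter()
    for e in events:
        p = profile[e["key"]]
        ts = datetime.fromisoformat(e["ts"])
        p["src"].add(e["src"])
        p["ops"].add(e["op"])
        p["hours"].add(ts.hour)
        per_hour[(e["key"], ts.strftime("%Y-%m-%dT%H"))] += 1
    for (key, _), n in per_hour.items():
        profile[key]["peak"] = max(profile[key]["peak"], n)
    return profile

def detect(events, profile, burst_multiple=1):
    """Return (event index, reason) for every deviation from the key's baseline."""
    findings, per_hour = [], Counter()
    for i, e in enumerate(events):
        p = profile.get(e["key"])
        ts = datetime.fromisoformat(e["ts"])
        if p is None:                      # a key with no history at all
            findings.append((i, "unknown key"))
            continue
        if e["src"] not in p["src"]:
            findings.append((i, "new source"))
        if e["op"] not in p["ops"]:
            findings.append((i, "new operation"))
        if ts.hour not in p["hours"]:
            findings.append((i, "off-hours"))
        bucket = (e["key"], ts.strftime("%Y-%m-%dT%H"))
        per_hour[bucket] += 1              # hourly volume vs. historical peak
        if per_hour[bucket] > burst_multiple * p["peak"]:
            findings.append((i, "burst"))
    return findings
```

In the sample, the routine admin call at 09:02 produces no finding, while the off-hours bulk operations from an unseen address are flagged on every axis, and the third one also trips the burst check.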