JumpCloud, a US-based enterprise software firm known for its cloud directory platform, recently disclosed a security breach that was part of a highly targeted operation aimed at a select group of customers. The company’s Directory-as-a-Service® product is used by more than 100,000 organizations across the globe, offering a comprehensive array of identity features including user and system management, LDAP and SAML services, MFA, and more.

The breach was discovered on June 27, 2023, and was traced back to a spear-phishing campaign launched by the attackers on June 22, 2023. The attackers were identified as a sophisticated nation-state actor, although the specific state has not been disclosed.

The attackers gained unauthorized access to JumpCloud’s systems and initiated unusual activity in the commands framework for a small set of customers. This discovery was made on July 5, 2023, during an investigation into the attack and analysis of logs for signs of malicious activity. In response, JumpCloud force-rotated all admin API keys to protect its customers’ organizations and advised them to generate new keys.

The attack vector was identified as data injection into the commands framework. The company’s Chief Information Security Officer (CISO), Bob Phan, described the attackers as “sophisticated and persistent adversaries with advanced capabilities.” It is worth noting, however, that such a label does not always imply a technically complex attack: many breaches result from relatively simple tactics, such as spear-phishing or the exploitation of known vulnerabilities, that succeed because of lapses in security practice rather than attacker sophistication.

While not explicitly mentioned, the tactics, techniques, and procedures (TTPs) used in this attack likely involve “Phishing” (T1566) for initial access, and “Command and Scripting Interpreter” (T1059) for execution, as per the MITRE ATT&CK framework.

JumpCloud has not yet provided any information on the number of customers impacted by the attack. The company is continuing to enhance its security measures to protect its customers from future threats and is working closely with government and industry partners to share information related to this threat.

JumpCloud released Indicators of Compromise (IoCs) consisting of attacker IP addresses and two SHA256 file hashes.


These IoCs are intended to be loaded into Endpoint Detection and Response (EDR) and perimeter security solutions as additional protection. Do not reach out to these IPs or URLs directly from your company’s infrastructure.
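As an added example (not from the article or from JumpCloud), the following Python script shows one way to operationalise an advisory's indicator list: it refangs indicators published in the "[.]" defanged style and matches them against log lines. The IP addresses, hashes and log lines are constructed placeholders, not the published IoCs.

```python
import re

# Constructed, defanged indicator list in the "[.]" style used in the advisory.
# These are placeholder values, not JumpCloud's published IoCs.
DEFANGED_IPS = ["203.0.113[.]17", "198.51.100[.]42"]
BLOCKED_HASHES = {
    # placeholder SHA256 values, not real indicators
    "0" * 64,
    "f" * 64,
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")

def scan_logs(lines, ip_iocs, hash_iocs):
    """Return (line_number, indicator) pairs for every log line that mentions a known IoC.
    Matching is done on extracted tokens rather than substrings, so 203.0.113.17
    does not fire on 203.0.113.170."""
    ips = {refang(i) for i in ip_iocs}
    hashes = {h.lower() for h in hash_iocs}
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append((n, ip))
        for h in SHA256_RE.findall(line):
            if h.lower() in hashes:
                hits.append((n, h.lower()))
    return hits

# Constructed sample log lines (firewall egress events and an EDR process event).
SAMPLE_LOGS = [
    "2023-07-05T10:02:11Z fw allow src=10.0.4.12 dst=203.0.113.17 dport=443",
    "2023-07-05T10:02:12Z fw allow src=10.0.4.12 dst=203.0.113.170 dport=443",
    "2023-07-05T10:03:40Z edr proc=update.exe sha256=" + "F" * 64,
    "2023-07-05T10:04:01Z fw allow src=10.0.4.13 dst=93.184.216.34 dport=80",
]

if __name__ == "__main__":
    for n, ioc in scan_logs(SAMPLE_LOGS, DEFANGED_IPS, BLOCKED_HASHES):
        print(f"line {n}: matched IoC {ioc}")
```

Because matching happens on the defender's own log data, the indicators are never contacted from the monitored network.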

This incident serves as a reminder of the advanced capabilities of state-backed actors and the importance of robust security measures, particularly in relation to spear-phishing attacks and command framework security.
