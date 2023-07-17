



A week after issuing a mandatory API key rotation in response to an unspecified incident, cloud provider JumpCloud has revealed that its network was hacked by a nation-state threat actor.

In a blog post last week, JumpCloud CISO Robert Phan said the company initially detected “abnormal activity on an internal orchestration system” on June 27. An investigation traced the activity back to a “sophisticated” spear-phishing campaign on June 22 and found that the malicious actor gained access to a specific but unnamed area of JumpCloud’s infrastructure. Phan said that at the time the company had seen no evidence of impact on customers.

“Out of an abundance of caution, we have rotated credentials, rebuilt infrastructure, and taken a number of other steps to further secure our network and perimeter. Additionally, we have activated our prepared incident response plan and worked with our Incident Response (IR) partner to scan all systems and logs for potential activity,” Phan said in the blog post. JumpCloud has also contacted and engaged law enforcement as part of its IR plan.

Phan said that on July 5 the investigation found “unusual activity in the commands framework for a small set of customers.” As a result, JumpCloud invalidated all API keys for customer administrators and immediately notified customers of the mandatory rotation. “Continued analysis uncovered the attack vector: data injection into our commands framework. The analysis also confirmed suspicions that the attack was extremely targeted and limited to specific customers,” Phan said.

The blog post did not specify what kind of customers were targeted or how those customers were directly affected by the threat activity. While Phan said the breach was the work of “a sophisticated nation-state sponsored threat actor,” JumpCloud did not attribute the attack to any specific country.

It’s unclear why JumpCloud’s July 5 advisory didn’t state that a network breach had been confirmed and only referred to an “ongoing incident,” with no mention of the spear-phishing campaign. TechTarget Editorial contacted JumpCloud, but the company declined to comment further. A company spokesperson instead provided the following statement:

JumpCloud recently experienced a cybersecurity incident that affected a specific small group of our customers. Upon detection of the incident, we immediately took action based on our incident response plan to mitigate the threat, secure our network and perimeter, communicate with our customers, and engage law enforcement. As always, our entire JumpCloud team remains vigilant against new and emerging threats, and we are confident in our robust security controls and staff. We continue to work with our customers and are committed to sharing information about this incident with government agencies and industry professionals. We value our continued partnerships with all of our customers.

Rob Wright is a longtime tech journalist who lives in the Boston area.

Source: https://www.techtarget.com/searchsecurity/news/366544972/JumpCloud-breached-by-nation-state-threat-actor

