US-based enterprise software firm JumpCloud was breached by North Korean Lazarus Group hackers, according to security researchers at SentinelOne and CrowdStrike.
In a report published on Thursday, SentinelOne Senior Threat Researcher Tom Hegel linked the North Korean threat group to the JumpCloud hack based on several indicators of compromise shared by the company in a recent incident report.
“Reviewing the newly released indicators of compromise, we associate the cluster of threat activity to a North Korean state sponsored APT,” said Hegel.
“The IOCs are linked to a wide variety of activity we attribute to DPRK, overall centric to the supply chain targeting approach seen in previous campaigns.”
Cybersecurity firm CrowdStrike also formally tagged Labyrinth Chollima (whose activity overlaps with that of Lazarus Group, ZINC, and Black Artemis) as the specific North Korean hacking squad behind the breach, based on evidence found while investigating the attack in collaboration with JumpCloud.
“One of their primary objectives has been generating revenue for the regime. I don’t think this is the last we’ll see of North Korean supply chain attacks this year,” CrowdStrike Vice President for Intelligence Adam Meyers told Reuters.
This hacking group has been active for over a decade, since at least 2009, and is known for attacks against high-profile targets worldwide, including banks, government agencies, and media organizations.
The FBI also linked Lazarus Group attackers to the breach of Axie Infinity’s Ronin network bridge, then the largest cryptocurrency hack ever, which allowed them to steal a record-breaking $620 million in Ethereum.
In September 2019, the U.S. Treasury Department sanctioned three North Korean hacking groups (Lazarus, Bluenoroff, and Andariel).
The U.S. government also offers a $5 million reward for tips on the DPRK hackers’ activity that could help identify or locate them.
On June 27th, JumpCloud discovered an incident in which “a sophisticated nation-state sponsored threat actor” breached its systems via a spear-phishing attack. Although there was no immediate evidence of customer impact, JumpCloud proactively rotated credentials and rebuilt compromised infrastructure as a precautionary measure.
During the investigation, on July 5th, JumpCloud detected “unusual activity in the commands framework for a small set of customers.” Collaborating with incident response partners and law enforcement, it also analyzed logs for signs of malicious activity and force-rotated all admin API keys.
In an advisory published on July 12th, JumpCloud shared details of the incident and released indicators of compromise (IOCs) to help partners secure their networks against attacks from the same group.
As of now, JumpCloud has not disclosed the number of customers impacted by the attack and has not attributed the APT group behind the breach to a specific state.
In January, the company also disclosed that it was investigating the impact of a CircleCI security incident on its customers.
Headquartered in Louisville, Colorado, JumpCloud operates a directory-as-a-service platform providing single sign-on and multi-factor authentication services to over 180,000 organizations across more than 160 countries.