North Korean Hackers Targeted US Cryptocurrency Companies
Last Updated : 07/20/2023 18:02:02

According to security researchers at SentinelOne, CrowdStrike and Mandiant, US-based enterprise software company JumpCloud was breached by hackers from North Korea's Lazarus Group.

In a report published Thursday (20th July 2023), SentinelOne senior threat researcher Tom Hegel linked the North Korean threat group to the JumpCloud hack based on multiple indicators of compromise the company shared in a recent incident report.

"Reviewing the newly released compromise indicators, we associate a cluster of threat activities to North Korean state-sponsored APT," Hegel said.

"The IOCs are connected to a wide variety of activities that we attribute to the DPRK, centered on the supply chain targeting approach seen in previous campaigns."

Cybersecurity firm CrowdStrike officially attributed the intrusion to Labyrinth Chollima (a group whose activity overlaps with Lazarus Group, ZINC and Black Artemis) based on evidence obtained while investigating the attack in collaboration with JumpCloud.

"One of their primary goals is to generate revenue for the regime. I don't think this is the last we'll see of North Korean supply chain attacks this year," Adam Meyers, vice president of CrowdStrike Intelligence, told Reuters.

Mandiant also pinned the attack on a North Korean threat actor known for targeting cryptocurrency firms.

"Mandiant anticipates with high confidence that this is a cryptocurrency-focused element within the DPRK's Reconnaissance General Bureau (RGB), targeting companies in the cryptocurrency vertical to obtain evidence and intelligence data," said Austin Larsen, senior incident response consultant.
"This is a financially motivated threat actor that we've seen increasingly target the cryptocurrency industry and various blockchain platforms."

Larsen said the attackers had already hit a downstream victim after breaching JumpCloud, suggesting that there are currently other victims involved in the fallout from the JumpCloud attack.

The hacking group has been active since at least 2009, more than a decade, and is known for attacks on high-profile targets around the world, including banks, government agencies and media organizations.
The FBI linked the Lazarus Group attackers to the breach of Axie Infinity's Ronin Network bridge, the largest cryptocurrency hack ever, in which a record $620 million in Ethereum was stolen.

In April, Mandiant said another North Korean threat group, tracked as UNC4736, was behind the cascading supply chain attack that hit VoIP firm 3CX in March. UNC4736 is related to the Lazarus group behind Operation AppleJeus, which Google TAG connected to the compromise of the Trading Technologies website and, through it, of a 3CX developer.


JumpCloud confirms hack by APT group


On June 27, JumpCloud discovered that "a sophisticated nation-state sponsored threat actor" had breached its systems through a spear-phishing attack. Although there was no immediate evidence of customer impact, JumpCloud proactively rotated credentials and rebuilt the compromised infrastructure as a precautionary measure.

During the investigation, on July 5, JumpCloud identified "unusual activity within the framework of commands for a few customers." Collaborating with incident response partners and law enforcement, it analyzed logs for signs of malicious activity and forcibly rotated all administrative API keys.
In an advisory published on July 12th, JumpCloud shared details of the incident and released indicators of compromise (IOCs) to help partners secure their networks against attacks from the same group.

As of now, JumpCloud has not disclosed the number of customers affected by the attack and has not attributed the APT group behind the breach to a specific state.

In January, the company also revealed that it was looking into the impact of the CircleCI security incident on its users.

Headquartered in Louisville, Colorado, JumpCloud operates a directory-as-a-service platform that provides single sign-on and multi-factor authentication services to more than 180,000 organizations in more than 160 countries.

-- BleepingComputer