Software Firm JumpCloud Attacked by Nation-State Actors
Company Says Hacker Gained Access, Performed Data Injection
Enterprise software firm JumpCloud said a sophisticated nation-state threat actor is behind a security incident that targeted some of its customers last week.
The company, which operates a zero trust directory platform that authenticates, authorizes and manages users, devices and applications, reset all of its API keys, potentially affecting thousands of customers including Cars.com and GoFundMe.
Nick Rago, field CTO at Salt Security, said the API key reset could affect operations, management and administration of single sign-on, MFA, password management, device management and more related to the JumpCloud platform.
"Because thousands of organizations rely on this platform for the management of these critical services, the customer impact is severe," Rago said.
Traced to Spear-Phishing Campaign
The unnamed nation-state actor gained unauthorized access to JumpCloud systems and targeted a small and specific set of its customers on June 27, the company said.
"We discovered anomalous activity on an internal orchestration system, which we traced back to a sophisticated spear-phishing campaign perpetrated by the threat actor on June 22," said Bob Phan, chief information security officer at JumpCloud. "That activity included unauthorized access to a specific area of our infrastructure."
JumpCloud discovered unusual activity in its commands framework for a small set of customers on July 5 and performed "a force-rotation of all admin API keys." JumpCloud said it has mitigated the attack vector, notified and worked with the affected customers, activated its incident response plan and informed law enforcement of its investigation and of the steps taken to secure its systems and customers' operations.
"Out of an abundance of caution, we rotated credentials, rebuilt infrastructure and took a number of other actions to further secure our network and perimeter," the company said. "Continued analysis uncovered the attack vector: data injection into our commands framework. The analysis also confirmed suspicions that the attack was extremely targeted and limited to specific customers."
Phan added that these sophisticated and persistent adversaries have advanced capabilities, so defenders need to share information and collaborate.
"We will continue to enhance our own security measures to protect our customers from future threats and will work closely with our government and industry partners to share information related to this threat," Phan said.
Once a threat actor gains access to an admin API key, they can alter the administration and configuration of an organization's core directory and identity services: users, devices, policies and the commands pushed to managed endpoints. Many organizations depend on cloud service provider APIs every day to manage critical infrastructure and business-driving services, so a leaked privileged key is a direct path to those systems.
"This incident serves as a reminder that organizations should ask their cloud service providers for an option to lock down API access to their account from a limited whitelist of locations to limit any risk of an adversary causing harm if they accessed a privileged API key," Rago said.
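The lockdown Rago describes, enforcing a per-key source-network allowlist and auditing a request log for privileged keys used from anywhere else, as an added example in Python. This is not JumpCloud's code or API; the key identifiers, networks (TEST-NET and documentation ranges), API paths and log lines are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical policy: the networks each privileged API key may be used from.
# Key identifiers and CIDR ranges are constructed; real ones would come from
# the provider's console or your own API gateway configuration.
ALLOWLIST = {
    "key-admin-01": ["203.0.113.0/24", "2001:db8:10::/48"],  # office egress ranges
    "key-ci-02": ["198.51.100.7/32"],                         # a single CI runner
}


@dataclass
class ApiRequest:
    ts: str
    key_id: str
    source_ip: str
    method: str
    path: str


def is_allowed(policy, key_id, source_ip):
    """Default-deny: unknown keys and unparsable addresses are rejected.

    ipaddress handles IPv4 and IPv6 uniformly, and an IPv4 address is never
    'in' an IPv6 network (or vice versa), so mixed policies are safe.
    """
    nets = policy.get(key_id)
    if not nets:
        return False
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def parse_log(lines):
    """Parse constructed gateway log lines of the form
    '<ts> key=<id> src=<ip> <METHOD> <path>'."""
    requests = []
    for line in lines:
        ts, key, src, method, path = line.split()
        requests.append(ApiRequest(ts, key.split("=", 1)[1],
                                   src.split("=", 1)[1], method, path))
    return requests


def audit(policy, requests):
    """Return every request that used a privileged key from outside its allowlist.

    After a key compromise these are the calls to investigate first: they show
    which key was abused and from where, and they would have been blocked had
    the allowlist been enforced at the gateway."""
    return [r for r in requests if not is_allowed(policy, r.key_id, r.source_ip)]


# Constructed sample log; the timestamps are illustrative only.
SAMPLE_LOG = [
    "2023-07-05T10:01:00Z key=key-admin-01 src=203.0.113.44 POST /v1/commands",
    "2023-07-05T10:02:00Z key=key-admin-01 src=192.0.2.99 POST /v1/commands",
    "2023-07-05T10:03:00Z key=key-ci-02 src=198.51.100.7 GET /v1/systems",
    "2023-07-05T10:04:00Z key=key-ci-02 src=198.51.100.8 GET /v1/systems",
    "2023-07-05T10:05:00Z key=key-unknown src=203.0.113.5 DELETE /v1/users",
    "2023-07-05T10:06:00Z key=key-admin-01 src=2001:db8:10::1 PUT /v1/policies",
]


def flagged_requests():
    """Convenience entry point: audit the constructed sample log."""
    return audit(ALLOWLIST, parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for r in flagged_requests():
        print(f"DENY {r.ts} key={r.key_id} src={r.source_ip} {r.method} {r.path}")
```

Three of the six sample requests are flagged: the admin key used from 192.0.2.99, the CI key used from a neighbouring address, and a key that has no policy entry at all. The default-deny choice matters: a rotated or unknown key must fail closed rather than silently inherit a permissive default.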
JumpCloud has a global user base of more than 200,000 organizations and has more than 5,000 paying customers including Cars.com, GoFundMe, Grab, ClassPass, Uplight, Beyond Finance, and Foursquare. It raised over $400 million from world-class investors including Sapphire Ventures, General Atlantic, Sands Capital, Atlassian and CrowdStrike.
In April, JumpCloud announced it is partnering with Google Cloud on a new joint offering that enables businesses to combine Google Workspace with the open directory platform provided by JumpCloud to strengthen their security and how they manage hybrid workforces.