JumpCloud, an IT Firm Serving 200,000 Orgs, Says It Was Hacked By Nation-State (arstechnica.com) 28
An anonymous reader quotes a report from Ars Technica: JumpCloud, a cloud-based IT management service that lists Cars.com, GoFundMe, and Foursquare among its 5,000 paying customers, experienced a security breach carried out by hackers working for a nation-state, the company said last week. The attack began on June 22 as a spear-phishing campaign, the company revealed last Wednesday. As part of that incident, JumpCloud said, the "sophisticated nation-state sponsored threat actor" gained access to an unspecified part of the JumpCloud internal network. Although investigators at the time found no evidence any customers were affected, the company said it rotated account credentials, rebuilt its systems, and took other defensive measures.
On July 5, investigators discovered the breach involved "unusual activity in the commands framework for a small set of customers." In response, the company's security team performed a forced-rotation of all admin API keys and notified affected customers. As investigators continued their analysis, they found that the breach also involved a "data injection into the commands framework," which the disclosure described as the "attack vector." The disclosure didn't explain the connection between the data injection and the access gained by the spear-phishing attack on June 22. Ars asked JumpCloud PR for details, and employees responded by sending the same disclosure post that omits such details. Investigators also found that the attack was extremely targeted and limited to specific customers, which the company didn't name.
JumpCloud says on its website that it has a global user base of more than 200,000 organizations, with more than 5,000 paying customers. They include Cars.com, GoFundMe, Grab, ClassPass, Uplight, Beyond Finance, and Foursquare. JumpCloud has raised over $400 million from investors, including Sapphire Ventures, General Atlantic, Sands Capital, Atlassian, and CrowdStrike. The company has also published a list of IP addresses, domain names, and cryptographic hashes used by the attacker that other organizations can use to indicate if they were targeted by the same attackers. JumpCloud has yet to name the country of origin or other details about the threat group responsible.
On July 5, investigators discovered the breach involved "unusual activity in the commands framework for a small set of customers." In response, the company's security team performed a forced-rotation of all admin API keys and notified affected customers. As investigators continued their analysis, they found that the breach also involved a "data injection into the commands framework," which the disclosure described as the "attack vector." The disclosure didn't explain the connection between the data injection and the access gained by the spear-phishing attack on June 22. Ars asked JumpCloud PR for details, and employees responded by sending the same disclosure post that omits such details. Investigators also found that the attack was extremely targeted and limited to specific customers, which the company didn't name.
JumpCloud says on its website that it has a global user base of more than 200,000 organizations, with more than 5,000 paying customers. They include Cars.com, GoFundMe, Grab, ClassPass, Uplight, Beyond Finance, and Foursquare. JumpCloud has raised over $400 million from investors, including Sapphire Ventures, General Atlantic, Sands Capital, Atlassian, and CrowdStrike. The company has also published a list of IP addresses, domain names, and cryptographic hashes used by the attacker that other organizations can use to indicate if they were targeted by the same attackers. JumpCloud has yet to name the country of origin or other details about the threat group responsible.
Please name the guilty nation (Score:3)
It does not help anyone to not identify who is doing the attacking.
Re:Please name the guilty nation (Score:4, Funny)
It was the Vatican.
Re: Please name the guilty nation (Score:2)
Re: (Score:2)
Re: (Score:1)
It does not help anyone to not identify who is doing the attacking.
JumpCloud/guests shadow.... Nah I'm messing with you I have no idea.
Re:Please name the guilty nation (Score:5, Interesting)
No hacker in his right mind would execute the end point attack from his personal workstation. This is done remotely, or through bot networks controlled by the hacker. So even with the domains and IPs where the attack originated, that is just a transit point, making it very difficult to identify the hacker, or his country of origin by these means.
When people say "nation state" it is because there are some types of attacks that is believed requires sophisticated resources. Presumably some of these resources were detected used in the attack.
However, without knowing the exact customer that was the point of the attack, it will be pure conjecture to guess at a source. But given the fairly low number of governments willing to engage in this type of hybrid warfare, a safe guess would be one of those.
Re: (Score:2)
> Presumably some of these resources were detected used in the attack.
A place where attribution can come from.
Re: (Score:3)
Being "attacked by nation-state actors" should be viewed with the same level of skeptic
Re: (Score:2)
Likely it was a 13yr old kid, but that would be too embarrassing to admit so they try to place the blame on a nameless country instead.
Considering (Score:2)
I remember we were considering going with JumpCloud. What a Cluster-Mistake that would have been, lol. Why do they believe it's a nation-state? None of their employees can fall for non-nation-state spear-phishing attacks? Also, doesn't this put an EXTREMELY large target on your back to be "the company that other companies build their organization trust on"? You'd think they would have been better trained/better prepared for such threats.
I smell BS (Score:3)
How do they know it was "a sophisticated nation-state sponsored threat actor" other than "it must gave been because no ordinary hackers could have done it"?
In particular it's their saying they rotated keys or whatever "out of abudance of caution" after the first "sophisticated" phishing that makes me think they just got hacked like everyone else but don't want to own it.
Re: (Score:3)
I would guess jumpcloud rotated their keys because they found out the keys were compromised. And unless jumpcloud stores their private key where a hacker can get to it, they probably assume "nation state" because they believe one or more keys has been brute forced.
I'm not saying thats the case, or that any random hacker can't have access to a distributed network capable of brute forcing whatever encryption jumpcloud used. But until we know who was the target of the original attack, that would be my guess as
Re: (Score:3)
Well, we are certainly not hearing all of the story. The question is "Why?". My guess is that while the believe that the attack required (support from) a nation state to happen, there isn't definitive evidence as to *which* nation state.
And, of course, it's also true that things that someone believes requires the support of a nation state may not actually require that.
Re: (Score:2)
Probably, they've been working with suitable LEO and other TLAs as part of the incident response. A lot of times there's repeated IOCs that can be correlated with other information (like who else has recently been hacked and what data was pilfered) to put some pretty good probabilities together on the "who" and the "why".
Of course, it's all just probabilities unless the bad guys really F'd up in their operation. So...victims can't name names out loud and have to stick with the same tired generalities.
Cloud-based security breach :o (Score:3)
“sophisticated nation-state sponsored threat actor”
“unusual activity in the commands framework for a small set of customers.”
Translation: Someone opening a msWord email attachment
1 in 40 pay for unicorn farts (Score:2)
"it has a global user base of more than 200,000 organizations, with more than 5,000 paying customers"
1 in 40 customers pay. That doesn't sound like a decent value prop. for the 5000. ... blah blah blah, ... nation state ... rotate API keys ... usual wankery ... jolly sophisticated ... your data is important to us ... free credit scoring or something for all directors of the company. Soz, lol, weez so edgy ... Texan two step liability divestment ... fuck you!
Dreadfully sorry: Nurse, NUUUURSE my dried frog
Bummer, not enough internal zero-trust (Score:1)
The concept of having the source code for your product on your laptop so you can do local builds seems so quaint now.
Nah, it's probably just the ops people.
Really? an IT management service (Score:2)
Re: Really? an IT management service (Score:2)
Isn't this part of their job? (Score:4, Interesting)
JumpCloud provides a lot of authentication for a lot of companies. Because of this, it is assumed that they are going to be hit by nation states, and they are going to need to prepare for that. None of this is rocket science. You can pick up a MPA guide [motionpictures.org] which does an excellent job of going through and listing best practices. One can also use STIGs as a starting place.
None of this is rocket science, and it is going to be assumed that a nation-state is going to hack an AAA provider, just like people will be trying to break into Fort Knox because that is where the gold is stored. This is part of the job, and if a company wants to handle being the security broker for their clients, they are going to have to invest in countermeasures against nation-states, including constant red-teaming and pen-testing by internal and good contractors.
I'm sure Amazon and Microsoft also get targeted by nation-states. They don't gripe about it, as it is a cost of doing business.
Another item to help with spear-phishing: Consider YubiKeys or FIDO tokens. Google [yubico.com] did this, and even though the graph is a few years old, it greatly helped with security.
Security needs to be done right. At least props to Jumpcloud for catching the breach and being open about it.
re: Isn't this part of their job? (Score:2)
JumpCloud provides a lot of authentication for a lot of companies. Because of this, it is assumed that they are going to be hit by nation states, and they are going to need to prepare for that. None of this is rocket science.
This kind of arrogant bullshit aggravates the hell out of me. You think it's simple to protect again state-sponsored hackers? You think all you need to do is follow some "Best Practices" guide? Think again.
As an Administrator, you can follow every best practice, and patch 1,000 vulnerabilities, and it only takes one exploit to knock you over.
Let's consider just one best practice - the timely install of security patches. Do you know what happens when Microsoft releases a security patch? Assume it's for a new
They host GoFundMe? Hope there's damage (Score:1)
GFM has been hosting the "cagnote de la honte" [duckduckgo.com] completely against their own policies, so fuck them.
Comparison
- during the "yellow vests / jackets" protest, Christophe Dettinger [duckduckgo.com] took the defense of a woman who was being beaten on the ground by a cop. He did this bare hand, using his experience of former boxer, against a fully armored robocop (with no brain this one). This was very pleasing
Re: (Score:2)
Things have changed since 1789. As many others, we are internet drug addicts, very good for revolution through keyboard. But that's not going very far.
And those who have the guns, or weapons, now are the police and the hunters, both fascists and on ma€ron's side. Wait, I forgot to count those who are not policemen nor hunters, but are just fascists.
By the way, what's authorizing you to call UN Blue Helmets homo