Software Firm JumpCloud Attacked by Nation-State Actors

Enterprise software firm JumpCloud said a sophisticated nation-state threat actor is behind a security incident that targeted some of its customers last week.

See Also: OnDemand | Understanding Human Behavior: Tackling Retail’s ATO & Fraud Prevention Challenge

The company, which operates a zero-trust directory platform that authenticates, authorizes and manages users, devices and applications, JumpCloud reset all of its API keys, potentially affecting thousands of customers including Cars.com and GoFundMe.

Nick Rago, field CTO at Salt Security, said the API key reset could affect operations, management and administration of single sign-on, MFA, password management, device management and more related to the Jumpcloud platform.

“Because thousands of organizations rely on this platform for the management of these critical services, the customer impact is severe,” Rago said.

The unnamed nation-state actor gained unauthorized access to Jumpcloud systems and targeted a small and specific set of its customers on June 27, the company said.

“We discovered anomalous activity on an internal orchestration system, which we traced back to a sophisticated spear-phishing campaign perpetrated by the threat actor on June 22, said Bob Phan, chief information security officer at JumpCloud. “That activity included unauthorized access to a specific area of our infrastructure,”

JumpCloud discovered unusual activity in its commands framework for a small set of customers on July 5 and performed “a force-rotation of all admin API keys.” JumpCloud said it has mitigated the attack vector for the hack, and it notified and worked with the impacted customers. The firm also activated its incident response plan and informed law enforcement on its investigation and steps designed to make its systems and customers’ operations secure.

“Out of an abundance of caution, we rotated credentials, rebuilt infrastructure and took a number of other actions to further secure our network and perimeter,” the company said. “Continued analysis uncovered the attack vector: data injection into our commands framework. The analysis also confirmed suspicions that the attack was extremely targeted and limited to specific customers.”

Phan added that these sophisticated and persistent adversaries have advanced capabilities, so defenders need to share information and collaborate.

“We will continue to enhance our own security measures to protect our customers from future threats and will work closely with our government and industry partners to share information related to this threat,” Phan said.

Once a threat actor gains access to an API key, they can compromise the administration and configuration of key directory and identity services for an organization. Several companies depend on cloud-based service provider APIs to manage key critical infrastructure and business-driving services every day.

“This incident serves as a reminder that organizations should ask their cloud service providers for an option to lock down API access to their account from a limited whitelist of locations to limit any risk of an adversary causing harm if they accessed a privileged API key,” Rago said.

JumpCloud has a global user base of more than 200,000 organizations, with more than 5,000 paying customers including Cars.com, GoFundMe, Grab, ClassPass, Uplight, Beyond Finance, and Foursquare. It raised over $400M from world-class investors including Sapphire Ventures, General Atlantic, Sands Capital, Atlassian and CrowdStrike.

In April, JumpCloud announced it is partnering with Google Cloud on a new joint offering that enables businesses to combine Google Workspace with the open directory platform provided by JumpCloud to strengthen their security and how they manage hybrid workforces.