JumpCloud was hit by North Korean hackers looking to steal crypto

Representational image depecting cybersecurity protection

(Image credit: Shutterstock)

American enterprise software firm JumpCloud has confirmed the data breach it recently suffered was dealt by the hands of the infamous Lazarus Group.

The North Korean state-sponsored actors managed to use the successful breach to target several JumpCloud clients but according to the firm, the attack was contained before any serious damage could be done.

The cloud storage firm had reported suffering a cyberattack at the hands of “a sophisticated nation-state sponsored threat actor”. The attacker, the company said, engaged in spear phishing, which gave it access to its endpoints. Even though JumpCloud did not immediately find any evidence of impact on customers, it refreshed important credentials and rebuilt compromised infrastructure.

Targeting customers

Further investigation uncovered that in early July 2023, there was “unusual activity in the commands framework for a small set of customers”. Soon afterwards, the company released more details about the incident from which cybersecurity researchers Mandiant identified the attackers as Lazarus. At the same time, researchers from both SentinelOne and CrowdStrike came to the same conclusion.

“We can also report that we identified and CrowdStrike confirmed the nation-state actor involved was North Korea. Importantly, fewer than 5 JumpCloud customers were impacted and fewer than 10 devices total were impacted, out of more than 200,000 organizations who rely on the JumpCloud platform for a variety of identity, access, security, and management functions. All impacted customers have been notified directly,” Bob Phan, JumpCloud CISO said in an announcement.

> FBI says North Korean Lazarus group was behind huge crypto theft

> Fake Crypto.com job offers targeting developers and artists to spread malware

> These are the best firewalls right now

Lazarus Group is a well-known threat actor working for the North Korean government. The group is usually after companies dealing with cryptocurrencies.

"Mandiant assesses with high confidence that this is a cryptocurrency-focused element within the DPRK's Reconnaissance General Bureau (RGB), targeting companies with cryptocurrency verticals to obtain credentials and reconnaissance data," Senior Incident Response Consultant Austin Larsen told BleepingComputer.

"This is a financially motivated threat actor that we’ve seen increasingly target the cryptocurrency industry and various blockchain platforms."

Check out the best endpoint protection services

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.