A state-sponsored spear-phishing attack on JumpCloud highlights the importance of strong third-party risk management (TPRM). The identity-as-a-service provider believes it was the victim of a sophisticated breach by a nation-state actor, which then went after a small number of specific customers.
JumpCloud is being praised for doing all the right things. In this week’s Secure Software Blogwatch, we wonder what we can learn.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Vulcan food contradictions.
It’s TPRM time
What’s the craic? Rory Bathgate reports — “JumpCloud reveals nation-state hackers breached internal systems”:
Identity and access management firm JumpCloud has revealed its recent ‘security incident’ was an attack by a state-sponsored threat actor … which it linked to a spear phishing attack. … Affected customers are also believed to have been specifically targeted by the threat actor.
When did this happen? Sergiu Gatlan clarifies the timeline — “JumpCloud discloses breach”:
“Force-rotates all admin API keys”
JumpCloud … discovered the incident on June 27, one week after the attackers breached its systems. … On July 5, JumpCloud … force-rotates all admin API keys to protect customer organizations. … JumpCloud has yet to provide any information on the number of customers impacted by the attack and hasn't linked the APT group behind the breach with a specific state.
What else do we know about the perps? Not a lot, says Carly Page — “JumpCloud says nation-state hackers breached its systems”:
JumpCloud … hasn’t said how it determined nation-state hackers were behind the intrusion … but said the threat actor is “sophisticated … with advanced capabilities.” [It] hasn’t named the state-backed group. [And it] hasn’t responded to a request for comment.
The exact number of affected customers, and the types of organizations targeted, remains unknown. [It] provides its software to more than 180,000 organizations and counts more than 5,000 paying customers [including] Cars.com, GoFundMe, Grab, ClassPass, Uplight, Beyond Finance and Foursquare.
How did it go down, from a customer PoV? fastest963 sounds happy enough:
We have recently switched to JumpCloud and have been very happy. The biggest selling point for us has been their ability to support Mac, Windows, and Linux with a single pane of glass.
They've been very transparent. They automatically rotated API keys, which I presume was how the attackers were accessing the platform, and recommended rotating all SSO certs. Having a vulnerability that led to command runner access is not a great look but they've handled the aftermath very well.
Here’s a more nuanced reaction from ctilsie242:
JumpCloud provides a lot of authentication for a lot of companies. Because of this, it is assumed that they are going to be hit by nation states, and they are going to need to prepare for that.
None of this is rocket science. … A nation-state is going to hack an AAA provider, just like people will be trying to break into Fort Knox — because that is where the gold is stored.
Security needs to be done right. At least props to JumpCloud for catching the breach and being open about it.
And bsplosion agrees:
Their response to this penetration seems to be the responsible, correct approach. … Any vendor in this space is going to have a massive target on their back. And it seems like they were keenly aware of this and had robust response measures in place, along with plenty of auditable traces everywhere that allowed for a quick identification of targeted customers.
I never like one of my vendors getting breached, but this is almost an ideal response (at least based on what we know) and it won't negatively affect my opinion of their services.
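Two points in the comments above are worth making concrete: fastest963's note that the rotated API keys were presumably the attackers' access path, and bsplosion's point that auditable traces let JumpCloud quickly identify which customers were targeted. The script below is an added example, not JumpCloud's code or log format: it takes a constructed JSON-lines admin-API audit log (field names are assumed), builds a per-key baseline of source addresses seen before the compromise window, and flags in-window admin-API calls from sources a key had never used, grouping the hits by customer organization and then looking for a source address shared across organizations. The window dates come from the timeline quoted above (roughly a week of access before discovery on June 27, 2023).

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of an identity-provider admin-API audit log in JSON-lines
# form. The schema is an assumption for this example, not JumpCloud's real
# log format. Events before the compromise window form each key's baseline.
SAMPLE_AUDIT_LOG = """
{"ts": "2023-06-10T09:12:00Z", "org": "acme",    "api_key": "key-acme-1",    "src_ip": "203.0.113.10", "action": "list_users"}
{"ts": "2023-06-12T14:30:00Z", "org": "acme",    "api_key": "key-acme-1",    "src_ip": "203.0.113.10", "action": "update_policy"}
{"ts": "2023-06-11T08:00:00Z", "org": "globex",  "api_key": "key-globex-1",  "src_ip": "198.51.100.7", "action": "list_users"}
{"ts": "2023-06-22T02:15:00Z", "org": "acme",    "api_key": "key-acme-1",    "src_ip": "192.0.2.99",   "action": "run_command"}
{"ts": "2023-06-22T02:17:00Z", "org": "acme",    "api_key": "key-acme-1",    "src_ip": "192.0.2.99",   "action": "create_api_key"}
{"ts": "2023-06-23T10:00:00Z", "org": "globex",  "api_key": "key-globex-1",  "src_ip": "198.51.100.7", "action": "list_users"}
{"ts": "2023-06-24T03:40:00Z", "org": "initech", "api_key": "key-initech-1", "src_ip": "192.0.2.99",   "action": "run_command"}
{"ts": "2023-06-28T11:00:00Z", "org": "acme",    "api_key": "key-acme-1",    "src_ip": "203.0.113.10", "action": "list_users"}
"""

# Compromise window, taken from the reported timeline: attackers were inside
# about a week before discovery on June 27, 2023.
BREACH_START = datetime(2023, 6, 20, tzinfo=timezone.utc)
DISCOVERY = datetime(2023, 6, 27, tzinfo=timezone.utc)

# Actions that change state or reach customer devices. A new source running
# these matters more than a read-only call from a new source.
HIGH_IMPACT_ACTIONS = {"run_command", "create_api_key", "update_policy"}


def parse_events(log_text):
    """Parse JSON-lines audit events and sort them by timestamp."""
    events = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def baseline_sources(events, before):
    """Source IPs seen per API key strictly before the compromise window."""
    seen = defaultdict(set)
    for ev in events:
        if ev["ts"] < before:
            seen[ev["api_key"]].add(ev["src_ip"])
    return seen


def find_targeted_orgs(log_text, start=BREACH_START, end=DISCOVERY):
    """Return {org: [findings]} for in-window admin-API calls made from a
    source address the key had never used before the window."""
    events = parse_events(log_text)
    known = baseline_sources(events, start)
    findings = defaultdict(list)
    for ev in events:
        if not (start <= ev["ts"] < end):
            continue
        if ev["src_ip"] in known[ev["api_key"]]:
            continue  # same source as the key's normal usage; not suspicious alone
        findings[ev["org"]].append({
            "ts": ev["ts"].isoformat(),
            "api_key": ev["api_key"],
            "src_ip": ev["src_ip"],
            "action": ev["action"],
            "high_impact": ev["action"] in HIGH_IMPACT_ACTIONS,
        })
    return dict(findings)


def shared_attacker_sources(findings):
    """Source IPs that show up in findings for more than one org: a pivot
    that ties separately targeted customers to a single operator."""
    orgs_by_ip = defaultdict(set)
    for org, items in findings.items():
        for f in items:
            orgs_by_ip[f["src_ip"]].add(org)
    return {ip: sorted(orgs) for ip, orgs in orgs_by_ip.items() if len(orgs) > 1}


if __name__ == "__main__":
    found = find_targeted_orgs(SAMPLE_AUDIT_LOG)
    for org, items in found.items():
        print(org)
        for f in items:
            print("  ", f)
    print("shared sources:", shared_attacker_sources(found))
```

On the constructed data this singles out acme and initech (run_command and create_api_key from 192.0.2.99 during the window) while globex, whose key only ever called from its usual address, stays clean; the shared address is what would tell a responder that two customers were hit by the same operator. One caveat the code exposes: a key with no pre-window history (key-initech-1 here) has an empty baseline, so every use of it is flagged. In a real investigation you would fall back to an org-level or ASN-level baseline for such keys rather than treat every call as hostile. Either way, the conclusion is the same one fastest963 drew: any admin API key that was live during the window gets rotated regardless of what the log shows, because the log only proves what the attacker did, not what they could have done.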
But why this “nation state” theory? twisteddk does the math:
I would guess JumpCloud rotated their keys because they found out the keys were compromised. And unless JumpCloud stores their private key where a hacker can get to it, they probably assume "nation state" because they believe one or more keys has been brute forced. But … we are probably not hearing all of the story, and we might never hear all of it.
Meanwhile, with a more cynical view, here’s CTG:
At this point I'm so jaded that whenever I read that it was a "sophisticated, nation-state" hack, I immediately think that Marketing wrote the press release to save face, and that it was the most basic, "Enter your Microsoft credentials," phish possible.
As has terrorubic:
“Cloud-based security breach” … Translation: Someone opening an MS-Word email attachment.
You have been reading Secure Software Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or email@example.com. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.