JumpCloud, a software company providing a platform for organizations to manage users, devices, and access to IT resources, recently faced a security incident. The company has identified the incident as a state-sponsored attack targeting a small number of specific customers.
The attackers gained access to JumpCloud’s systems through a spear phishing campaign, leading to the company rotating all admin API keys as a precautionary measure.
Details of the Attack
The spear phishing campaign, which led to the breach, took place on June 22. JumpCloud detected suspicious activity on an internal system five days later, on June 27. At that point, the company reported no visible consequences for customers. As a response to the detected activity, JumpCloud decided to rebuild the affected infrastructure and change login details.
However, on July 5, the company observed suspicious activity in the “commands framework” of a small number of customers. The exact number of affected customers has not been specified by JumpCloud. Upon discovering this activity, the decision was made to rotate the API keys.
Resources
- Get the IOC from JumpCloud (Link)
