The JumpCloud Attack: What We Know So Far

user profile
Co-Founder & CTO

In a recent cybersecurity incident, North Korean hackers targeted JumpCloud, an enterprise software company. Mandiant, CrowdStrike and SentinelOne attributed the breach to North Korea’s Reconnaissance General Bureau (RGB), a unit known for its attacks on cryptocurrency firms and stealing passwords from executives and security teams.

The original response came from Mandiant, a cybersecurity firm assisting one of JumpCloud’s affected customers. The hackers, termed “UNC4899” by Mandiant, made a critical mistake by exposing their real-world IP addresses during the cyberattack, which would usually be masked by VPNs. This error exposed their operations emanating from Pyongyang. 

On July 12, JumpCloud released some details of the attack. They confirmed that five of its corporate customers and around ten devices were impacted by the incident. After the attack was detected in June, JumpCloud reset its customer API keys. Other cybersecurity firms, including SentinelOne and CrowdStrike, also confirmed North Korea’s involvement in the attack. Despite enhancements to threat actor capabilities by North Korean hackers, Mandiant’s CTO Charles Carmakal pointed out that the hackers also made mistakes that aided in attributing several intrusions to them.

On July 20, JumpCloud CISO Bob Phan released a statement confirming the location of the malicious actors. He also mentioned that JumpCloud is cooperating with the federal government and CrowdStrike to continue the response and mitigation of future incidents. Finally, on July 24, Mandiant released details of its response, including a detailed explanation of the threat actor’s strategy and how they were exposed.

Cycode’s head of research, Alex Ilgayev, commented the following:

“The attack’s most interesting aspect, which is yet unknown, is how the attacker exploited JumpCloud’s infrastructure to execute code on its clients. It is yet another case proving the importance of tools and procedures protecting an organization’s software delivery pipeline, one of its most crucial aspects. Our industry has developed standards, such as the ‘Secure Software Development Framework’ (SSDF) by NIST and the ‘Supply-chain Levels for Software Artifacts’ (SLSA), built specifically for this purpose. By implementing guardrails to protect software artifact integrity, these attacks could have been mitigated, even by nation-state actors.”

What is a Software Supply Chain Attack?

A software supply chain attack is a kind of cyberattack wherein a hacker infiltrates a system through an outside partner or service provider with access to systems and data. This can occur at any point along the software supply chain, including (more and more) during the software development process.

The target of these attacks is typically the software being developed and its users. Attackers can manipulate the software by inserting malicious code into it, often at its source, in the code repository or build process, to name two examples. When the compromised software gets distributed and installed by the end users, it can provide the attacker with a range of capabilities. These can include data exfiltration, remote control, or further lateral movement within the network.

One of the most widely-known examples of such an attack is the SolarWinds incident from 2020, wherein suspected Russian hackers inserted malicious code into the software update process of the SolarWinds Orion platform, an IT monitoring and management software. This allowed them to access the networks of thousands of organizations around the world, including U.S. government agencies. 

Although JumpCloud’s attack only affected a small minority of their customers, they had a vulnerable attack surface liable to this threat. If the hackers had not made an error in failing to mask their IP address, it could have resulted in a longer period being undetected and even greater security consequences. And unfortunately, many large organizations have similar flaws in their software delivery process which they are not even aware of.

How to Prepare Against and Reduce Risks of these Attacks

Enterprise-level companies can significantly reduce the risks of software supply chain attacks like the SolarWinds and JumpCloud incidents by adopting robust cybersecurity measures. The first step is gaining and maintaining a comprehensive understanding of the software supply chain, which involves knowing software vendors, their security practices, and the components used in the software. In addition, firms should keep all software up to date, applying patches promptly to prevent exploitation of known vulnerabilities. Regular security audits, risk assessments, and continuous monitoring can identify potential vulnerabilities and ensure the early detection of any threats.

Additionally, adherence to established security standards such as the SLSA 1.0 (Supply-chain Levels for Software Artifacts) and SSDF (Secure Software Development Framework), the latest best practice standards for software supply chain security compliance, substantially enhance the protection of a company against these attacks. Compliance with these best practices helps companies manage software supply chain security risks, ensuring they employ proven strategies to safeguard their systems. Cybersecurity professionals can guide enterprises through the process of achieving SLSA 1.0 and SSDF standards.

Moreover, partnering with specialized cybersecurity platforms like Cycode can provide additional layers of protection. Cycode helps application security professionals with application security and posture management (ASPM), offering visibility into and remediation of vulnerabilities from code to cloud. Their services include detecting hardcoded secrets, identifying source code leaks, build hardening, performing software composition analysis (SCA), and conducting Static Application Security Testing (SAST) and Application Security Orchestration and Correlation (ASOC). Cycode can help secure the software supply chain, not just from malicious third-party attacks, but also from potential insider threats, code tampering, and other vulnerabilities. Learn more here, or schedule a time to talk to a cybersecurity expert.

Originally published: August 9, 2023