An analysis of the indicators of compromise (IoCs) associated with the JumpCloud hack has uncovered evidence of the involvement of North Korean state-backed groups, in a manner reminiscent of the supply chain attack targeting 3CX.
The findings, from SentinelOne, map the infrastructure associated with the intrusion to reveal the underlying patterns. It's worth noting that JumpCloud announced last week that the attack was carried out by an unnamed "sophisticated nation-state-sponsored threat actor."
“North Korean threat actors demonstrate a high level of creativity and strategic awareness in their targeting strategies,” SentinelOne security researcher Tom Hegel told The Hacker News. “The findings highlight the success of the multi-pronged approach these attackers employed to compromise development environments.”
“They are actively seeking access to tools and networks that act as gateways to broader opportunities. It is noteworthy that the tendency to
In a related development, CrowdStrike, which is working with JumpCloud to investigate the incident, has identified the North Korean attackers as Labyrinth Chollima, a sub-cluster within the infamous Lazarus Group, according to Reuters. identified an attack on
According to the news agency, the intrusion was used as a "stepping stone" to target cryptocurrency companies, suggesting that the adversary sought to generate illicit revenue for the sanctioned country.
The disclosure also coincides with GitHub identifying a low-volume social engineering campaign that targets the personal accounts of employees of technology companies using a combination of repository invitations and malicious npm package dependencies. The targeted accounts are associated with the blockchain, cryptocurrency, online gambling, or cybersecurity sectors.
The Microsoft subsidiary has linked the campaign to a North Korean hacking group it tracks under the name Jade Sleet (aka TraderTraitor).
"Jade Sleet mostly targets users associated with cryptocurrency and other blockchain-related organizations, but also targets vendors used by those firms," GitHub's Alexis Wales said in a report published on July 18, 2023.
The attack chains involve setting up fake personas on GitHub and other social media services such as LinkedIn, Slack, and Telegram. In some cases, the threat actors are believed to have taken control of legitimate accounts.
Under the assumed persona, Jade Sleet initiates contact with the target, invites them to collaborate on a GitHub repository, and persuades the victim to clone and run its contents. That content downloads and executes a second-stage payload on the infected machine.
According to GitHub, the malicious npm packages are part of a campaign that first surfaced last month, when Phylum detailed a supply chain threat in which two malicious modules were used to fetch previously unknown malware from a remote server.
SentinelOne said in its latest analysis that the IP address 144.217.92[.]197, linked to the JumpCloud attack, resolves to npmaudit[.]com, one of eight domains listed by GitHub as being used to fetch the second-stage malware. A second IP address, 23.29.115[.]171, maps to npm-pool[.]org.
"It's clear that North Korean threat actors are continuously adapting and exploring new techniques to penetrate targeted networks," Hegel said. "The JumpCloud intrusion underscores their propensity to target supply chains, which has spawned numerous potential intrusions that follow."
“North Korea has demonstrated a deep understanding of the benefits that can be gained from carefully selecting high-value targets as the linchpin for conducting supply chain attacks on fruitful networks,” added Hegel.