Researchers Link The JumpCloud Cyber Attack To UNC4899


Researchers tracking the JumpCloud cyber attack have identified the threat group that compromised the U.S.-based software company through what appeared to be a spearphishing campaign.

Researchers at Mandiant attributed the intrusions to UNC4899, an actor linked to the Democratic People’s Republic of Korea (DPRK) with a history of targeting companies in the cryptocurrency vertical.

According to the Mandiant research report, the JumpCloud cyber attack by UNC4899 affected fewer than five customers and fewer than 10 devices in total.

JumpCloud cyber attack by UNC4899

JumpCloud is a cloud-based directory-as-a-service platform that provides identity, device and access management, among other services.

The company confirmed, and has been updating users on, the JumpCloud cyber attack, which was discovered on June 27, 2023.

The unauthorized access to a specific area of its infrastructure took place on June 22.

Unusual activity was later discovered in the commands framework for a limited set of customers, the company blog stated about the JumpCloud cyber attack by UNC4899.

To limit further damage from the JumpCloud cyber attack by UNC4899, the company issued alerts to customers, including a request to block the following malicious IP addresses. Note that, as reproduced here, each address has only three octets (the first octet is missing), so the list cannot be used for blocking as printed and should be taken from the company's own advisory:

  1. 254.24.19
  2. 152.67.39
  3. 39.103.3
  4. 187.75.186
  5. 223.86.8

How the supply chain attack on JumpCloud was executed

Besides attributing the JumpCloud cyber attack to UNC4899, Mandiant noted that this group is financially motivated and focused on cryptocurrency theft.

Other DPRK groups, including the financially motivated cluster tracked as TraderTraitor, are also suspected of having a hand in the JumpCloud cyber attack.

[Image: JumpCloud cyber attack by UNC4899 (Photo: Mandiant)]

A malicious Ruby script executed through the JumpCloud agent was the delivery mechanism for the payload. Evidence of its execution was found in the JumpCloud agent log at /private/var/log/jcagent.log.

The systems targeted in the JumpCloud cyber attack by UNC4899 were four macOS Ventura systems running version 13.3 or 13.4.1. In the course of the investigation Mandiant identified new forensic artifacts related to Apple’s XProtect Behavioral Service.

The signing identifiers recorded for the payloads, namely the exec_signing_id field in the XProtect Behavioral Service database (XPdb), yielded three unique signing identifiers for the malicious files. They were:

  • mac-555549440ea0d64e96bb34428e08cc8d948b40e7
  • p-macos-55554944c2a6eb29a7bc3c73acdaa3e0a7a8d8c7
  • securityd-555549440fca1d2f1e613094b0c768d393f83d7f

Stating that the hackers leveraged JumpCloud to gain access to the environment, the Mandiant blog read, “On multiple systems, XPdb entries for the malware contained the parent process of the JumpCloud agent, further evidence that the threat actor leveraged JumpCloud to gain initial access to victim environments.”
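As a triage example added here (not code from Mandiant, JumpCloud or the incident itself), the script below checks the two host artifacts named above: it queries an XPdb-style SQLite table for the three signing identifiers and reports whether the parent process was the JumpCloud agent, and it scans jcagent.log lines for command-framework executions that invoked a Ruby interpreter. The XPdb table layout, the agent path /opt/jc/bin/jumpcloud-agent, the parent signing identifier, the file paths in the sample rows and the jcagent.log line format are all assumptions; the sample database and log lines are constructed inline so the script runs offline.

```python
"""Hunt for JumpCloud-agent-delivered payloads using the artifacts named on the page.

Added example, not code from Mandiant or JumpCloud. The XPdb schema used here is an
ASSUMPTION (a minimal stand-in for the XProtect Behavioral Service database); confirm
the real table layout on a live system before reusing the query.
"""
import re
import sqlite3
from typing import Dict, List

# Signing identifiers reported for the malicious files (exec_signing_id in the XPdb).
MALICIOUS_SIGNING_IDS = {
    "mac-555549440ea0d64e96bb34428e08cc8d948b40e7",
    "p-macos-55554944c2a6eb29a7bc3c73acdaa3e0a7a8d8c7",
    "securityd-555549440fca1d2f1e613094b0c768d393f83d7f",
}

# Assumption: path of the JumpCloud agent binary, used to recognise "parent is the agent".
JUMPCLOUD_AGENT_PATH = "/opt/jc/bin/jumpcloud-agent"


def build_sample_xpdb() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the XPdb (assumed schema, constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE events (
               ts TEXT, exec_path TEXT, exec_signing_id TEXT,
               parent_exec_path TEXT, parent_exec_signing_id TEXT)"""
    )
    rows = [  # sample data; paths and parent signing id are invented for illustration
        ("2023-06-27T10:01:00Z", "/Applications/Safari.app/Contents/MacOS/Safari",
         "com.apple.Safari", "/sbin/launchd", "com.apple.xpc.launchd"),
        ("2023-06-27T10:02:11Z", "/Library/Application Support/.update/mac",
         "mac-555549440ea0d64e96bb34428e08cc8d948b40e7",
         JUMPCLOUD_AGENT_PATH, "com.jumpcloud.jumpcloud-agent"),
        ("2023-06-27T10:09:45Z", "/Library/Application Support/.update/securityd",
         "securityd-555549440fca1d2f1e613094b0c768d393f83d7f",
         "/Library/Application Support/.update/mac",
         "mac-555549440ea0d64e96bb34428e08cc8d948b40e7"),
    ]
    conn.executemany("INSERT INTO events VALUES (?,?,?,?,?)", rows)
    return conn


def hunt_xpdb(conn: sqlite3.Connection) -> List[Dict[str, object]]:
    """Return XPdb rows whose signing identifier is known-bad, ordered by time,
    flagging rows whose parent process was the JumpCloud agent (initial-access path)."""
    placeholders = ",".join("?" * len(MALICIOUS_SIGNING_IDS))
    cur = conn.execute(
        f"SELECT ts, exec_path, exec_signing_id, parent_exec_path FROM events "
        f"WHERE exec_signing_id IN ({placeholders}) ORDER BY ts",
        tuple(sorted(MALICIOUS_SIGNING_IDS)),
    )
    return [
        {
            "ts": ts,
            "exec_path": path,
            "exec_signing_id": sid,
            "parent_exec_path": parent,
            "via_jumpcloud_agent": parent == JUMPCLOUD_AGENT_PATH,
        }
        for ts, path, sid, parent in cur
    ]


# Constructed jcagent.log lines; the real log format is not documented on the page.
SAMPLE_JCAGENT_LOG = """\
2023-06-27 10:01:58 INFO command received id=cmd-1 type=mac
2023-06-27 10:02:10 INFO executing command id=cmd-1 interpreter=/usr/bin/ruby script=/tmp/init.rb
2023-06-27 10:02:11 INFO command id=cmd-1 exit=0
2023-06-27 11:00:00 INFO executing command id=cmd-2 interpreter=/bin/bash script=/tmp/inventory.sh
"""

# Matches an "executing command" line whose interpreter is a Ruby binary.
RUBY_EXEC = re.compile(r"executing command .*interpreter=(\S*ruby\S*) script=(\S+)")


def find_ruby_commands(log_text: str) -> List[Dict[str, str]]:
    """Flag command-framework executions in jcagent.log that invoked Ruby."""
    found = []
    for line in log_text.splitlines():
        m = RUBY_EXEC.search(line)
        if m:
            found.append({"line": line, "interpreter": m.group(1), "script": m.group(2)})
    return found


if __name__ == "__main__":
    for hit in hunt_xpdb(build_sample_xpdb()):
        print("XPdb hit:", hit)
    for cmd in find_ruby_commands(SAMPLE_JCAGENT_LOG):
        print("Ruby via agent:", cmd["script"])
```

On a real host the connection would point at the actual XPdb file and the log text would come from /private/var/log/jcagent.log; the two functions are kept separate so each can be pointed at its own artifact. A match in the XPdb with the agent as parent is the stronger signal, since it ties the signed payload directly to the JumpCloud-delivered execution path.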

FSEvents records gave insight into the removal of payloads and other files that had existed on disk, detailing the creation, modification, permission changes, renaming, and deletion of files.

“Within 24 hours of gaining initial access to systems in the victim environment, the threat actor deployed additional backdoors and established persistence via plists,” the blog further added.
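To illustrate the persistence check a responder would run after reading that statement, here is an added example (not code from the report or the incident) that triages launchd plists: it parses each plist, extracts the program it launches, and flags entries whose binary sits outside a set of expected system locations, lives in a hidden directory, or carries an Apple-looking label while pointing at an untrusted binary. The trusted-prefix list, the labels and the program paths in the sample plists are assumptions constructed for the example; the page gives no details of the actual plists.

```python
"""Triage launchd plists for suspicious persistence entries.

Added example. The sample plists and the TRUSTED_PREFIXES policy are constructed
assumptions, not artifacts from the JumpCloud incident.
"""
import plistlib
from typing import Dict, List

# Assumption: binaries under these prefixes are treated as expected; anything else is flagged.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")

# Constructed launchd plists keyed by the path they would be found at on disk.
SAMPLE_PLISTS: Dict[str, bytes] = {
    "/Library/LaunchDaemons/com.example.inventory.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.inventory</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/inventory</string><string>--daily</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>""",
    "/Library/LaunchAgents/com.apple.securityd.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.securityd.helper</string>
<key>Program</key><string>/Library/Application Support/.update/securityd</string>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>""",
}


def triage_plist(path: str, data: bytes) -> Dict[str, object]:
    """Parse one launchd plist and decide whether it looks like attacker persistence."""
    plist = plistlib.loads(data)
    program = plist.get("Program")
    args = plist.get("ProgramArguments") or []
    if program is None and args:
        program = args[0]  # launchd runs ProgramArguments[0] when Program is absent
    label = plist.get("Label", "")
    # Hidden directory anywhere in the binary's parent path, e.g. ".update".
    hidden_dir = any(part.startswith(".") for part in (program or "").split("/")[:-1])
    trusted = program is not None and program.startswith(TRUSTED_PREFIXES)
    # Apple-style label used to disguise a binary that does not live in an Apple location.
    apple_label_untrusted = label.startswith("com.apple.") and not trusted
    return {
        "plist": path,
        "label": label,
        "program": program,
        "run_at_load": bool(plist.get("RunAtLoad", False)),
        "suspicious": (not trusted) or hidden_dir or apple_label_untrusted,
    }


def triage_all(plists: Dict[str, bytes]) -> List[Dict[str, object]]:
    """Triage every plist in the mapping, preserving input order."""
    return [triage_plist(p, d) for p, d in plists.items()]


if __name__ == "__main__":
    for result in triage_all(SAMPLE_PLISTS):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['label']:35} -> {result['program']}")
```

On a live system the mapping would be built by reading the files under /Library/LaunchDaemons, /Library/LaunchAgents and each user's ~/Library/LaunchAgents; the heuristic is deliberately conservative and produces candidates for review rather than verdicts, since legitimate third-party software also installs plists outside the trusted prefixes.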

The naming convention of the Ruby script and the second-stage payloads made clear that the attackers took care to make the malicious files look like legitimate files and applications.

STRATOFEAR, a backdoor that receives commands from the C2 servers, was also found. In every case, STRATOFEAR was deployed after FULLHOUSE.DOORED, which served as the first-stage backdoor.

Several samples were collected during the investigation of the JumpCloud cyber attack by UNC4899, including a VMProtect-protected Windows DLL that was also found on VirusTotal. The DLL is assessed to be a Windows variant of STRATOFEAR.

TIEDYE is also believed to have been deployed as a second-stage backdoor by FULLHOUSE.DOORED.

Researchers found that TIEDYE shares similarities with RABBITHUNT, a backdoor written in C++.

UNC4899 is believed to target C-suite executives at fintech and cryptocurrency companies in the United States, Hong Kong, South Korea, and Singapore.

Addressing the overlaps between related DPRK groups, the blog read, “The overlaps in targeting and sharing of infrastructure amongst DPRK groups highlights the continued targeting and coordinated interest in the cryptocurrency field.”
