Future Tech

JumpCloud says 'nation state' gang hit some customers

Tan KW
Publish date: Wed, 19 Jul 2023, 04:02 PM

JumpCloud says a "sophisticated nation-state" attacker broke into its IT systems and targeted some of its customers.

The identity and access management provider, particularly popular with sysadmins wrangling Macs on corporate networks, said it first discovered signs of an intrusion on June 27. The biz at the time determined persons unknown got "unauthorized access to a specific area of our infrastructure" using a "sophisticated spear-phishing campaign" that began five days prior.

JumpCloud, again at that time, didn't have any evidence that customer data or accounts were affected, and to be safe rotated its credentials, rebuilt the compromised infrastructure, and "took a number of other actions to further secure our network and perimeter," CISO Bob Phan penned in a postmortem this month.

The company also hired an incident response firm and called in law enforcement to assist with its investigation of the intrusion, Phan said. Then JumpCloud got the bad news.

At 0335 UTC on July 5, the biz spotted "unusual activity in the commands framework for a small set of customers," Phan wrote. In response, it performed forced rotation of all admin API keys 20 hours later and began working with affected customers.

"Continued analysis uncovered the attack vector: data injection into our commands framework," according to the writeup. "The analysis also confirmed suspicions that the attack was extremely targeted and limited to specific customers." This is hardly reassuring, since it indicates a highly focussed attack crew.

JumpCloud did not respond to The Register's questions about the snafu, including what kinds of customers were targeted and how many of them were affected, what data was accessed in the attack, who was responsible for the break-in, and what the miscreants' motivation appeared to be. 

A spokesperson instead sent the following statement:

In addition to the incident report, JumpCloud also published indicators of compromise (IOCs) that it observed. It says it will update the list, which includes IP addresses, domain names, and cryptographic hashes of stuff that the attackers used, if it finds further evidence.
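Matching a published IOC list against your own telemetry is the practical step the paragraph above implies for affected customers. The following is an added example, not code from JumpCloud or The Register: the IOC values (RFC 5737 test addresses, an example.net host and a made-up digest) and the log lines are constructed placeholders, and the extraction regexes are deliberately simple.

```python
"""Scan constructed log lines for constructed indicators of compromise.

Three indicator kinds are covered, mirroring the categories named in the
article: IP addresses, domain names and cryptographic hashes (SHA-256 here).
"""
import re

# Constructed SHA-256-length digest: 64 hex characters, not a real artifact hash.
CONSTRUCTED_HASH = "c0ffee" * 10 + "0000"

# Constructed IOC set. These are placeholders, not JumpCloud's published values.
IOCS = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "domain": {"updates.example.net"},
    "sha256": {CONSTRUCTED_HASH},
}

# Constructed log lines standing in for a commands/API audit trail.
LOGS = [
    "2023-07-05T10:15:12Z commands-api user=admin@corp.example "
    "src=203.0.113.45 action=create_command",
    "2023-07-05T10:16:01Z agent host=mac-042 "
    "download url=https://updates.example.net/pkg.bin sha256=" + CONSTRUCTED_HASH,
    "2023-07-05T10:20:00Z commands-api user=ops@corp.example "
    "src=192.0.2.10 action=list_commands",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def extract_candidates(line: str) -> dict:
    """Pull every IP, domain-like token and 64-hex-char token out of one line."""
    return {
        "ip": set(IPV4_RE.findall(line)),
        "domain": {d.lower() for d in DOMAIN_RE.findall(line)},
        "sha256": {h.lower() for h in SHA256_RE.findall(line)},
    }


def domain_matches(candidate: str, ioc_domains: set) -> bool:
    """A candidate hits if it equals an IOC domain or is a subdomain of one."""
    return any(candidate == d or candidate.endswith("." + d) for d in ioc_domains)


def match_line(line: str, iocs: dict = IOCS) -> list:
    """Return sorted (kind, value) pairs for every IOC found in the line."""
    found = extract_candidates(line)
    hits = []
    for ip in sorted(found["ip"] & iocs["ip"]):
        hits.append(("ip", ip))
    for dom in sorted(found["domain"]):
        if domain_matches(dom, {d.lower() for d in iocs["domain"]}):
            hits.append(("domain", dom))
    for digest in sorted(found["sha256"] & {h.lower() for h in iocs["sha256"]}):
        hits.append(("sha256", digest))
    return hits


def scan_logs(lines, iocs: dict = IOCS) -> list:
    """Return (line_index, kind, value) for every hit across all lines."""
    results = []
    for idx, line in enumerate(lines):
        for kind, value in match_line(line, iocs):
            results.append((idx, kind, value))
    return results


if __name__ == "__main__":
    for idx, kind, value in scan_logs(LOGS):
        print(f"line {idx}: {kind} indicator {value}")
```

The subdomain rule in `domain_matches` is a design choice: indicator lists usually name a parent domain, and callbacks often go to hosts beneath it, so a plain equality check would miss them. Exact matching is kept for IPs and hashes, where a partial match carries no meaning.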

The JumpCloud security breach follows a series of other high-profile attacks by nation-state sponsored gangs including a Zimbra email bug under exploit, likely by Russian spies, and an alleged China-based group's attack on Microsoft's hosted email services. ®

https://www.theregister.com//2023/07/18/jumpcloud_commands_hacking/