uTalk

thrive

Member

Registered: 2023-01-04

Posts: 2,018

State-Sponsored North Korean Hackers Suspected in JumpCloud Supply

In a manner reminiscent of the supply chain attack against 3CX, an analysis of the indicators of compromise (IoCs) linked to the JumpCloud hack has uncovered evidence pointing to the involvement of North Korean state-sponsored groups.

SentinelOne, which mapped out the infrastructure related to the intrusion to find underlying patterns, provided the findings. It's important to note that JumpCloud blamed an unidentified "sophisticated nation-state sponsored threat actor" for the attack last week. ".

Tom Hegel, a security researcher at SentinelOne, told The Hacker News that North Korean threat actors exhibit a high degree of ingenuity and strategic awareness in their targeting techniques. The research's conclusions show that these actors used a successful and multifaceted strategy to infiltrate developer environments. ".

They actively look for networks and tools that can open doors to bigger opportunities. Prior to engaging in theft with a financial motivation, they frequently carry out multiple levels of supply chain intrusions.
".

According to Reuters, in a related development, CrowdStrike, which is collaborating with JumpCloud to investigate the incident, has linked the attack to a North Korean actor going by the stage name Labyrinth Chollima, a sub cluster of the notorious Lazarus Group.

According to the news agency, the infiltration was used as a "springboard" to target cryptocurrency companies, indicating an effort on the part of the adversary to generate illegitimate income for the country under sanctions.

The revelations also line up with a low-volume social engineering campaign that GitHub has identified. This campaign uses a combination of malicious npm package dependencies and repository invitations to target the personal accounts of employees of technology companies. These accounts are related to the blockchain, cryptocurrency, or online gambling industries.

The North Korean hacker collective known as Jade Sleet (also known as TraderTraitor), which the Microsoft subsidiary tracks, was blamed for the campaign.

According to GitHub's Alexis Wales, "Jade Sleet primarily targets users associated with cryptocurrency and other blockchain-related organizations, but it also targets vendors used by those firms.".

The attack chains entail creating phony accounts on GitHub and other social media platforms like LinkedIn, Slack, and Telegram, though in some instances the threat actor is thought to have taken over real accounts.

Jade Sleet contacts the targets while posing as someone else, asks them to collaborate on a GitHub repository, and then tricks them into cloning and running its contents. This decoy software contains malicious npm dependencies that serve as first-stage malware, downloading and executing second-stage payloads on the compromised machine.

According to GitHub, the malicious npm packages are a part of a campaign that first came to light last month when Phylum described a supply chain threat involving a special execution chain that uses two false modules to fetch an unknown piece of malware from a remote server.

According to SentinelOne's most recent analysis, 144.217.
92[.
The JumpCloud attack's associated IP address, ]197, resolves to npmaudit[. ]com, one of the eight websites that GitHub has identified as being used to download the second-stage malware. 23.29 is a different IP address.
115[.
171 maps to the npm-pool. ]org.

Hegel said that it was clear that North Korean threat actors were constantly adapting and looking into new ways to infiltrate specific networks. The JumpCloud intrusion serves as an excellent example of their propensity for supply chain targeting, which opens up a wide range of potential future intrusions. ".

Hegel continued, "The DPRK exhibits a profound understanding of the advantages derived from meticulously choosing high-value targets as a pivot point to conduct supply chain attacks into productive networks.