Digital risk protection company CloudSEK claims that another cybersecurity firm is behind a recent data breach resulting from the compromise of an employee’s Jira account.
As part of the targeted cyberattack, an unknown party used session cookies for the employee’s Jira account to gain access to various types of internal data.
Because the employee logged in through single sign-on (SSO) rather than with a password, and because the email account was protected by multi-factor authentication (MFA), the attacker was unable to compromise either the password or the email, CloudSEK says. A replayed session cookie is presented only after authentication has already completed, so neither control was exercised when the attacker restored the Jira session.
However, after taking over the account, the attacker did access customer names and purchase orders for three companies, as well as screenshots of the product dashboards. VPN and endpoint IP addresses were also accessed, and the attacker searched Confluence pages for credentials.
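The attack described above works because a valid session cookie is accepted without any login event, so SSO and MFA never see the attacker. The detection that follows is an added example, not CloudSEK's or Atlassian's code: it binds each session identifier to the client context (source IP and User-Agent) seen when the session was first used and flags later requests that present the same session from a different context, or that use a session older than a maximum lifetime. The log format, usernames, IP addresses and session identifiers are constructed for illustration.

```python
"""Detect session-cookie replay in web-application access logs.

Added example; not code from CloudSEK or from Jira. A stolen session
cookie bypasses SSO and MFA entirely, so the check keys on the session
itself rather than on the login event: each session ID is bound to the
client context it was last seen with, and a change of context (or a
session kept alive past max_age) raises an alert.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Request = namedtuple("Request", "ts user session ip ua")

# Constructed sample log (hypothetical format):
# "<iso-timestamp> <user> <session-id> <source-ip> <user-agent>"
# Lines 3-4 model the same session replayed from a new host and browser.
SAMPLE_LOG = """\
2022-12-05T09:02:11Z alice JSESSION-4f1c 203.0.113.10 Firefox/107
2022-12-05T09:05:42Z alice JSESSION-4f1c 203.0.113.10 Firefox/107
2022-12-05T13:48:03Z alice JSESSION-4f1c 198.51.100.77 Chrome/108
2022-12-05T13:49:30Z alice JSESSION-4f1c 198.51.100.77 Chrome/108
2022-12-05T14:10:00Z bob JSESSION-a9e2 192.0.2.44 Chrome/108
"""


def parse_log(text):
    """Parse the constructed log format into Request tuples."""
    requests = []
    for line in text.splitlines():
        ts, user, session, ip, ua = line.split(None, 4)
        # Accept the trailing 'Z' on older Python versions.
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        requests.append(Request(ts, user, session, ip, ua))
    return requests


def find_session_replay(requests, max_age=timedelta(hours=12)):
    """Return (timestamp, user, session, reason) alerts.

    A session is bound to the (ip, ua) pair it was last seen with; a request
    that presents the same session from a different pair is reported once,
    after which the binding moves to the new context so a persistent
    attacker does not generate one alert per request. The first-seen time
    is kept separately to enforce max_age.
    """
    first_seen = {}   # session id -> timestamp of first use
    last_ctx = {}     # session id -> (ip, ua) most recently observed
    alerts = []
    for r in requests:
        if r.session not in last_ctx:
            first_seen[r.session] = r.ts
            last_ctx[r.session] = (r.ip, r.ua)
            continue
        ip, ua = last_ctx[r.session]
        reasons = []
        if r.ip != ip:
            reasons.append(f"ip {ip}->{r.ip}")
        if r.ua != ua:
            reasons.append(f"ua {ua}->{r.ua}")
        if r.ts - first_seen[r.session] > max_age:
            reasons.append("session older than max_age")
        if reasons:
            alerts.append((r.ts.isoformat(), r.user, r.session, "; ".join(reasons)))
        last_ctx[r.session] = (r.ip, r.ua)
    return alerts


if __name__ == "__main__":
    for alert in find_session_replay(parse_log(SAMPLE_LOG)):
        print("ALERT", *alert)
```

Binding a session to source IP alone produces false positives for users on mobile networks or behind changing NAT pools; in practice the context would also include a TLS or device fingerprint, and the response to an alert is to invalidate the session server-side and force re-authentication, which is the only control that actually defeats a replayed cookie.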
No customer data, customer login information, or credentials used on the portal were compromised during the incident, CloudSEK says.
This week, a threat actor going by the name of ‘sedut’ has created accounts on several cybercrime forums, claiming to have access to CloudSEK data, including XVigil, Codebase, email, Jira, and social media accounts, but the company says these claims are false.
In fact, CloudSEK says, the screenshots that the attacker has posted on the cybercrime forums can be traced to Jira/Confluence training pages and to Jira tickets.
“All the screenshots and purported accesses shared by the threat actor can be traced back to Jira tickets and internal Confluence pages. Even the screenshots of Elastic DB, MySQL database schema, and XVigil/PX are from training documents stored on Jira or Confluence,” CloudSEK says.
However, the company admitted that the attacker took over a social media account that CloudSEK uses for takedowns, and then tweeted from that account, tagging clients and media representatives.
“The attacker has zero reputation on dark web and created the dark web market account specifically to post CloudSEK-related information. No ransom was demanded from CloudSEK, nor were there any signs of a typical cybercrime group,” the company says.
CloudSEK also notes that the attack appears to have been orchestrated by a cybersecurity firm.
“We suspect a notorious cybersecurity company that is into dark web monitoring behind the attack. The attack and the indicators connect back to an attacker with a notorious history of using similar tactics we have observed in the past,” CloudSEK notes.
In late November, CloudSEK disclosed an incident where an employee’s laptop was infected with an information stealer (Vidar Stealer) after being sent to a third-party vendor to resolve performance issues.
“The stealer log malware uploaded the passwords/cookies on the employee’s machine to a dark web marketplace. The attacker purchased the logs the same day. The attacker was unable to use the other passwords due to MFA. Hence he used the session cookies to restore Jira sessions,” CloudSEK said at the time.
However, the incidents might not be related, and the company is still investigating how the attacker (sedut) gained access to the second employee’s session cookies.
Ionut Arghire is an international correspondent for SecurityWeek.