SecurityWeek

Cloud Security

CloudSEK Blames Hack on Another Cybersecurity Company

Digital risk protection company CloudSEK claims that another cybersecurity firm is behind a recent data breach resulting from the compromise of an employee’s Jira account.

As part of the targeted cyberattack, an unknown party used session cookies for the employee’s Jira account to gain access to various types of internal data.

Because the employee signed in through single sign-on (SSO) rather than with a password, and because the employee's email account was protected by multi-factor authentication (MFA), the attacker was unable to compromise either the password or the mailbox, CloudSEK says. A valid session cookie sidesteps both controls: it is issued only after SSO and MFA have already completed, so whoever presents it is treated as the authenticated user until the session expires or is revoked.

However, using the hijacked session, the attacker did access customer names and purchase orders for three companies, as well as screenshots of product dashboards. VPN and endpoint IP addresses were also accessed, and the attacker searched Confluence pages for credentials.

No customer data, customer login information, or credentials used on the portal were compromised during the incident, CloudSEK says.

This week, a threat actor going by the name of ‘sedut’ created accounts on several cybercrime forums, claiming to have access to CloudSEK data, including XVigil, Codebase, email, Jira, and social media accounts, but the company says these claims are false.

In fact, CloudSEK says, the screenshots that the attacker has posted on the cybercrime forums can be traced to Jira/Confluence training pages and to Jira tickets.

“All the screenshots and purported accesses shared by the threat actor can be traced back to Jira Tickets and internal Confluence pages. Even the screenshots of Elastic DB, MySQL database schema, and XVigil/PX are from training documents stored on Jira or Confluence,” CloudSEK says.


However, the company admitted that the attacker took over a social media account that CloudSEK uses for takedowns, and then tweeted from that account, tagging clients and media representatives.

“The attacker has zero reputation on dark web and created the dark web market account specifically to post CloudSEK-related information. No ransom was demanded from CloudSEK, nor were there any signs of a typical cybercrime group,” the company says.

CloudSEK also notes that the attack appears to have been orchestrated by a cybersecurity firm.

“We suspect a notorious cybersecurity company that is into dark web monitoring behind the attack. The attack and the indicators connect back to an attacker with a notorious history of using similar tactics we have observed in the past,” CloudSEK notes.

In late November, CloudSEK disclosed an incident where an employee’s laptop was infected with an information stealer (Vidar Stealer) after being sent to a third-party vendor to resolve performance issues.

“The stealer log malware uploaded the passwords/cookies on the employee’s machine to a dark web marketplace. The attacker purchased the logs the same day. The attacker was unable to use the other passwords due to MFA. Hence he used the session cookies to restore Jira sessions,” CloudSEK said at the time.

However, the incidents might not be related, and the company is still investigating how the attacker (sedut) gained access to the second employee’s session cookies.
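The mechanism CloudSEK describes, a stealer-exported cookie replayed to "restore" a Jira session, leaves a trace in the application's access logs: the same session identifier appears with a client fingerprint (IP address, user agent) that differs from the one that authenticated, often from outside the corporate network, and sometimes long after the session should have been invalidated. The script below is an added example written for this article, not CloudSEK's or Atlassian's code. The log format, the corporate VPN range (10.8.0.0/16), the 12-hour session lifetime, and every log line are constructed assumptions for illustration.

```python
"""Flag replayed Jira/Confluence session cookies in access logs (added example).

Groups events by session identifier and reports sessions that change client
fingerprint, move off the corporate network, or outlive the lifetime the SSO
policy is supposed to enforce. Session values are hashed before reporting so
the finding itself does not carry a usable cookie.
"""
import hashlib
import ipaddress
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not from the article): the VPN/office range and session lifetime.
CORPORATE_NETS = [ipaddress.ip_network("10.8.0.0/16")]
MAX_SESSION_AGE = timedelta(hours=12)

# Constructed sample lines, not real CloudSEK or Atlassian logs. Assumed format:
# <ISO timestamp> <user> <client-ip> <session-cookie> "<user-agent>"
SAMPLE_LOG = """\
2022-12-05T09:02:11Z alice 10.8.14.22 JSESSIONID=3f9a1c "Mozilla/5.0 (Windows NT 10.0) Chrome/108.0"
2022-12-05T09:40:53Z alice 10.8.14.22 JSESSIONID=3f9a1c "Mozilla/5.0 (Windows NT 10.0) Chrome/108.0"
2022-12-05T19:17:08Z alice 203.0.113.77 JSESSIONID=3f9a1c "Mozilla/5.0 (X11; Linux x86_64) Firefox/107.0"
2022-12-05T09:15:40Z bob 10.8.31.9 JSESSIONID=c07be2 "Mozilla/5.0 (Macintosh) Safari/605.1"
2022-12-06T08:00:02Z bob 10.8.31.9 JSESSIONID=c07be2 "Mozilla/5.0 (Macintosh) Safari/605.1"
2022-12-05T10:05:00Z carol 10.8.2.140 JSESSIONID=9d41aa "Mozilla/5.0 (Windows NT 10.0) Edge/108.0"
2022-12-05T11:30:12Z carol 10.8.2.140 JSESSIONID=9d41aa "Mozilla/5.0 (Windows NT 10.0) Edge/108.0"
"""


def parse_line(line):
    """Split one log line into a dict; the cookie is replaced by a short hash."""
    ts, user, ip, cookie, ua = shlex.split(line)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "ip": ipaddress.ip_address(ip),
        "session": hashlib.sha256(cookie.encode()).hexdigest()[:12],
        "ua": ua,
    }


def is_corporate(ip):
    return any(ip in net for net in CORPORATE_NETS)


def find_replayed_sessions(log_text, max_age=MAX_SESSION_AGE):
    """Return one finding per suspicious session, with the reasons it tripped."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            events[ev["session"]].append(ev)

    findings = []
    for session, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        first = evs[0]
        reasons = []
        # 1. Same cookie, different (IP, user agent): a second machine presenting it.
        if len({(str(e["ip"]), e["ua"]) for e in evs}) > 1:
            reasons.append("fingerprint_change")
        # 2. Session opened on the corporate network, later used from outside it.
        if is_corporate(first["ip"]) and any(not is_corporate(e["ip"]) for e in evs[1:]):
            reasons.append("off_network_use")
        # 3. Cookie still accepted past the lifetime SSO is supposed to enforce.
        if evs[-1]["ts"] - first["ts"] > max_age:
            reasons.append("session_age_exceeded")
        if reasons:
            findings.append({
                "user": first["user"],
                "session": session,
                "reasons": reasons,
                "first_seen": first["ts"].isoformat(),
                "last_ip": str(evs[-1]["ip"]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_replayed_sessions(SAMPLE_LOG):
        print(finding)
```

On the constructed input, alice's session is flagged for both a fingerprint change and off-network use (the pattern a replayed stealer cookie produces), bob's only for outliving the assumed 12-hour lifetime, and carol's not at all. VPN reconnects and browser updates also change fingerprints, so treat the first two checks as triage signals to correlate with the identity provider's sign-in log rather than as verdicts; the third check is the one worth turning into policy, since a cookie that stays valid for days is what makes a stealer log bought "the same day" still useful.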

Related: Leaked Algolia API Keys Exposed Data of Millions of Users

Related: California County Says Personal Information Compromised in Data Breach

Related: Toyota Discloses Data Breach Impacting Source Code, Customer Email Addresses

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
