
CloudSEK Blames Hack on Another Cybersecurity Company

Digital risk protection company CloudSEK claims that another cybersecurity firm is behind a recent data breach resulting from the compromise of an employee’s Jira account.

As part of the targeted cyberattack, an unknown party used session cookies for the employee’s Jira account to gain access to various types of internal data.

Because the user never used a password for login, but relied on single sign-on (SSO) instead, and because his email was protected with multi-factor authentication (MFA), the attacker was unable to compromise the password or the email, CloudSEK says.

However, after taking over the account, the attacker did access customer names and purchase orders for three companies, as well as screenshots of the product dashboards. VPN and endpoint IP addresses were also accessed, and the attacker searched Confluence pages for credentials.

No customer data, customer login information, or credentials used on the portal were compromised during the incident, CloudSEK says.

This week, a threat actor going by the name ‘sedut’ created accounts on several cybercrime forums, claiming to have access to CloudSEK data, including XVigil, Codebase, email, Jira, and social media accounts, but the company says these claims are false.

In fact, CloudSEK says, the screenshots that the attacker has posted on the cybercrime forums can be traced to Jira/Confluence training pages and to Jira tickets.

“All the screenshots and purported accesses shared by the threat actor can be traced back to Jira Tickets and internal confluence pages. Even the screenshots of Elastic DB, mySQL database schema, and XVigil/PX are from training documents stored on Jira or Confluence,” CloudSEK says.

However, the company admitted that the attacker took over a social media account that CloudSEK uses for takedowns, and then tweeted from that account, tagging clients and media representatives.

“The attacker has zero reputation on dark web and created the dark web market account specifically to post CloudSEK-related information. No ransom was demanded from CloudSEK, nor were there any signs of a typical cybercrime group,” the company says.

CloudSEK also notes that the attack appears to have been orchestrated by a cybersecurity firm.

“We suspect a notorious cybersecurity company that is into dark web monitoring behind the attack. The attack and the indicators connect back to an attacker with a notorious history of using similar tactics we have observed in the past,” CloudSEK notes.

In late November, CloudSEK disclosed an incident where an employee’s laptop was infected with an information stealer (Vidar Stealer) after being sent to a third-party vendor to resolve performance issues.

“The stealer log malware uploaded the passwords/cookies on the employee’s machine to a dark web marketplace. The attacker purchased the logs the same day. The attacker was unable to use the other passwords due to MFA. Hence he used the session cookies to restore Jira sessions,” CloudSEK said at the time.

However, the incidents might not be related, and the company is still investigating how the attacker (sedut) gained access to the second employee’s session cookies.


Ionut Arghire is an international correspondent for SecurityWeek.
