One of the JumpCloud customers compromised by last month’s cyberattack was a U.S.-based software firm that ultimately had four macOS devices targeted by a cryptocurrency-seeking APT actor, according to Mandiant research released Monday.
The incident response firm hasn’t observed any data theft and “there is no evidence to suggest cascading compromise,” Mark Golembiewski, incident response manager at Mandiant, a unit of Google Cloud, said via email.
“Mandiant does not have full visibility into all downstream victims of this supply chain attack,” Golembiewski said. “However, where we have visibility, we have not identified any successful cryptocurrency theft as part of this campaign.”
Targeted credentials and reconnaissance data allowed Mandiant to attribute the attack to a North Korea-linked threat actor it tracks as UNC4899. The financially motivated APT actor likely corresponds with the group federal authorities identify as TraderTraitor, Mandiant said.
JumpCloud’s incident response partner CrowdStrike identifies the prolific threat actor as Labyrinth Chollima, a sub-group of Lazarus that has been active since at least 2009.
The threat actor’s tactics, techniques and procedures were novel and reflect the evolution and increased sophistication of North Korea-linked APT actors as they target cryptocurrency assets via supply chain attacks and macOS systems, Golembiewski said.
JumpCloud, an identity and access management provider, previously said the impact of the cyberattack was limited to fewer than five customers and fewer than 10 devices. If those numbers hold, Mandiant’s incident response efforts with one of the victims span at least 40% of all devices compromised by the attack.
JumpCloud did not respond to questions or a request for new details that may have emerged since its most recent security incident update Thursday.
Mandiant observed the threat actor’s order of operations during its analysis of the four targeted macOS devices, including file creation, modification and permission changes.
“Initial access was gained by compromising JumpCloud and inserting malicious code into their commands framework. In at least one instance, the malicious code was a lightweight Ruby script that was executed via the JumpCloud agent,” Mandiant said in a blog post.
“The script contained instructions to download and execute a second-stage payload,” Mandiant said. “Within 24 hours of gaining initial access to systems in the victim environment, the threat actor deployed additional backdoors and established persistence via plists. The initial payloads and second stage backdoors were removed from the system.”
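A defender-side check that follows from the persistence detail above, added here as an example and not code from Mandiant or JumpCloud: it parses launchd plists and flags jobs that were written inside an incident window or that execute a program from a user-writable staging directory. The sample plists, labels, paths and the incident timestamp are constructed, not indicators from the incident.

```python
"""Parse launchd plists and flag persistence written inside an incident window
or executing from a user-writable staging directory. Sample plists, labels,
paths and timestamps below are constructed, not indicators from the incident."""
import plistlib
from datetime import datetime, timedelta
# Locations an unprivileged process can write to; a launchd job whose program
# lives here is worth a closer look during response.
STAGING_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

def parse_job(raw: bytes) -> dict:
    """Extract the fields of a launchd plist that matter for persistence."""
    p = plistlib.loads(raw)
    args = p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else [])
    return {"label": p.get("Label", ""), "program": args[0] if args else "",
            "auto_start": bool(p.get("RunAtLoad")) or bool(p.get("KeepAlive"))}

def audit(plists, incident_start, window=timedelta(hours=24)):
    """plists: iterable of (path, mtime, raw_bytes). Returns a list of findings."""
    findings = []
    for path, mtime, raw in plists:
        job = parse_job(raw)
        reasons = []
        if incident_start <= mtime <= incident_start + window:
            reasons.append("written inside incident window")
        if job["program"].startswith(STAGING_DIRS):
            reasons.append("executes from user-writable staging directory")
        if reasons and job["auto_start"]:
            reasons.append("auto-starts via RunAtLoad/KeepAlive")
        if reasons:
            findings.append({"path": path, "label": job["label"],
                             "program": job["program"], "reasons": reasons})
    return findings
def make_plist(label, args, run_at_load=True) -> bytes:
    """Build a minimal launchd plist (used only to construct the sample)."""
    return plistlib.dumps({"Label": label, "ProgramArguments": args,
                           "RunAtLoad": run_at_load})

# Constructed sample: one long-standing vendor agent, one job dropped in the window
# under an Apple-looking label that points at a hidden file in /private/tmp.
T0 = datetime(2023, 6, 27, 12, 0)  # hypothetical incident start, not from the article
SAMPLE = [
    ("/Library/LaunchAgents/com.example.updater.plist", T0 - timedelta(days=90),
     make_plist("com.example.updater", ["/Applications/Example.app/Contents/MacOS/updater"])),
    ("/Users/alice/Library/LaunchAgents/com.apple.softwareupdate.plist", T0 + timedelta(hours=3),
     make_plist("com.apple.softwareupdate", ["/private/tmp/.cache/agent", "--daemon"])),
]

if __name__ == "__main__":
    for f in audit(SAMPLE, T0):
        print(f["path"], "->", f["program"], "|", "; ".join(f["reasons"]))
```

On a live host the same `audit` can be fed the contents and mtimes of `/Library/LaunchAgents`, `/Library/LaunchDaemons` and each user's `~/Library/LaunchAgents`.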
The attack against JumpCloud and some of its customers and the multitiered supply chain attack against Trading Technologies and 3CX in April exemplify a cascading effect, Mandiant said. Threat actors are gaining access to service providers to compromise downstream victims.