Digital risk protection firm CloudSEK claims another cybersecurity firm is behind a recent data breach stemming from the compromise of an employee’s Jira account.
As part of a targeted attack, an unknown party used stolen session cookies for employee Jira accounts to access various types of internal data.
Employees did not log in with passwords but through single sign-on (SSO), and email accounts were protected by multi-factor authentication (MFA), so the attackers were able to compromise neither passwords nor email accounts, the company says.
After taking over the accounts, however, the attackers had access to three companies’ customer names and purchase orders, as well as screenshots of their product dashboards. Having also obtained the employee’s VPN and endpoint IP addresses, the attackers searched Confluence pages for credentials.
According to CloudSEK, no customer data, customer logins, or portal credentials were compromised during the incident.
This week, a threat actor using the handle “sedut” created accounts on multiple cybercrime forums and claimed to have access to CloudSEK data, including XVigil, Codebase, emails, Jira, and social media accounts, although the company says this is false.
According to CloudSEK, the screenshots posted by the attacker on cybercrime forums can be traced to Jira/Confluence training pages and Jira tickets.
“All screenshots shared and access claimed by the threat actor can be traced back to Jira tickets and internal Confluence pages. They come from training documents stored in Jira or Confluence,” CloudSEK says.
However, the company admitted that the attackers hijacked the social media accounts used by CloudSEK for takedowns, tweeted from those accounts, and tagged clients and media personnel.
“The attacker has no dark web reputation and created a dark web market account specifically to post CloudSEK-related information. We didn’t have any,” the company said.
CloudSEK also suggests that the attack was orchestrated by a cybersecurity firm.
“We suspect a notorious cybersecurity firm involved in dark web surveillance is behind the attack,” said CloudSEK.
In late November, CloudSEK disclosed an incident in which an employee’s laptop was infected with information-stealing malware (Vidar Stealer) after it was sent to a third-party vendor to fix performance issues.
“Stealer log malware uploaded the employee machine’s passwords/cookies to a dark web marketplace. The attacker purchased the logs on the same day and used the session cookie to restore the Jira session,” CloudSEK said at the time.
However, the incidents may not be related, and the company is investigating how the attacker (sedut) obtained a second employee’s session cookies.
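The attack chain described above (an infostealer exfiltrates a browser session cookie, the buyer replays it and inherits an already-authenticated Jira session without ever touching SSO or MFA) leaves a detectable trace: the cookie is presented by a client that is not the one that completed the login. The Python below is an added example, not code from the article or from CloudSEK; the log format, the field names (ts, event, user, sid, ip, ua) and the sample events are constructed assumptions for illustration and are not real Jira or CloudSEK logs. It records the client fingerprint seen at each SSO login and flags later requests on the same session that arrive from a different fingerprint, plus sessions that are used without any login ever being observed.

```python
"""Detect replay of stolen session cookies from authentication/request logs."""
import json
from datetime import datetime

# Constructed sample log (one JSON object per line). Not real data: the
# field names and values are assumptions made for this example.
SAMPLE_LOG = """\
{"ts": "2022-12-06T09:01:00Z", "event": "sso_login", "user": "alice", "sid": "s1", "ip": "203.0.113.10", "ua": "Chrome/108 Windows"}
{"ts": "2022-12-06T09:05:00Z", "event": "request", "user": "alice", "sid": "s1", "ip": "203.0.113.10", "ua": "Chrome/108 Windows", "path": "/browse/SEC-1"}
{"ts": "2022-12-06T13:40:00Z", "event": "request", "user": "alice", "sid": "s1", "ip": "198.51.100.77", "ua": "Firefox/107 Linux", "path": "/browse/SEC-2"}
{"ts": "2022-12-06T10:00:00Z", "event": "sso_login", "user": "bob", "sid": "s2", "ip": "203.0.113.22", "ua": "Safari/16 macOS"}
{"ts": "2022-12-06T10:02:00Z", "event": "request", "user": "bob", "sid": "s2", "ip": "203.0.113.22", "ua": "Safari/16 macOS", "path": "/wiki/spaces/ENG"}
{"ts": "2022-12-06T11:00:00Z", "event": "request", "user": "carol", "sid": "s3", "ip": "192.0.2.9", "ua": "Chrome/108 Windows", "path": "/secure/Dashboard.jspa"}
"""


def parse_events(text):
    """Parse one JSON object per line and return the events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def fingerprint(ev):
    """The client attributes bound to a session at login time."""
    return {"ip": ev["ip"], "ua": ev["ua"]}


def find_replayed_sessions(events):
    """Return one alert per (session, reason) for suspicious cookie use.

    Two failure modes are reported:
    - "fingerprint_mismatch": a request presents a session cookie from a
      client other than the one that completed SSO. A purchased stealer log
      replayed from the attacker's machine looks exactly like this.
    - "no_login_observed": a session is used although no SSO login for it
      appears in the log window, so the cookie predates the window or was
      injected from outside the normal login flow.
    """
    origin = {}      # sid -> fingerprint recorded at sso_login
    seen = set()     # (sid, reason) already alerted, to avoid duplicates
    alerts = []

    def alert(ev, reason, changed):
        key = (ev["sid"], reason)
        if key in seen:
            return
        seen.add(key)
        # An IP change alone is common (VPN exit, roaming); a user-agent
        # change on a live session is the stronger signal.
        severity = "high" if reason == "no_login_observed" or "ua" in changed else "low"
        alerts.append({"sid": ev["sid"], "user": ev["user"], "ts": ev["ts"],
                       "reason": reason, "changed": changed, "severity": severity})

    for ev in events:
        sid = ev["sid"]
        if ev["event"] == "sso_login":
            origin[sid] = fingerprint(ev)
            continue
        if ev["event"] != "request":
            continue
        if sid not in origin:
            alert(ev, "no_login_observed", [])
            continue
        current = fingerprint(ev)
        changed = [k for k in ("ip", "ua") if current[k] != origin[sid][k]]
        if changed:
            alert(ev, "fingerprint_mismatch", changed)
    return alerts


if __name__ == "__main__":
    for a in find_replayed_sessions(parse_events(SAMPLE_LOG)):
        print(f"{a['ts'].isoformat()} sid={a['sid']} user={a['user']} "
              f"{a['reason']} changed={a['changed']} severity={a['severity']}")
```

On the sample data this flags session s1 (used from a new IP and a new browser hours after alice's login, the replay pattern) and s3 (used without any observed login), while bob's session s2 stays quiet. In a real deployment the login fingerprint would be stored by the identity provider or a reverse proxy rather than inferred from logs, and the same comparison can be enforced server-side by invalidating the session and forcing a fresh SSO round trip instead of merely raising an alert; short session lifetimes limit how long a purchased cookie stays usable in the first place.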