
CloudSEK Employee’s Jira Account Breached, the Network Remains Secure

Altszn.com by Altszn.com
December 9, 2022
in Dark Web


The image shows a Dell laptop on top of a white counter.
Cybercriminals acquired Jira credentials from a compromised laptop at CloudSEK. The network remains secure.
Source: Unsplash

Cybercriminals have acquired a CloudSEK employee’s Jira credentials and Confluence documents through malware installed on the employee’s laptop, CloudSEK confirmed in a blog post published to update the public on the breach. According to company sources, the threat actor, sedut, has offered to sell the sensitive CloudSEK information on darknet forums. The compromised information includes XVigil, ProjectX, Codebase, Jira, email, and social media accounts.

Sedut has no reputation on darknet forums, indicating they set up a new account to release CloudSEK’s data. In its blog, CloudSEK refuted many of the cybercriminal’s claims about the extent of the breach. CloudSEK suspects the attack to be the work of a rival cybersecurity firm, as it does not resemble the work of a typical cybercrime group. Back in October, CloudSEK documented a Jira software vulnerability that cybercriminals were actively exploiting in the wild.

CloudSEK’s blog further informed the public that their team is investigating the data breach that occurred after “an employee’s Jira password was compromised…”. They also confirmed that “…the attacker has some internal details like screenshots, bug reports, names of customers, and schema diagrams.” 

Cybercriminals Breached Jira Application, but Couldn’t Do Much Damage 

The image shows a darknet forum selling access to CloudSEK's data. White text on black background.
Despite bold claims, the attacker has released no real data on CloudSEK.
Source: Bleeping Computer

The blog revealed that the security breach dates back to late November 2022. The breach occurred when CloudSEK approached a third-party provider (Axiom) to repair a laptop one of its employees was using. The provider supposedly returned the laptop with a new Windows version and stealer malware (Vidar) installed. Later, in December, posts appeared on darknet forums selling the company’s stolen information. CloudSEK’s database was going for USD 10,000, and the code for USD 8,000.

On further investigating the leak, CloudSEK determined that besides a few purchase orders and some customer information, most claims made by sedut are false — CloudSEK’s database and code are both secure. 

What CloudSEK is admitting, however, is that the cybercriminals accessed Jira tickets and internal Confluence pages. This is also evident from the screenshots on the darknet. The screenshots of Elastic DB, MySQL Schema, and xVigil, were taken from training documents stored on either Jira or Confluence. 

In terms of actual damage, the attackers only managed to compromise the names and purchase orders of three customers — a relatively minor cost compared to other data breaches affecting millions of users. CloudSEK confirms that no customer credentials and VPNs have been compromised, contrary to the attacker’s claims. 

MFA Saves the Day for CloudSEK 

The image shows a laptop keypad with a lock on top, surrounded by swirling colors.
Multi-factor authentication (MFA) is the gold standard in network security. MFA foiled the attackers’ plans.
Source: Unsplash

The stealer malware uploaded the Jira passwords and cookies stored on the company laptop to a darknet marketplace. On the same day, the attacker purchased the logs but couldn’t make use of the other passwords, because the accounts were protected with multi-factor authentication (MFA). This added security step is the gold standard in network security, and for good reason. The attacker then had to resort to using session cookies to restore Jira sessions.
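Replaying a stolen session cookie, as described above, shows up server-side as one session identifier arriving from two different clients. The following is an added example, not code from CloudSEK or the original article, that flags this pattern in web access logs; the log format, the severity labels and the sample lines are constructed assumptions (IPv4 only).

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed log format: timestamp, client IP, sid=<session id>, method, path, "user agent"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) sid=(?P<sid>\S+) [A-Z]+ \S+ "(?P<ua>[^"]*)"$')

# Constructed sample lines (documentation IP ranges, not real incident data).
SAMPLE_LOG = """\
2022-12-05T09:01:12Z 198.51.100.10 sid=A1 GET /browse/OPS-1 "Mozilla/5.0 (Windows NT 10.0) Chrome/107.0"
2022-12-05T09:03:40Z 198.51.100.10 sid=A1 GET /browse/OPS-2 "Mozilla/5.0 (Windows NT 10.0) Chrome/107.0"
2022-12-05T09:04:02Z 203.0.113.77 sid=A1 GET /wiki/spaces/ENG "Mozilla/5.0 (X11; Linux x86_64) Firefox/102.0"
2022-12-05T09:05:15Z 198.51.100.10 sid=A1 GET /browse/OPS-3 "Mozilla/5.0 (Windows NT 10.0) Chrome/107.0"
2022-12-05T09:10:00Z 192.0.2.5 sid=B2 GET /browse/OPS-9 "Mozilla/5.0 (Macintosh) Safari/605.1"
2022-12-05T09:12:30Z 192.0.2.44 sid=B2 GET /browse/OPS-9 "Mozilla/5.0 (Macintosh) Safari/605.1"
not a log line
"""

def same_subnet(a, b, prefix=24):
    """True if IPv4 address b lies in the /prefix network containing a."""
    return ip_address(b) in ip_network(f"{a}/{prefix}", strict=False)

def find_session_reuse(log_text):
    """Return {session_id: severity} for sessions seen from more than one client."""
    seen = defaultdict(list)  # sid -> ordered list of (ip, user agent)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        seen[m["sid"]].append((m["ip"], m["ua"]))
    findings = {}
    for sid, hits in seen.items():
        first_ip, first_ua = hits[0]
        ua_changed = any(ua != first_ua for _, ua in hits)
        ip_moved = any(not same_subnet(first_ip, ip) for ip, _ in hits)
        # Collapse consecutive repeats; a client that reappears after a
        # different one means two parties are using the session in parallel.
        runs = [c for i, c in enumerate(hits) if i == 0 or c != hits[i - 1]]
        interleaved = len(runs) > len(set(runs))
        if ua_changed and ip_moved:
            findings[sid] = "high-concurrent" if interleaved else "high"
        elif ua_changed or ip_moved:
            findings[sid] = "review"  # e.g. roaming user or browser update
    return findings
```

A hit is a reason to revoke the session server-side, since resetting the password alone may leave a stolen cookie valid.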

CloudSEK keeps no sensitive client information, which, alongside MFA, is a surefire way to avoid legal claims and uphold data integrity. The company “doesn’t store critical information about their customers,” states the official blog release. “CloudSEK is a SaaS company whose products leverage public data to provide external threat intelligence in the form of initial access vectors and TTPs. No data from this breach can be used to launch supply chain attacks on customers.”

These robust cybersecurity measures helped save CloudSEK from major financial and reputational damages. In similar cases, cybercriminals waste no time infecting company laptops with all types of malware, spyware, Trojan horses, ransomware, etc., to unleash devastating attacks. 

Access to a company’s hardware allows cybercriminals to choose from an unlimited array of attack vectors. These attacks aren’t available to them when launching online breaches or social engineering scams. A company with compromised devices must scan for other infected endpoint devices and quarantine them to local networks. 

Project Management and Messaging Platforms Are a Risk for Companies

CloudSEK website documenting a Jira software vulnerability. Black text against a white background.
CloudSEK documented a prior Jira vulnerability in 2021.
Source: CloudSEK

Companies often use Jira — an agile management platform for software teams — in tandem with Confluence — a platform for managing written information. Atlassian owns both of these tools. Over 65,000 companies use Jira in integration with other software, and it captures about 36% of the project software management market. 

For many SMBs and corporate enterprises, project management platforms and communication tools are a serious vulnerability in their security apparatus. No matter how secure a network is, cybercriminals, with a little help from an unsuspecting employee, can bring it down like a house of cards with a single share over a messaging platform. 

Similarly, most project management tools aren’t as secure as encrypted applications. Cybercriminals can gain access to project management tools like Jira, Slack, Trello, Asana, ClickUp, Wrike, Monday, etc. Once they have access, they work to socially engineer further information.

Damage Could Have Been Far More Serious

While the cybercriminals did manage to gain access to Jira and Confluence documents, the damage’s extent was limited. In this instance, the fault doesn’t lie with either Jira, Confluence, or any project management tool or messaging application. 

The fault lies with the malicious third-party vendor that installed malware on the CloudSEK employee’s laptop. However, verifying ill intent is hard these days, especially since even established manufacturers like AMI MegaRAC have reported vulnerabilities in their BMC controllers.

In retrospect, the damage could have been much, much worse. MFA saved the day for CloudSEK. And if the attack had been launched by an experienced cybercrime group with expertise in malware installation and network penetration, we would’ve had a different story to write.



Read More: news.google.com
