Security firm CloudSEK reports getting hit with a cyberattack

December 7, 2022

On the 6th of December, security service provider CloudSEK published a detailed report of a cyberattack that had recently hit the company. In the incident, threat actors compromised a staff member's Jira SSO (single sign-on) account and used it to access the company's Confluence pages.

CloudSEK confirms that no internal systems, customer databases or servers were accessed. However, the company admitted that the threat actors obtained internal material, including screenshots, bug reports, customer names and purchase orders, an end user license agreement, an application dashboard, a short company video clip, a digital risk protection platform POC list, domain names and IP addresses, and schema diagrams.


CloudSEK suspects a hacker who has previously set up a CloudSEK-dedicated dark web account.


Based on the security firm’s report, a cybercriminal dubbed ‘sedut’ who had recently joined multiple dark web forums claimed to have access to CloudSEK’s networks. This alleged access is suspected of having compromised the security firm’s XVigil, Codebase, JIRA, email, and social media accounts.

The company also shared comprehensive details about the incident, confirming which of the threat actor's claims were true. The confirmed cases include the threat actors accessing CloudSEK's Jira server, certain customer purchase orders stored on Jira, and a social media account used for takedown actions.

On the other hand, the security firm dismissed several of the threat actor’s claims, including access to its VPN, customer databases, internal servers, ElasticSearch database, GitLab, Bitbucket, GitHub access, XVigil, and Project X platforms.

Furthermore, the investigation shows that the compromise of the staff member's Jira account involved the attackers stealing their session cookies, which led to an account takeover. CloudSEK's security team investigated how the attackers obtained those session cookies, since presenting a valid cookie allowed them to use the Jira account without authenticating themselves.

According to the firm's investigation, the unauthorised access to the Jira account began when the employee experienced a laptop performance issue caused by an installed Vidar stealer. This stealer malware collected data from the laptop, including session cookies, and its logs were then posted for sale on a dark web marketplace.
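The defensive lesson of this chain is that a stolen session cookie is replayed from a machine the session was never established on. The following is an added example (not code from CloudSEK or from the original article) that checks an assumed application access log for a session identifier reappearing with a different client fingerprint; the field names and the log entries are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Constructed sample access log (illustrative only): alice's session is first used
# from her own laptop, then the same cookie is presented an hour later from a
# different IP and browser; bob's session stays on one client throughout.
SAMPLE_LOG: List[Dict] = [
    {"ts": 1670300000, "session": "s1", "user": "alice", "ip": "203.0.113.10",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Firefox/107.0"},
    {"ts": 1670300060, "session": "s1", "user": "alice", "ip": "203.0.113.10",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Firefox/107.0"},
    {"ts": 1670301000, "session": "s2", "user": "bob", "ip": "203.0.113.20",
     "ua": "Mozilla/5.0 (Macintosh) Safari/605.1"},
    {"ts": 1670301500, "session": "s2", "user": "bob", "ip": "203.0.113.20",
     "ua": "Mozilla/5.0 (Macintosh) Safari/605.1"},
    {"ts": 1670303600, "session": "s1", "user": "alice", "ip": "198.51.100.77",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Chrome/108.0"},
]

Fingerprint = Tuple[str, str]  # (source IP, User-Agent)


def find_session_replays(events: List[Dict]) -> List[Dict]:
    """Return one alert per event where a known session id is presented from a
    client fingerprint that differs from the one it was first seen with.

    A change of both IP and User-Agent is rated 'high' (typical of a cookie
    replayed from another machine); a change of only one field is 'medium',
    since a roaming user or a browser update can produce that legitimately.
    """
    first_seen: Dict[str, Fingerprint] = {}
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        fp: Fingerprint = (ev["ip"], ev["ua"])
        sid = ev["session"]
        if sid not in first_seen:
            first_seen[sid] = fp  # bind the session to the client that created it
            continue
        orig = first_seen[sid]
        if fp == orig:
            continue
        changed = sum(1 for a, b in zip(orig, fp) if a != b)
        alerts.append({"user": ev["user"], "session": sid, "ts": ev["ts"],
                       "original": orig, "observed": fp,
                       "severity": "high" if changed == 2 else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_LOG):
        print(alert)
```

The same binding check can be enforced at the SSO or application layer, so that a cookie presented from an unfamiliar client is rejected or forced through re-authentication rather than only logged.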

CloudSEK stated that all screenshots and alleged access presented by the attackers trace back to the compromised Jira user account and Confluence pages. Customers were assured that their critical information remains secure and that no data involved in the breach can be used for supply chain attacks.
