An Indian cyber security firm, CloudSEK, became the victim of a cyber security incident when an unknown threat actor managed to access its Confluence server.
According to CloudSEK’s blog post on the incident, its founder and CEO Rahul Sasi wrote that the hacker used stolen credentials from one of CloudSEK employees’ Jira accounts. Rahul further stated that the threat actor (s) compromised the employee’s Jira password to access the company’s Confluence pages.
Moreover, the hacker accessed some internal data such as three customer names with their purchase orders, bug reports, product dashboard screenshots, and Schema Diagrams obtained from the Confluence wiki.
CloudSEK also confirmed that server or database access wasn’t compromised. An investigation into the incident was quickly launched. Outlining possible suspects, Sasi claimed that another cyber security firm having a reputation for tracking dark web happenings could be responsible.
“We suspect a notorious Cyber Security company that is into Dark web monitoring behind the attack. The attack and the indicators connect back to an attacker with a notorious history of using similar tactics we have observed in the past.”Rahul Sasi
Around the same time when CloudSEK discovered the attack, that is on 6th December, Tuesday, Cyble Research & Intelligence Labs (CRIL) cyber security experts noticed a threat actor using the nick’ sedut’ who claimed to have breached the security of CloudSEK Info Security Pvt Ltd. The actor posted about hacking into the Indian firm on multiple cybercrime forums.
Cyble researchers suspect it was a targeted attack on CloudSEK and that the attacker’s objective was to negatively impact the company’s reputation within the digital threat intelligence fraternity. Revealing the attacker’s claims, Cyble researchers wrote in their blog post that the attacker had multiple accesses and was openly offering the data to buyers on these forums.
The data on sale included:
- Pre-sales info.
- VPN credentials.
- Purchase orders.
- Company credentials.
- Extensive clientele data.
- Project-related databases.
- Confidential source codes.
- Sensitive infrastructure details.
- Engineering products-related data.
Moreover, the threat actor claimed to have had access to CloudSEK’s ecosystem for several months. He supported this claim by sharing multiple screenshots and videos confirming they had access to the company’s internal servers.
As shown in the first screenshot, the hacker also leaked images that contained account usernames and passwords of accounts used for scraping the XSS and Breached hacking forums, and instructions on using different website crawlers, among other data.
The database is for sale for $10,000, and the engineering/employee product files are $8000 each.
How Did it Occur?
Sasi revealed that the hacker used the stolen Jira account credentials to access internal documents, training docs, open-source automation scripts, and Confluence pages, as these were attacked to the account.
CloudSEK also confirmed that the Jira user didn’t use a password but only SSO; his email was also protected by MFA (multi-factor authentication). So, the Jira password and the user’s email account weren’t compromised.
Instead, the company believes the threat actor compromised the session cookies of the Jira user, allowing them to take over the account. How the attacker got hold of the session cookies is currently under investigation.