lazarusholic

Everyday is lazarus.dayβ

North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack

2023-07-24, Mandiant
https://www.mandiant.com/resources/blog/north-korea-supply-chain
#JumpCloud #UNC4899

In July 2023, Mandiant Consulting responded to a supply chain compromise affecting a US-based software solutions entity. We believe the compromise ultimately began as a result of a sophisticated spear phishing campaign aimed at JumpCloud, a zero-trust directory platform service used for identity and access management. JumpCloud reported this unauthorized access impacted fewer than five customers and fewer than 10 devices. The details in this blog post are based on Mandiant's investigation into the attack against one of JumpCloud's impacted customers.
Mandiant attributed these intrusions to UNC4899, a Democratic People's Republic of Korea (DPRK)-nexus actor, with a history of targeting companies within the cryptocurrency vertical. Mandiant assesses with high confidence that UNC4899 is a cryptocurrency-focused element within the DPRK's Reconnaissance General Bureau (RGB). Based on reporting from trusted partners, UNC4899 likely corresponds to TraderTraitor, a financially motivated DPRK threat group that primarily …

IoC

08607faad41009e31c094539b20b615b3e7a71e716f2bca12e4a097f38f14466
146.19.173.125
155597a7985cb8f7a6e748e5e108f637
15bfe67e912f224faef9c7f6968279c6
175.45.178.0
198.244.135.250
23.227.202.54
27db0f17282a4c4507266f3c4d9c4527
28c3d359364bf5d64a864f08d4743ea08e48017be27fda8cf53fb5ba307583b4
38.132.124.88
39a421ea89035ffcc3dea0cd0f10964e
48eaf2a7e97189709fb3789f0c662e1c
555549440ea0d64e96bb34428e08cc8d948b40e7
555549440fca1d2f1e613094b0c768d393f83d7f
55554944c2a6eb29a7bc3c73acdaa3e0a7a8d8c7
5701d7bcf809d5ffc9061daeb24d3e7cc6585d9b42bacf94fc68a6c500542f8c
5d18443f88f38ad7e3de62ac46489f649b4e8183b76fba902fb9a9ccf8a0d5c8
65baa3c1a22052fe1f70c9d2cbe11de4
6d8194c003d0025fa92fbcbf2eadb6d1
6f1c47566a46d252885858f928a3b855fb3fd03941e3571d152562d0c75c4d47
88.119.174.148
88f23c22a7f9da8b5087a3fa9c76fd5c79903d89ceda4152943cadc0797cbcb8
9b1c1013ad8d2c0144af74eff5a2afc454b7b858bb7a5cba312bfb0f531c8930
a8b1c5eb2254e1a3cec397576ef42da038600b4fa7cd1ab66472d8012baabf17
a90561efc22bdd777956cc67d5b67e3ec3c1b4f35a64f4328e40615d2ab24186
b0e0e0d258fcd55d3cc5af2b4669e014
c1fc3213bdb8f3139fd5d4b13e242441016c3c84
e5d42bee74a1e1813e8aad9a46a5ebc219953926
e901d9279d8f2ad96d741e7cd92770c0ce3ff3f4c029dbf26177b4e09228fe66
f0854a28209e07a70d7847af4b2632e697bcb95f2c8fcead41eb9314710bd0c2
ff975b95cfc65b6d19ca18993322cfeed282de04
http://175.45.178.0/24
http://198.244.135.250
http://basketsalute.com
http://contortonset.com
http://primerosauxiliosperu.com
http://prontoposer.com
http://relysudden.com
http://rentedpushy.com
http://wasxxv.site