Indian cybersecurity firm CloudSEK disclosed the breach on Tuesday, saying the actor gained access to its Confluence server using stolen credentials for one of its employees' Jira accounts.
The firm acknowledged that the attacker obtained some internal material, including screenshots, bug reports, three customers' names, and schema diagrams, but said the attackers did not compromise its database or servers.
"We are investigating the details, and more information will be shared with you when we uncover them. Thank you for your trust," says Rahul Sasi, Founder and CEO of CloudSEK.
Hackers claim to have access to CloudSEK's network
According to the post on the Breached forum, the threat actor 'sedut' claimed to have access to CloudSEK's network, which allegedly led to the compromise of XVigil, the codebase, email, Jira, and social media accounts.
For proof, the attacker has also leaked images containing CloudSEK-related information, including usernames and passwords for accounts used to scrape the Breached and XSS hacking forums, instructions on how to use various website crawlers, as well as screenshots showing CloudSEK's database schema, CloudSEK's dashboard, and purchase orders.
The attacker is selling CloudSEK's alleged database for $10,000 and the codebase and employee/engineering product docs for $8,000 each.
But Sasi explained that all the screenshots and purported access shared by the threat actor, along with the screenshots of the Elastic DB, the MySQL database schema, and XVigil/PX, can be traced back to Jira tickets and internal Confluence pages; no database or server access was compromised.
Another cybersecurity firm may be behind the attack
In the blog post, Sasi suggests that another cybersecurity company, known for tracking dark web developments, might be behind the breach.
Based on the investigation of the hacking incident, Sasi noted, the attack and its indicators connect back to an attacker with a notorious history of using similar tactics.
CloudSEK confirms that a Jira user account was compromised and that the attacker used it to access customer names and purchase orders for three companies.
How was CloudSEK security breached?
In the investigation, CloudSEK found that one employee's laptop had developed problems and was sent to a third-party vendor (Axiom) for repair. The laptop was returned with a fresh copy of Windows and an infostealer (Vidar Stealer) installed.
"The stealer log malware uploaded the passwords/cookies on the employee's machine to a dark web marketplace. The attacker purchased the logs the same day. The attacker was unable to use the other passwords due to MFA," Sasi wrote.