Indian cybersecurity firm CloudSEK says a threat actor gained access to its Confluence server using stolen credentials for one of its employees’ Jira accounts.
While some internal information, including screenshots of product dashboards and three customers’ names and purchase orders, was exfiltrated from its Confluence wiki, CloudSEK says the attackers didn’t compromise its databases.
“We are investigating a targeted cyber attack on CloudSEK. An employee’s Jira password was compromised to get access to our Confluence pages,” the company’s CEO and founder, Rahul Sasi, said on Tuesday.
Instead, using the stolen Jira credentials, the threat actor could access training and internal documents, Confluence pages, and open-source automation scripts attached to Jira.
Threat actor claims to have access to CloudSEK’s network
A threat actor named ‘sedut’ is now trying to sell what they claim is access to CloudSEK’s “networks, Xvigil, codebase, email, JIRA and social media accounts” on multiple hacking forums.
They also leaked images containing CloudSEK-related information, including usernames and passwords for accounts used to scrape the Breached and XSS hacking forums, instructions on how to use various website crawlers, as well as screenshots showing CloudSEK’s database schema, CloudSEK’s dashboard, and purchase orders.
The threat actor is now trying to sell CloudSEK’s alleged database for $10,000 and the codebase and employee/engineering product docs for $8,000 each.
“All the screenshots and purported accesses shared by the threat actor can be traced back to JIRA Tickets and internal Confluence pages,” Sasi added Wednesday.
“Even the screenshots of Elastic DB, mySQL database schema, and XVigil/PX are from training documents stored on JIRA or Confluence.”
Allegedly stolen CloudSEK data up for sale (BleepingComputer)
Unnamed cybersecurity outfit is the main suspect
CloudSEK has already tightened its circle of suspects, and, in an update to his blog post, Sasi claims another cybersecurity company known for tracking dark web developments might be behind the breach.
“We suspect a notorious Cyber Security company that is into Dark web monitoring behind the attack,” CloudSEK’s CEO says.
“The attack and the indicators connect back to an attacker with a notorious history of using similar tactics we have observed in the past.”
BleepingComputer reached out earlier today for more info, but a company spokesperson refused to provide additional details on the name of the cybersecurity outfit suspected of the CloudSEK breach.
“As soon as we came to know about a targeted attack on CloudSEK, we went public with the information and in the spirit of transparency, we are updating all our findings on our blog post about it,” the CloudSEK spokesperson told BleepingComputer on Wednesday.