Indian cybersecurity firm CloudSEK claims a malicious actor gained access to its Confluence server using stolen credentials for one of its employees’ Jira accounts.
While some internal information, including screenshots of product dashboards and three customer names and purchase orders, was exfiltrated from its Confluence wiki, CloudSEK claims the attackers did not compromise its databases.
“We are investigating a targeted cyberattack on CloudSEK. An employee’s Jira password was compromised to access our Confluence pages,” company CEO and founder Rahul Sasi said on Tuesday.
Instead of the databases, the threat actor used the stolen Jira credentials to gain access to internal training material and documents, Confluence pages, and open-source automation scripts attached to Jira issues.
Threat actor claims to have access to CloudSEK’s network
A threat actor named “sedut” is now trying to sell what he claims is access to CloudSek’s “networks, Xvigil, codebase, email, JIRA, and social media accounts” on several hacking forums.
They also leaked images containing information related to CloudSEK, including usernames and passwords for accounts used to scrape the Breached and XSS hacking forums, instructions on how to use various website crawlers, as well as screenshots showing CloudSEK’s database schema, CloudSEK’s dashboard, and order forms.
The threat actor is now trying to sell the alleged CloudSEK database for $10,000 and the codebase and employee/engineer product documents for $8,000 each.
“All screenshots and alleged access shared by the threat actor can be traced back to JIRA issues and internal confluence pages,” Sasi added on Wednesday.
“Even the screenshots of Elastic DB, mySQL database schema, and XVigil/PX are from training materials stored on JIRA or Confluence.”
An unnamed cybersecurity company is the prime suspect
CloudSEK has already narrowed its circle of suspects, and in an update to its blog post, Sasi claims another cybersecurity company known to track dark web developments may be behind the breach.
“We suspect a notorious cybersecurity company monitoring the dark web behind the attack,” the CEO of CloudSEK said.
“Offense and indicators point to an attacker with a notorious history of using similar tactics that we have seen in the past.”
BleepingComputer reached out earlier today for more information, but a company spokesperson declined to name the cybersecurity company suspected of the CloudSEK breach.
“As soon as we became aware of a targeted attack against CloudSEK, we made the information public and, in the spirit of transparency, we are updating all our findings on our blog post about it,” a CloudSEK spokesperson told BleepingComputer on Wednesday.