CloudSEK

Cybersecurity Firm, CloudSEK, Reportedly Breached

Company Claims Breach Superficial, Client Data Secure

On Tuesday, December 6, 2022, Cyble Research & Intelligence Labs (CRIL) observed a Threat actor (TA) going by the moniker ‘sedut‘ claiming to have breached the Indian cybersecurity company CloudSek Info Security Pvt. Ltd. a.k.a CloudSEK on various cybercrime forums.

From the post, this appears to be a targeted attack on CloudSEK with the express intention of negatively impacting its reputation within the cyber threat intelligence community.

The TA claims to have multiple accesses and was openly advertising their sale on cybercrime forums. The offer includes VPN credentials, threat intelligence platform credentials, purchase orders, engineering products-related information, project-related databases, confidential source codes, sensitive infrastructure details, pre-sales information, and detailed clientele information.

The TA claimed to possess access to CloudSEK’s environment for a few months. To support their claims, the TA has also shared multiple screenshots and a video demonstrating their access to platforms and internal servers of the company.

Figure 1: TA’s initial leak post

As a response, CloudSEK was quick to initiate their own investigation and, within a few hours of the claims, announced the source of the leak was compromised session cookies of a JIRA user, thereby leading to an account takeover.

The company identified that an employee’s laptop that was sent for repairs was incidentally infected with Vidar stealer log malware, which stole the passwords and session cookies for accessing their Jira account between November 22-24, 2022.

CloudSEK’s assessment states that the TA responsible had gained access to the company’s Confluence servers and JIRA platform, Purchase Orders (PO) of three customers, Twitter and Facebook accounts to carry out takedown requests of their clients as well as client documents, product screenshots from JIRA, training, and internal documents in addition to VPN & endpoint IP addresses.

The company denies the TA’s claims of access to VPN credentials, customer data, and client and employee credentials and stated that the accesses implied by the TA in their post were derived from JIRA tickets and internal Confluence pages.

Threat Actor Claims

CRIL has investigated the claims and statements made by the TA, and the summary of their claims is as follows:

  1. Company’s End-User License Agreement.
  2. VPN IP address ranges and rebuked the company employees for storing their credentials on documents in their systems.
  3. Masked IP addresses of the VPN supporting company’s threat intelligence platform X Vigil, along with the redacted password.
  4. The masked IP address of the VPN hosting their asset detection platform, Be Vigil.
  5. Redacted IPs of the company’s Kubernetes cluster.
  6. Masked IP assigned to a staging database.
  7. Database Schema of X Vigil platform, which illustrates the backend structure of the company’s monitoring platform.
  8. Events Schema of the company’s database, describing the workflow of events.
  9. Exposed accounts used for scraping cybercrime forums which were identified from the JIRA workflow.
  10. The Elastic Search (ES) Dashboard showed the running status of Elastic Search servers along with their IP addresses and system usage.
  11. A Purchase Order received from one of its clients in India dated November 3, 2022.
  12. A FoamTree map, visualizing software components and documentation of the React-based JavaScript (JS) projects for the company’s products.
  13. Furthermore, TA touted that they had access to create client accounts in CloudSEK’s X Vigil platform and offered to do this for anyone contacting them on their email ID mentioned in the post for a price. The TA shared screenshots (shown below) demonstrating administrative access to the platform. However, these claims were refuted by CloudSEK during their investigation.
Figure 2: Client manager and dashboard

Figure 3: Adversary intelligence panel

  1. Posted a video alleging access to the staging platform through an employee’s desktop (SDET – Software Development Engineer in Test), showing their Google Chrome profile and various open tabs. Based on CloudSEK’s response, it is likely that the TA obtained this video from the internal documentation / Confluence access.
  1. The TA posted a list of companies provided with a Proof of Concept (POC) in a further attempt to substantiate their claims of access to client information.

Early Indicators of Threat against Threat Intelligence Organizations

Cyber Threat Intelligence companies have always been on the radar of Threat Actors. In August 2022, a forum administrator posted a thread to buy credentials to Cybersecurity threat intelligence platforms.

Figure 4: Post by forum admin looking to buy credentials to cyber threat intelligence platforms

In another instance from April 2022, we observed a Threat Actor selling credentials to the threat intelligence platform of the cybersecurity company Mandiant. The claims remain unsubstantiated in the absence of proof, as the TA later exited the forum.

Figure 5: TA selling alleged credentials of a cyber security company

Information from Open Sources

The TA’s username, ‘sedut’, is a Malay word for “inhale/take in.” The TA is possibly Malaysian or familiar with Malay culture.

The TA has made posts on Twitter, Instagram, and Facebook under the usernames “cloudsek_takedown,” “CloudsekXVigil,” “Aman Kr,” and “cloud.sek.75“.

As investigated by CloudSEK and indicated in their findings, some of the accounts appear to have no relation to CloudSEK or used to perform takedown action

Figure 6.1: Twitter account, which has the official CloudSEK branding
Figure 6.2: Twitter account, which has the official CloudSEK branding

The TA posted the same threads they had created on the forums on the social media accounts, tagging various news media and clients of CloudSEK. The implication of the username being “Cloudsek Takedowns” is that the TA is actively attempting to tarnish CloudSEK’s reputation.

CRIL tried to investigate previous antecedents of the TA sedut from their email account furnished in their post as the point of contact for selling the CloudSEK database.

Our preliminary analysis suggests possible ties to a Threat Actor previously active on RaidForums from October 2017 to February 2022. However, the same could not be confirmed and remains a matter of continued investigation.

Conclusion

The breach targeting CloudSEK reveals an alarming trend of Threat Actors taking their battle to the camps of the cyber security and threat intelligence community. The cat-and-mouse game between threat intelligence companies and cybercriminals has entered a new level wherein these actors are making nefarious attempts to tarnish their businesses’ brand image and reputation.

Recent Blogs

BATLoader-RATs-Stealers-OneNote

Cyble analyzes BATLoader – A sophisticated loader being utilized by Threat Actors to deliver several malware families.

Read More »
Qakbot-Microsoft-OneNote

Cyble Research & Intelligence Labs analyzes new strategies deployed by Qakbot to infect users via Microsoft OneNote.

Read More »
Scroll to Top