Company Claims Breach Superficial, Client Data Secure
On Tuesday, December 6, 2022, Cyble Research & Intelligence Labs (CRIL) observed a Threat actor (TA) going by the moniker ‘sedut‘ claiming to have breached the Indian cybersecurity company CloudSek Info Security Pvt. Ltd. a.k.a CloudSEK on various cybercrime forums.
From the post, this appears to be a targeted attack on CloudSEK with the express intention of negatively impacting its reputation within the cyber threat intelligence community.
The TA claims to have multiple accesses and was openly advertising their sale on cybercrime forums. The offer includes VPN credentials, threat intelligence platform credentials, purchase orders, engineering products-related information, project-related databases, confidential source codes, sensitive infrastructure details, pre-sales information, and detailed clientele information.
The TA claimed to possess access to CloudSEK’s environment for a few months. To support their claims, the TA has also shared multiple screenshots and a video demonstrating their access to platforms and internal servers of the company.
As a response, CloudSEK was quick to initiate their own investigation and, within a few hours of the claims, announced the source of the leak was compromised session cookies of a JIRA user, thereby leading to an account takeover.
The company identified that an employee’s laptop that was sent for repairs was incidentally infected with Vidar stealer log malware, which stole the passwords and session cookies for accessing their Jira account between November 22-24, 2022.
CloudSEK’s assessment states that the TA responsible had gained access to the company’s Confluence servers and JIRA platform, Purchase Orders (PO) of three customers, Twitter and Facebook accounts to carry out takedown requests of their clients as well as client documents, product screenshots from JIRA, training, and internal documents in addition to VPN & endpoint IP addresses.
The company denies the TA’s claims of access to VPN credentials, customer data, and client and employee credentials and stated that the accesses implied by the TA in their post were derived from JIRA tickets and internal Confluence pages.
Threat Actor Claims
CRIL has investigated the claims and statements made by the TA, and the summary of their claims is as follows:
- Company’s End-User License Agreement.
- VPN IP address ranges and rebuked the company employees for storing their credentials on documents in their systems.
- Masked IP addresses of the VPN supporting company’s threat intelligence platform X Vigil, along with the redacted password.
- The masked IP address of the VPN hosting their asset detection platform, Be Vigil.
- Redacted IPs of the company’s Kubernetes cluster.
- Masked IP assigned to a staging database.
- Database Schema of X Vigil platform, which illustrates the backend structure of the company’s monitoring platform.
- Events Schema of the company’s database, describing the workflow of events.
- Exposed accounts used for scraping cybercrime forums which were identified from the JIRA workflow.
- The Elastic Search (ES) Dashboard showed the running status of Elastic Search servers along with their IP addresses and system usage.
- A Purchase Order received from one of its clients in India dated November 3, 2022.
- Furthermore, TA touted that they had access to create client accounts in CloudSEK’s X Vigil platform and offered to do this for anyone contacting them on their email ID mentioned in the post for a price. The TA shared screenshots (shown below) demonstrating administrative access to the platform. However, these claims were refuted by CloudSEK during their investigation.
- Posted a video alleging access to the staging platform through an employee’s desktop (SDET – Software Development Engineer in Test), showing their Google Chrome profile and various open tabs. Based on CloudSEK’s response, it is likely that the TA obtained this video from the internal documentation / Confluence access.
- The TA posted a list of companies provided with a Proof of Concept (POC) in a further attempt to substantiate their claims of access to client information.
Early Indicators of Threat against Threat Intelligence Organizations
Cyber Threat Intelligence companies have always been on the radar of Threat Actors. In August 2022, a forum administrator posted a thread to buy credentials to Cybersecurity threat intelligence platforms.
In another instance from April 2022, we observed a Threat Actor selling credentials to the threat intelligence platform of the cybersecurity company Mandiant. The claims remain unsubstantiated in the absence of proof, as the TA later exited the forum.
Information from Open Sources
The TA’s username, ‘sedut’, is a Malay word for “inhale/take in.” The TA is possibly Malaysian or familiar with Malay culture.
The TA has made posts on Twitter, Instagram, and Facebook under the usernames “cloudsek_takedown,” “CloudsekXVigil,” “Aman Kr,” and “cloud.sek.75“.
As investigated by CloudSEK and indicated in their findings, some of the accounts appear to have no relation to CloudSEK or used to perform takedown action
The TA posted the same threads they had created on the forums on the social media accounts, tagging various news media and clients of CloudSEK. The implication of the username being “Cloudsek Takedowns” is that the TA is actively attempting to tarnish CloudSEK’s reputation.
CRIL tried to investigate previous antecedents of the TA sedut from their email account furnished in their post as the point of contact for selling the CloudSEK database.
Our preliminary analysis suggests possible ties to a Threat Actor previously active on RaidForums from October 2017 to February 2022. However, the same could not be confirmed and remains a matter of continued investigation.
The breach targeting CloudSEK reveals an alarming trend of Threat Actors taking their battle to the camps of the cyber security and threat intelligence community. The cat-and-mouse game between threat intelligence companies and cybercriminals has entered a new level wherein these actors are making nefarious attempts to tarnish their businesses’ brand image and reputation.