
DNS Insights behind the JumpCloud Supply Chain Attack


Even solutions meant to enhance security can sometimes fall prey to the best cyber attackers. That’s what happened to JumpCloud, a cloud-based directory service platform designed to centralize and simplify identity access management (IAM).

SentinelOne researchers analyzed the supply chain attacks and published 32 JumpCloud attack indicators of compromise (IoCs). WhoisXML API, in an effort to identify additional artifacts, if any, performed an IoC list expansion that uncovered:

  • 145 domains that shared some of the dedicated IP hosts identified as IoCs, one of which was flagged as malicious by a bulk malware check
  • 392 domains that contained the strings centos, datadog, and zscaler, mirroring some of the domains identified as IoCs

A sample of the additional artifacts obtained from our analysis is available for download from our website.

JumpCloud Supply Chain Attack IoC Facts

The SentinelOne JumpCloud supply chain attack analysis identified 13 domains and 19 IP addresses as IoCs.

As a first step, we subjected the 13 domains to a bulk WHOIS lookup, which revealed that:

  • The IoCs were distributed among three registrars. A majority of them, 11 domains to be exact, were administered by Namecheap. LaunchPad and PDR accounted for one IoC each.
  • A majority of the domains were relatively new, as 11 of them were created just this year. The remaining two were a little older, created in 2019 and 2020.
  • The domains identified as IoCs were registered in three countries—11 in Iceland and one each in Argentina and the U.S.

It’s also interesting to note that the website categorization lookup results for the domains identified as IoCs classified all 13 as malware sites.

Next, we performed a bulk IP geolocation lookup for the 19 IP addresses identified as IoCs and found that:

  • The IoCs were spread across six geolocation countries led by the U.S., which accounted for 10 IP addresses. France came in second, accounting for three IP addresses. Canada and the Netherlands rounded out the top 3, accounting for two IoCs each.
  • Four of the IP addresses were administered by OVH SAS. Fifteen ISPs—Amazon, ColoCrossing, DataCamp, DediPath, Hetzner, Hivelocity, M247, Network Solutions, Private Layer, QuadraNet, Sharktech, Sollutium, The Constant Company, The Optimal Link Corporation, and Unified Layers—managed one IoC each.

The following image compares the domain registrant and IP geolocation countries of the IoCs. Only the U.S. consistently appeared as a registrant and IP geolocation country although the number of IP addresses and domains didn’t match.

JumpCloud Supply Chain Attack IoC List Expansion Findings

We began our DNS deep dive with DNS lookups, which showed that only two of the domains identified as IoCs continued to resolve to one IP address each—toyourownbeat[.]com to 192[.]185[.]5[.]189 and primerosauxiliosperu[.]com to 162[.]241[.]248[.]14. These IP resolutions, however, were already part of SentinelOne’s IoC list.

Next, reverse IP lookups for the 19 IP addresses identified as IoCs revealed that eight of them were dedicated hosts, one was possibly dedicated, and another one was shared. Three didn’t have active resolutions.

Our search also showed that the nine dedicated and possibly dedicated IP hosts were shared by 145 other domains. One of them, now unreachable—npmaudit[.]com—was classified as a malware host by a bulk malware check.
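The reverse IP pivot described above (classify each IP IoC as dedicated, possibly dedicated, shared, or unresolved, then collect the co-hosted domains of the dedicated and possibly dedicated hosts as new candidates) can be expressed in a few lines. This is an added example, not WhoisXML API's or SentinelOne's code: the passive-DNS snapshot is constructed from reserved documentation addresses and .example names, and the per-host domain-count thresholds are assumptions, since the article does not state how "dedicated" was decided.

```python
"""Reverse-IP pivot from a list of IP-address IoCs (added example)."""

# Constructed passive-DNS snapshot: IP -> domains currently resolving to it.
# Addresses come from RFC 5737 documentation ranges, not the article's IoCs.
CONSTRUCTED_PASSIVE_DNS = {
    "192.0.2.10": ["ioc-one.example", "cohost-a.example", "cohost-b.example"],
    "192.0.2.11": ["ioc-two.example"],
    "192.0.2.12": [f"pool{i}.example" for i in range(8)],       # small pool
    "198.51.100.5": [f"site{i}.example" for i in range(40)],    # shared hosting
    "203.0.113.7": [],                                          # no active resolutions
}

# Domains already on the IoC list; co-hosted domains that are not on it are the pivot output.
IOC_DOMAINS = {"ioc-one.example", "ioc-two.example"}
IOC_IPS = list(CONSTRUCTED_PASSIVE_DNS)

# Assumed thresholds (not from the article): a host with at most DEDICATED_MAX
# domains is treated as dedicated, up to POSSIBLY_DEDICATED_MAX as possibly dedicated.
DEDICATED_MAX = 5
POSSIBLY_DEDICATED_MAX = 20


def classify_host(domains):
    """Classify one IP by how many domains resolve to it."""
    n = len(domains)
    if n == 0:
        return "no resolution"
    if n <= DEDICATED_MAX:
        return "dedicated"
    if n <= POSSIBLY_DEDICATED_MAX:
        return "possibly dedicated"
    return "shared"


def expand_iocs(ioc_ips, ioc_domains, passive_dns):
    """Return (classification per IP, sorted list of new co-hosted domains to triage)."""
    classes = {}
    new_domains = set()
    for ip in ioc_ips:
        domains = passive_dns.get(ip, [])
        cls = classify_host(domains)
        classes[ip] = cls
        # Only dedicated / possibly dedicated hosts give meaningful pivots; the
        # co-tenants of a shared hosting box are mostly unrelated third parties.
        if cls in ("dedicated", "possibly dedicated"):
            new_domains.update(d for d in domains if d not in ioc_domains)
    return classes, sorted(new_domains)


if __name__ == "__main__":
    classes, candidates = expand_iocs(IOC_IPS, IOC_DOMAINS, CONSTRUCTED_PASSIVE_DNS)
    for ip, cls in classes.items():
        print(f"{ip:15} {cls}")
    print(f"{len(candidates)} co-hosted domains to triage:", candidates)
```

The candidate list is a triage queue, not a blocklist: each domain still needs a malware check and a WHOIS comparison before it is treated as related to the campaign, which is exactly the step the article applies to npmaudit[.]com.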

A closer look at the domains identified as IoCs allowed us to identify three unique strings—centos, datadog, and zscaler—that coincided with popular brand names shown in the table below.

  • centos (CentOS): CentOS is a discontinued free, open-source, and community-supported Linux computing platform functionally compatible with its upstream source—Red Hat Enterprise Linux.
  • datadog (Datadog): Datadog is an observability service for cloud-scale applications that enables server, database, tool, and service monitoring via a SaaS-based data analytics platform.
  • zscaler (Zscaler): Zscaler is a cloud security company headquartered in San Jose, California that offers enterprise cloud security services.

We used the above-mentioned strings as Domains & Subdomains Discovery search terms that led to the discovery of 392 domains.

While none of them were categorized as malicious after being subjected to a bulk malware check, many of them couldn’t be publicly attributed to the companies. We used the WHOIS record data points in the table below to determine domain ownership. Note that since Datadog’s WHOIS record didn’t indicate any readily identifiable WHOIS data point, we couldn’t make accurate record comparisons for it to determine brand-containing domain ownership.

  • centos (CentOS): official domain name centos[.]org; WHOIS record detail: registrant organization Red Hat, Inc.
  • zscaler (Zscaler): official domain name zscaler[.]com; WHOIS record detail: registrant organization Zscaler, Inc.

Our bulk WHOIS lookup and record comparison with the brand name owners’ official websites showed that 93% didn’t share the same WHOIS record data points, making them publicly unattributable to the two legitimate companies remaining on our list. Many of the brand-containing domains could be owned by potential cybersquatters or even cyber attackers waiting for a chance to weaponize them.
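The brand-string search and the WHOIS attribution step above (find candidate domains containing each string, compare the registrant organization with the brand owner's official domain, and treat a brand whose reference record is redacted as not comparable) look like this when written out. This is an added example, not WhoisXML API's code or API: the candidate domains and every WHOIS record are constructed, the official-domain records for CentOS and Zscaler carry the registrant organizations the article lists, and the Datadog reference record is left with no registrant organization to reproduce the case the article could not compare.

```python
"""Brand-string look-alike discovery and WHOIS-based attribution (added example)."""
import re

BRAND_STRINGS = ["centos", "datadog", "zscaler"]

# Reference records for each brand's official domain. The registrant organizations
# for centos.org and zscaler.com are those quoted in the article; the Datadog entry
# is a constructed placeholder with no comparable data point (None).
OFFICIAL_WHOIS = {
    "centos": {"domain": "centos.org", "registrant_org": "Red Hat, Inc."},
    "datadog": {"domain": "datadog-official.example", "registrant_org": None},
    "zscaler": {"domain": "zscaler.com", "registrant_org": "Zscaler, Inc."},
}

# Constructed candidate domains (as a Domains & Subdomains Discovery search might
# return them) with constructed registrant organizations from their WHOIS records.
CONSTRUCTED_CANDIDATES = {
    "centos-mirror-update.example": "Red Hat, Inc.",
    "centos-login-verify.example": "REDACTED FOR PRIVACY",
    "get-centos-now.example": "John Doe",
    "datadog-agent-dl.example": "Some Hosting Ltd",
    "zscaler-portal-auth.example": "REDACTED FOR PRIVACY",
    "zscaler-partner.example": "ZSCALER INC",
    "unrelated-site.example": "Acme Corp",
}


def find_brand_domains(domains, brand_strings):
    """Map each brand string to the candidate domains that contain it (case-insensitive)."""
    hits = {brand: [] for brand in brand_strings}
    for domain in domains:
        lowered = domain.lower()
        for brand in brand_strings:
            if brand in lowered:
                hits[brand].append(domain)
    return hits


def normalize_org(org):
    """Normalize an organization name so 'Zscaler, Inc.' and 'ZSCALER INC' compare equal."""
    if org is None:
        return None
    return re.sub(r"[^a-z0-9]", "", org.lower())


def attribute(candidate_org, brand):
    """Decide whether a brand-containing domain can be attributed to the brand owner."""
    reference_org = OFFICIAL_WHOIS[brand]["registrant_org"]
    if reference_org is None:
        return "undetermined"        # no reference data point to compare against
    if normalize_org(candidate_org) == normalize_org(reference_org):
        return "attributed"
    return "unattributable"          # mismatch or redacted/privacy-protected record


def analyze(candidates, brand_strings):
    """Return {(brand, domain): verdict} for every brand-containing candidate."""
    results = {}
    for brand, domains in find_brand_domains(candidates, brand_strings).items():
        for domain in domains:
            results[(brand, domain)] = attribute(candidates[domain], brand)
    return results


def unattributable_share(results):
    """Fraction of comparable look-alikes (undetermined ones excluded) not attributable to the owner."""
    comparable = [v for v in results.values() if v != "undetermined"]
    if not comparable:
        return None
    return sum(v == "unattributable" for v in comparable) / len(comparable)


if __name__ == "__main__":
    verdicts = analyze(CONSTRUCTED_CANDIDATES, BRAND_STRINGS)
    for (brand, domain), verdict in sorted(verdicts.items()):
        print(f"{brand:8} {domain:32} {verdict}")
    print(f"unattributable share: {unattributable_share(verdicts):.0%}")
```

Two details matter for a fair comparison: organization names are normalized before matching, so formatting differences in otherwise identical records do not create false "unattributable" verdicts, and a brand with no usable reference record is reported as undetermined rather than silently counted either way, which keeps the percentage comparable to the article's 93% figure for the two brands that could be compared.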


Our IoC list expansion analysis for the JumpCloud supply chain attacks found that their perpetrators could have 145 IP-connected domains they could weaponize for future campaigns. It also revealed that threat actors could potentially utilize 189 look-alike domains for attacks targeting CentOS, Datadog, and Zscaler users or the solution developers themselves, especially since 93% of the centos- and zscaler-containing domains couldn’t be publicly attributed to the solution developers.

If you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
