CloudSEK is an Indian cybersecurity firm that fell prey to a breach by an unidentified threat actor.
CloudSEK’s post about the incident states that Rahul Sasi, the founder and CEO of CloudSEK, claimed the hacker stole credentials for one CloudSEK employee’s Jira account. Rahul also stated that the threat actor(s) had accessed the company’s Confluence pages by stealing the Jira password.
The hacker also accessed internal data, including product dashboard screenshots. Schema diagrams were also obtained from Confluence.
CloudSEK also confirmed that no server or database access was compromised. The incident quickly became the subject of an investigation. Sasi suggested that another cyber security company with a track record of dark web activity could have been responsible.
We suspect that Dark Web monitoring is being carried out by a cyber security company. Both the attack and indicators point to an attacker who has a history of similar tactics that we’ve seen in the past.
Rahul Sasi
Hacker’s Claims
CloudSEK was alerted to the threat by Cyble Research & Intelligence Labs (CRIL) on Tuesday, 6th December. That day, cyber security specialists noticed a person using the nickname “sedut” who claimed to have breached CloudSEK Info Security Pvt Ltd. On multiple cybercrime forums, the actor claimed to have hacked into an Indian company.
Researchers at Cyble suspect that the attack on CloudSEK was intended to damage the company’s image within the cyber threat intelligence community. According to Cyble’s researchers, the attacker claimed to have access to multiple files and offered the data openly for purchase.
Data on sale:
- Pre-sales information
- VPN credentials
- Orders
- Company credentials
- Extensive client data
- Project-related databases
- Confidential source code
- Sensitive infrastructure details
- Engineering product data
The threat actor also claimed to have had access to CloudSEK’s ecosystem for several months. He backed this claim with multiple videos and screenshots, offered as proof that he had been able to access the company’s servers.
The first image shows that the hacker leaked additional images, including usernames and passwords for accounts used to scrape the XSS hacking forum, and instructions on how to use different website crawlers.
The database was offered for 10,000 dollars, with the engineering/employee product data priced at $8,000 per file.
What was the Cause?
Sasi disclosed that the hacker had used the Jira account credentials to access internal documents, training files, and open-source automation scripts. The hacker also accessed Confluence pages.
CloudSEK confirmed that the Jira user did not use SSO but a password, and that his email was protected with 0_. Neither the Jira password nor the email account was compromised.
Instead, the company believes the attacker compromised the user’s Jira session cookies, which allowed them to take over the account. How the attacker obtained the session cookies is still under investigation.