Cloud security company Zscaler is continuing an investigation into an alleged breach after a threat actor started selling “access to one of the largest cyber security companies.” Zscaler released a statement on Friday reiterating: “There is no impact or compromise to our customer, production and corporate environments.” However, the saga continues.
On May 8th, 2024, the infamous threat actor under the alias IntelBroker claimed to have breached a cybersecurity company with a revenue of $1.8 billion. For a price of $20,000 in cryptocurrency, the threat actor offered “Confidential and highly critical logs packed with credentials,” SMTP Access, HAuth Pointer Auth Access SSL Passkeys & SSL Certificates, and others to “reputable members” on the illicit marketplace BreachForums.
IntelBroker has a track record of making claims related to confirmed breaches, but in this case, it did not specify the company.
Independent cybersecurity researchers suspected that the security company in question might be Zscaler. IntelBroker later stated that the company name begins with a Z.
Immediately after learning about the claims, Zscaler started an investigation, as they “take every potential threat and claim very seriously and will continue our rigorous investigation.”
Since then, Zscaler has released four updates, each reiterating that it hasn’t discovered any evidence of an incident or compromise in its customer, production, or corporate environments.
“We continue to monitor the situation and will provide additional updates through the completion of the investigation,” the company’s last update said on Friday.
The firm admitted that the investigation only discovered an isolated test environment on a single server, which was exposed to the internet. It contained no customer data.
“The test environment was not hosted on Zscaler infrastructure and had no connectivity to Zscaler’s environments. The test environment was taken offline for forensic analysis,” the company said.
An employee at Zscaler also posted on Mastodon that any claims of a breach are “completely inaccurate and unfounded.”
However, the saga isn’t over yet.
IntelBroker, in an update, now claims it has sold the access to Zscaler, and “the buyer has confirmed that I’m allowed to show the access that has been used.”
The provided screenshots now mention Zscaler directly. They include obscured SMTP credentials, some code with network configuration details, and logs that appear to be related to Zscaler security products, including configuration parameters such as ports, IP addresses, paths, passwords, and SSL certificates.
IntelBroker stated that the access it sold is not a testing environment and that it doesn’t know “what they are talking about.”
Currently, all Zscaler Services are functional and online, the website states.
Zscaler’s share price has decreased by 3.1% over the last five days and is now trading at $171.96 per share.