Zscaler shuts down exposed system after rumors of a cyberattack

In response to rumors that a threat actor had hacked its systems and was selling access to them, Zscaler said it has taken offline for analysis a “test environment” that was found to be exposed.

“Our investigation discovered an isolated test environment on a single server (without any customer data) which was exposed to the internet,” Zscaler confirmed in a May 8 update on its Trust site. “Zscaler can confirm there is no impact or compromise to its customer, production and corporate environments.”

In an earlier post, the company said it had initiated an investigation immediately after learning of an X (formerly Twitter) post by a threat actor claiming to have potentially obtained unauthorized information.

“We take every potential threat and claim very seriously and will continue our rigorous investigation,” Zscaler had added.

Zscaler initially dismissed rumors of an attack

A few hours earlier, the company had dismissed the rumors, saying internal investigations had not, up to that point, shown any evidence that its customer or production environments were breached.

A Zscaler employee had also said on the Mastodon social media platform that the claims of breach of Zscaler systems were “completely inaccurate and unfounded”.

“We regularly see attempted attacks and rumors circulating, but it is crucial to rely only on official communications from Zscaler itself to get factual updates and information,” the employee had said.

The rumors started after the notorious Serbian threat actor named IntelBroker offered to sell access to a cybersecurity company with a revenue of $1.8 billion.

IntelBroker likely breached Zscaler

High-profile hacker IntelBroker, in a dark web post on May 8, claimed the breach, offering to sell access to “Confidential and highly critical logs packed with credentials, SMTP Access, PAuth Pointer Auth Access, SSL Passkeys & SSL Certificates.”

Immediately after IntelBroker posted the breach claims, connections were made to Zscaler, as the company is listed on ZoomInfo with a revenue of $1.8 billion.

Furthermore, a Mastodon user, @DarkWebInformer, had also confirmed that “Zscaler has been breached,” linking the attack to the IntelBroker claim. Cybersecurity news platform BleepingComputer also said it had seen a screenshot of the threat actor claiming it was Zscaler in the Breach Forums shoutbox.

Breach Forums is a revived version of the cybercrime site Raid Forums, used by IntelBroker and the threat group the actor is affiliated with (CyberNiggers). IntelBroker is a prominent member of the group, specializing in initial access brokering: identifying and exploiting weaknesses in systems, and selling compromised access on the dark web. The hacker recently breached Space-Eyes, a geospatial intelligence firm catering exclusively to US government agencies. Previously, the threat actor has been linked to the breaches of the Colonial Pipeline, US Federal contractor Acuity, and General Electric.
