Employee device compromise, credentials led to CircleCI breach

CircleCI’s chief technology officer said malicious hackers infected one of their engineers’ laptops and stole elevated account privileges to breach the company’s systems and data late last year.

In the incident report published late Friday, chief technology officer Rob Zuber said evidence of the hack, which was first disclosed on Jan. 4, 2023, dates back at least to Dec. 16, 2022, when an unauthorized actor compromised an engineer’s laptop and stole a batch of session credentials that had already been backed by two-factor authentication.

“Our investigation indicates that the malware was able to execute session cookie theft, enabling them to impersonate the targeted employee at a remote location and then escalate access to a subset of our production systems,” Zuber wrote.

The attacker used this access to steal data from “a subset of databases and stores, including client environment variables, tokens, and keys.” After it stole an unspecified amount of data and evaded detection by the company’s antivirus software, the actor moved on to broader reconnaissance activities on Dec. 19, before exfiltrating another batch of data on Dec. 22, including the encryption keys needed to decrypt what had been taken.

Dan Lorenc, founder and CEO of Chainguard, which bills itself as a software development platform with native supply chain security, said the broad access developers need to both their local systems and production environments makes it difficult for endpoint detection systems to spot when one of those accounts acts maliciously.

“They are hardest to detect because developers usually have the most access to production but also require the most access to their local systems to perform their jobs, which makes most endpoint protection programs useless,” Lorenc wrote on Twitter.

While it appears that only one employee’s account was hacked, Zuber stressed that the breach represented a “system-wide failure” and should not be placed at the feet of any individual.

He said that although the company is now confident that it has shut down the attack vector used in the initial compromise and that the actor no longer has access to CircleCI’s internal systems, it cannot guarantee that the stolen information will not be used to compromise customer systems. So far, the company is aware of “fewer than five” customers who have reported unauthorized access to third-party systems after the breach.

“If you store secrets on our platform during this time period, assume they have been accessed and take the recommended mitigation steps,” Zuber wrote. “We recommend that you investigate any suspicious activity in your system beginning on December 16, 2022 and ending on the date you completed the rotation of your secrets after our disclosure on January 4, 2023. Anything entered into the system after January 5, 2023 can be considered safe.”
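The guidance above boils down to a triage window: treat every secret held on the platform as exposed from Dec. 16, 2022 until the day you finished rotating it, and review activity in that window. The script below, an added example that is not CircleCI tooling, shows one way a customer could run that review over its own CI audit log. It assumes a constructed JSON-lines log, a placeholder rotation-completion date, hypothetical action names for secret reads, and placeholder IoC addresses (RFC 5737 documentation ranges) standing in for the real list in CircleCI’s report.

```python
"""Triage CI audit-log events against the advisory's exposure window and an
IoC address list. Added example; log format, action names, rotation date
and IoC addresses are all constructed placeholders, not CircleCI data."""
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Window start is the date given in the advisory (Dec. 16, 2022).
WINDOW_START = datetime(2022, 12, 16, tzinfo=timezone.utc)
# Assumed date on which this customer finished rotating its secrets (placeholder).
ROTATION_DONE = datetime(2023, 1, 6, tzinfo=timezone.utc)

# Placeholder IoCs; the real addresses are in CircleCI's report, not reproduced here.
IOC_IPS = {"198.51.100.23", "203.0.113.77"}

# Hypothetical audit actions that read or use stored secrets.
SENSITIVE_ACTIONS = {"project.env_var.list", "context.secret.read", "oauth.token.used"}

# Constructed sample log: one JSON event per line.
SAMPLE_LOG = """
{"timestamp": "2022-12-10T09:12:00Z", "actor": "alice", "action": "context.secret.read", "source_ip": "192.0.2.10"}
{"timestamp": "2022-12-22T03:41:17Z", "actor": "alice", "action": "project.env_var.list", "source_ip": "198.51.100.23"}
{"timestamp": "2022-12-30T14:05:00Z", "actor": "bob", "action": "pipeline.run", "source_ip": "192.0.2.10"}
{"timestamp": "2023-01-08T10:00:00Z", "actor": "alice", "action": "context.secret.read", "source_ip": "192.0.2.10"}
{"timestamp": "2023-01-09T22:30:00Z", "actor": "svc-deploy", "action": "pipeline.run", "source_ip": "203.0.113.77"}
""".strip().splitlines()


@dataclass
class Finding:
    timestamp: str
    actor: str
    action: str
    source_ip: str
    reasons: tuple


def parse_event(line):
    """Parse one JSON event; timestamps are ISO 8601 with a trailing Z."""
    ev = json.loads(line)
    ts = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
    return ts, ev


def triage(lines, window_start=WINDOW_START, rotation_done=ROTATION_DONE,
           ioc_ips=IOC_IPS, sensitive=SENSITIVE_ACTIONS):
    """Flag secret-touching events inside the exposure window, plus any event
    from an IoC address regardless of time (post-rotation secrets are safe,
    but an IoC hit still deserves a look)."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, ev = parse_event(line)
        reasons = []
        if window_start <= ts <= rotation_done and ev.get("action") in sensitive:
            reasons.append("in-window-sensitive")
        if ev.get("source_ip") in ioc_ips:
            reasons.append("ioc-ip")
        if reasons:
            findings.append(Finding(ev["timestamp"], ev["actor"], ev["action"],
                                    ev["source_ip"], tuple(reasons)))
    return findings


def summarize(findings):
    """Count findings per actor so the most-touched identities surface first."""
    counts = {}
    for f in findings:
        counts[f.actor] = counts.get(f.actor, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.timestamp, f.actor, f.action, f.source_ip, ",".join(f.reasons))
    print(summarize(triage(SAMPLE_LOG)))
```

On the constructed log this flags two events: the in-window environment-variable listing from an IoC address, and a post-rotation pipeline run from another IoC address; the legitimate reads before the window and after rotation are left alone. Events that fall inside the window but do not touch secrets are not flagged here, which keeps the output focused on what the advisory says to assume was accessed.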

Zuber said the company first received a report of suspicious GitHub OAuth activity from one of its customers on December 29. A day later, they determined that an unauthorized party had gained access, which led to a deeper investigation.

“While we are confident in the results of our internal investigation, we have engaged third-party cybersecurity professionals to assist in our investigation and validate our findings,” Zuber wrote. “Our findings to date are based on analyses of our validators, network, and monitoring tools, as well as system logs and log analytics provided by our partners.”

In response to the discovery, Zuber said CircleCI closed employee access, restricted access to production environments to an “extremely small group” of employees to maintain operations, revoked all personal project API tokens and rotated all GitHub OAuth tokens. He also said that the company intends to learn from the breach and has taken a number of other steps to improve its security operations.

The company has also reached out to other third parties that have cloud or SaaS applications that integrate with CircleCI and could be affected by the compromise, including GitHub, AWS, Google Cloud, and Microsoft Azure. As SC Media previously reported, Mitiga researchers cautioned that the nature of the CircleCI platform and its integration with a customer’s cloud environment means that a compromise of one can easily compromise the other.

“As you use the Circle platform, you integrate the platform with other SaaS and Cloud providers your company uses. For each integration, you need to provide the CircleCI platform with authentication tokens and secrets,” Mitiga researchers Doron Karmi, Deror Czudnowski, Ariel Szarf and Or Aspir wrote earlier this week. “When it comes to a security incident involving your CircleCI platform, not only will your CircleCI platform be at risk, [so are] all other SaaS platforms and cloud providers integrated with CircleCI… their secrets are stored in the CircleCI platform and can be used by the threat actor to expand their foothold.”

CircleCI revealed earlier this week that it was partnering with AWS to rotate any potentially affected tokens, and the latest update says it has also worked with software development provider Atlassian to rotate Bitbucket tokens.

The report provides a list of IP addresses, known VPN providers and data centers and other indicators of compromise associated with the threat actor.

Known IP addresses, VPN providers, and other indicators of compromise associated with the actor who breached CircleCI. (Source: CircleCI)
