CircleCI has confirmed that the recently investigated security incident was a malware-powered data theft.
The company announced the news in a blog entry that detailed what happened, what it did to minimize the damage, and how it plans to protect its users in the future.
The blog said that a high-privileged employee's laptop was infected with token-stealing malware, giving the attackers the keys to the kingdom.
Stealing data for weeks
The malware apparently managed to run on the endpoint even though the device had an antivirus program installed. The attackers used it to steal the session tokens that kept the employee logged in to several applications.
When a user signs into an app, even with a password and a multi-factor authentication (MFA) tool, some apps then issue session tokens that allow the user to stay signed in for extended periods of time. In other words, by stealing session tokens, the attackers effectively bypassed any MFA the company had in place.
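To make the mechanism concrete, here is an added illustration (not CircleCI's code and not from the blog post) of a minimal server-side session store. It issues a bearer token only after password and MFA both succeed, then shows why a copied token is as good as the login itself, and two defences a service can apply: binding the session to the client seen at login, and revoking every session a user holds. All users, user agents and IP addresses are constructed values; the TTL and fingerprint scheme are assumptions for the example.

```python
"""Session tokens outlive the MFA step: whoever holds the token is the user.

Added example, not CircleCI's own code. Demonstrates token replay after an
MFA login and two mitigations: client binding and bulk revocation.
"""
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 8 * 3600  # seconds a session stays valid after MFA (assumed policy)


def fingerprint(user_agent: str, client_ip: str) -> str:
    """Coarse client fingerprint the session is bound to at login (assumed scheme)."""
    return hashlib.sha256(f"{user_agent}|{client_ip}".encode()).hexdigest()


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested offline
        self._sessions = {}      # token -> {"user", "fp", "issued"}
        self.alerts = []         # security events a SOC would want to see

    def login(self, user, password_ok, mfa_ok, user_agent, client_ip):
        """Issue a bearer token only after both factors succeed."""
        if not (password_ok and mfa_ok):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "fp": fingerprint(user_agent, client_ip),
            "issued": self._now(),
        }
        return token

    def authenticate(self, token, user_agent, client_ip, bind_to_client=True):
        """Resolve a presented token to a user, or None if it is rejected."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if self._now() - sess["issued"] > SESSION_TTL:
            del self._sessions[token]            # expired: force a fresh MFA login
            return None
        presented = fingerprint(user_agent, client_ip)
        if bind_to_client and not hmac.compare_digest(sess["fp"], presented):
            # Same token, different client: treat as theft, not as a roaming user.
            self.alerts.append(f"session for {sess['user']} replayed from new client; revoked")
            del self._sessions[token]
            return None
        return sess["user"]

    def revoke_all(self, user):
        """Incident response: invalidate every session the user still holds."""
        doomed = [t for t, s in self._sessions.items() if s["user"] == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def demo():
    """Walk through the theft scenario; returns what each step produced."""
    store = SessionStore()
    # Employee signs in with password + MFA from their laptop (constructed values).
    tok = store.login("engineer", True, True, "Mozilla/5.0 (laptop)", "10.0.0.5")
    # Malware copies the token off the laptop and it is presented from another
    # machine. Without client binding the server cannot tell, so the stolen
    # token is worth exactly as much as the original password + MFA login.
    unbound = store.authenticate(tok, "curl/8.0", "203.0.113.9", bind_to_client=False)
    # With client binding the replay is refused, the session is revoked and an
    # event is recorded for the SOC.
    bound = store.authenticate(tok, "curl/8.0", "203.0.113.9")
    # Containment: the user logs in again later, then all their sessions are revoked.
    store.login("engineer", True, True, "Mozilla/5.0 (laptop)", "10.0.0.5")
    revoked = store.revoke_all("engineer")
    return {"unbound": unbound, "bound": bound, "alerts": list(store.alerts), "revoked": revoked}


if __name__ == "__main__":
    print(demo())
```

The fingerprint here is deliberately coarse; in practice a user agent string and a source address change for legitimate reasons (mobile networks, VPN roaming), so production systems tend to combine a softer binding with short token lifetimes, re-prompting for MFA on sensitive actions, and the ability to revoke all sessions for a user on short notice, which is the operation an incident responder reaches for first.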
After that, it was just a matter of accessing the right production systems to compromise sensitive data.
“Because the attacked employee was authorized to generate production access tokens as part of their regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and storage, including customer environment variables, tokens, and keys,” the blog notes.
The threat actors lingered on CircleCI’s infrastructure for approximately three weeks – from December 16, 2022 to January 4, 2023.
Even the fact that the stolen data was encrypted didn't help much, as the attackers also obtained the encryption keys.
“We encourage customers who have yet to take steps to do so to prevent unauthorized access to third-party systems and stores,” the blog concluded.
CircleCI had asked its customers to rotate all secrets stored in its systems. “These can be stored in project environment variables or in contexts.”
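Rotating "all secrets" starts with knowing where they are. The script below is an added example, not CircleCI's own tooling, that builds a rotation inventory from the two places the advisory names: project environment variables and context variables. It talks to the CircleCI v2 REST API through a small GET function the caller supplies, so it can be pointed at the real API (personal API token in the `Circle-Token` header) or, as in the offline demo at the bottom, at canned responses. The endpoint paths, the `items`/`next_page_token` pagination shape and the field names (`name` for project variables, `variable` for context variables) are assumptions from the public API documentation as remembered here, and the organisation, project and variable names in the demo are constructed.

```python
"""Inventory of secrets to rotate after a token-theft incident.

Added example, not CircleCI's code. Walks project environment variables and
context variables through a caller-supplied GET function so it runs offline.
"""
import json
import urllib.request

API = "https://circleci.com/api/v2"  # assumed base URL of the v2 API


def http_client(api_token):
    """Return a GET function for the live API (network access; not exercised offline)."""
    def get(path):
        req = urllib.request.Request(f"{API}{path}", headers={"Circle-Token": api_token})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return get


def _with_query(path, key, value):
    """Append a query parameter whether or not the path already has a query string."""
    sep = "&" if "?" in path else "?"
    return f"{path}{sep}{key}={value}"


def paginate(get, path):
    """Collect every item, following next_page_token (assumed v2 pagination shape)."""
    items, token = [], None
    while True:
        page = get(_with_query(path, "page-token", token) if token else path)
        items.extend(page.get("items", []))
        token = page.get("next_page_token")
        if not token:
            return items


def rotation_inventory(get, project_slugs, owner_slug):
    """List every secret name that needs a new value, with the scope it lives in.

    The API never returns secret values (project variables come back masked),
    so the inventory is names only; rotation means generating a new value at
    the source system and writing it back to each location listed here.
    """
    inventory = []
    for slug in project_slugs:
        for var in paginate(get, f"/project/{slug}/envvar"):
            inventory.append({"scope": "project", "where": slug, "name": var["name"]})
    for ctx in paginate(get, f"/context?owner-slug={owner_slug}"):
        for var in paginate(get, f"/context/{ctx['id']}/environment-variable"):
            inventory.append({"scope": "context", "where": ctx["name"], "name": var["variable"]})
    return inventory


def demo():
    """Offline run against constructed API responses, including a two-page listing."""
    canned = {
        "/project/gh/example-org/api/envvar": {
            "items": [{"name": "AWS_SECRET_ACCESS_KEY", "value": "xxxx1234"}],
            "next_page_token": "p2",
        },
        "/project/gh/example-org/api/envvar?page-token=p2": {
            "items": [{"name": "NPM_TOKEN", "value": "xxxx5678"}],
            "next_page_token": None,
        },
        "/context?owner-slug=gh/example-org": {
            "items": [{"id": "ctx-1", "name": "prod"}],
            "next_page_token": None,
        },
        "/context/ctx-1/environment-variable": {
            "items": [{"variable": "DB_PASSWORD"}, {"variable": "STRIPE_KEY"}],
            "next_page_token": None,
        },
    }
    return rotation_inventory(canned.__getitem__, ["gh/example-org/api"], "gh/example-org")


if __name__ == "__main__":
    for entry in demo():
        print(f"{entry['scope']:8} {entry['where']:24} {entry['name']}")
```

Because CircleCI can only ever show you the names, the inventory is the work list, not the rotation itself: each entry points at a credential whose issuer (cloud provider, package registry, database) must mint a replacement, after which the old value is revoked there and the new one written back to the project or context it came from.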
Via: TechCrunch