
CircleCI has confirmed that one of the security incidents it recently investigated was a malware-driven theft of customer data.
The company revealed the news in a blog post that describes what happened, what it did to limit the damage, and how it plans to keep users safe in the future.
According to the blog, the laptop of an employee with elevated privileges was infected with token-stealing malware that gave the attackers the keys to the kingdom.
Data stolen for weeks
The malware managed to run on the endpoint despite the device's antivirus software. The attackers used it to steal session tokens that allowed the employee to stay logged into certain applications.
Some applications keep a session token valid long after the user logs in, even when that login used a password and multi-factor authentication (MFA), so the user remains logged in for an extended period of time. In other words, by stealing the session token, the attacker effectively bypasses any MFA the company has put in place.
After that, it was just a matter of reaching the right production systems to compromise sensitive data.
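The two paragraphs above describe why a lifted session token is as good as a completed MFA login: nothing ties the token to the device it was issued to, and nothing makes it expire. The following is an added illustration, not code from CircleCI or from the article, contrasting a naive session store with one that enforces an absolute lifetime, an idle timeout, binding to client attributes (a hypothetical choice of IP plus user agent) and revocation. Token values, users, addresses and timestamps are constructed for the example.

```python
"""
Session-token replay: an unbound, never-expiring session vs. a bound, expiring one.
Added illustration; all sample values are constructed and not taken from the incident.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

ABSOLUTE_LIFETIME = 8 * 3600   # seconds a session may live after MFA, regardless of use
IDLE_TIMEOUT = 30 * 60         # seconds of inactivity after which the session dies


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Stable hash of the request attributes a token is bound to (hypothetical choice)."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float
    fingerprint: str
    revoked: bool = False


class NaiveSessionStore:
    """A token stays valid forever once issued: a copy lifted from a laptop works anywhere."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def login_with_mfa(self, user: str, ip: str, ua: str, now: float) -> str:
        # Assume password + MFA already succeeded; issue an opaque random token.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now, client_fingerprint(ip, ua))
        return token

    def validate(self, token: str, ip: str, ua: str, now: float):
        s = self._sessions.get(token)
        return s.user if s else None


class BoundSessionStore(NaiveSessionStore):
    """Same API, but enforces lifetime, idle timeout, client binding and revocation."""

    def validate(self, token: str, ip: str, ua: str, now: float):
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return None
        if now - s.issued_at > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            self._sessions.pop(token, None)
            return None
        if not hmac.compare_digest(s.fingerprint, client_fingerprint(ip, ua)):
            # Token presented from a client it was not issued to: treat it as stolen
            # and kill the session so the legitimate holder is forced to re-authenticate.
            s.revoked = True
            return None
        s.last_seen = now
        return s.user

    def revoke_all_for_user(self, user: str) -> int:
        """Incident-response helper: invalidate every live session of one user."""
        n = 0
        for s in self._sessions.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                n += 1
        return n


def replay_demo(store_cls) -> bool:
    """Issue a token to an engineer's laptop, then replay a copy from another host two
    days later. Returns True if the replayed token is still accepted."""
    t0 = 1_700_000_000.0
    store = store_cls()
    token = store.login_with_mfa("engineer", "10.0.0.5", "Mozilla/5.0 (Macintosh)", t0)
    assert store.validate(token, "10.0.0.5", "Mozilla/5.0 (Macintosh)", t0 + 60) == "engineer"
    replayed = store.validate(token, "203.0.113.9", "python-requests/2.31", t0 + 2 * 86400)
    return replayed is not None


if __name__ == "__main__":
    print("naive store accepts replay:", replay_demo(NaiveSessionStore))
    print("bound store accepts replay:", replay_demo(BoundSessionStore))
```

Binding to IP and user agent is only a heuristic (corporate NAT and roaming clients shift both), so the absolute lifetime and a one-call revocation path are the controls that matter most during a response; the fingerprint check is there to turn a replay into a detectable event rather than a silent success.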
“Because the targeted employees had access to generate production access tokens as part of the employees’ day-to-day duties, unauthorized third parties were able to access and exfiltrate data from a subset of the database and store, including customer environment variables, tokens, and keys,” the blog notes.
Between December 16, 2022 and January 4, 2023, the threat actor moved around inside CircleCI’s infrastructure for approximately three weeks.
Even the fact that the stolen data was encrypted doesn’t help, since the attacker also obtained the encryption key.
“We encourage customers who have not already done so to prevent unauthorized access to third-party systems and stores,” the blog concluded.
CircleCI has also required its customers to rotate all secrets stored in its systems. “These may be stored in project environment variables or contexts”.