CricleCi has been in limelight due to a recent breach it revealed that disclosed data breach was due to the presence of information stealer malware being deployed on an engineer’s laptop.
An incident report published about the cyber incident, first disclosed on Jan. 4, 2023, dates to at least Dec. 16, 2022, when an unauthorized actor compromised the laptop and stole a set of privileged, two-factor authentication-backed credentials.
The result of the investigation indicates that the malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems.
The attacker then used that access to pilfer data from a subset of databases and stores, including customer environment variables, tokens, and keys. This was done by evading the traditional AV/EDR, then the actor shifted to broader reconnaissance activities on Dec. 19, before exfiltrating another batch of data on Dec. 22, including encryption keys needed to decrypt what was taken.
With the extensive access, developers must have to both internal systems, as well as production environments, it is difficult for endpoint detection systems to spot when they may be acting maliciously. These are difficult to detect because devs typically have the most production access but also require the most access to their local systems to do their jobs, rendering most endpoint protection software useless.
Even though CricleCi is confident that it has closed the attack vector used in the initial compromise and the actor no longer has access to internal CircleCi systems, they cannot guarantee that the stolen information wasn’t used to possibly compromise customer systems. The case we have recently seen in the LastPass breach, where attackers used the same attack path as earlier.
They have engaged third-party cyber security specialists to assist in our investigation and validate the findings based on analyses of our authentication, network, and monitoring tools, as well as system logs and log analyses provided by our partners.
In response to the discovery, CircleCi shut down the employee’s access, restricted access to production environments to an extremely small group of employees to maintain operations, revoked all project and personal API tokens, and rotated all GitHub OAuth tokens. He also said the company intends to learn from the breach and has taken several other steps to improve its security processes.
CircleCi disclosed earlier this week that they were partnering with AWS to rotate any potentially impacted tokens, and the newest update reveals that they also worked with software development provider Atlassian to rotate BitBucket tokens.