CircleCI hackers grabbed customer tokens and keys, CTO admits, amid warning on SaaS secrets
Infiltrators dodged antivirus, stole encryption keys from a running process
CircleCI’s hackers managed to “access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys,” the continuous integration company has admitted.
The company said in an incident report that the breach started after an engineer’s laptop was hit with malware (which eluded the company’s antivirus protections) that was used to “steal a valid, 2FA-backed SSO session.”
As the compromised engineer had “privileges to generate production access tokens as part of the employee’s regular duties”, escalating the attack was easy. The CircleCI engineer’s machine was compromised on December 16, 2022. Data exfiltration took place in December 2022. The company did not react until January 4, 2023.
CircleCI hackers extracted encryption keys from a running process
Although “all the data exfiltrated was encrypted at rest, the third party extracted encryption keys from a running process, enabling them to potentially access the encrypted data,” CircleCI admitted on January 14.
CircleCI did not say how it was first alerted to the breach, but customers have said their own systems flagged attempts to abuse cloud credential tokens they had stored in CircleCI.
CircleCI’s Chief Technology Officer (CTO) Rob Zuber said that “we have taken many steps since becoming aware of this attack, both to close the attack vector and add additional layers of security.”
These include:
- Added detection and blocking through our MDM and A/V solutions for the specific behaviors exhibited by the malware used in this attack.
- Restricted access to production environments to a very limited number of employees as we implement additional security measures.
These are both arguably shutting the stable door after the horse bolted with everybody’s data.
Zuber’s addendum that “we’re confident in our platform’s security, and we have no indication that any other employee’s device has been compromised” seems ill-advised after a comprehensive breach.
As researchers from security firm Mitiga have emphasised, “rotating” (a poor term, arguably; try “changing”) any and all secrets stored in CircleCI is not enough. Users “will have to hunt for malicious actions in all of your integrated SaaS and cloud platforms to ensure you haven't been breached on these other platforms, as well.”
“While using CircleCI platform, you integrate the platform with other SaaS platforms and Cloud providers your company uses. Examples of such platforms include: GitHub, for enabling build triggers and GitHub Checks integration. Jira, for reporting the status of builds and deployments in CircleCI Projects. Kubernetes, for managing your Kubernetes Engine clusters and node pools. AWS, for building, testing and deploying the code on AWS resources. For each integration, you need to provide the CircleCI platform with authentication tokens and secrets.
“In the case of a security incident involving your CircleCI platform, not only is your CircleCI platform in danger, but so too are all of the other SaaS platforms and Cloud providers integrated with the CircleCI, as their secrets are stored within the CircleCI platform and can be used by a threat actor to expand foothold.”
Mitiga’s helpfully illustrated guidance is here.
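One way to carry out that hunt on the AWS side, as an added example that is not from the article, Mitiga or CircleCI: given the IAM access key IDs that were stored as CircleCI environment variables, scan exported CloudTrail records for uses of those keys during the exposure window that come from outside the CI runner networks, call APIs a deploy job never needs, or fail with AccessDenied. The key ID, the runner network and the sample events are constructed for the example; the window is bounded by the compromise date (December 16, 2022) and the disclosure date (January 4, 2023) the article gives.

```python
"""Hunt CloudTrail for suspicious use of AWS keys that were stored in CircleCI.

Added example (not the article's, Mitiga's or CircleCI's code). Input is a list
of CloudTrail event records as exported from the console, S3 or Athena.
"""
import json
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Access key IDs that lived in CircleCI env vars (constructed placeholder).
CI_STORED_KEYS = {"AKIACONSTRUCTEDCIKEY"}

# Networks your CI runners legitimately call AWS from (constructed).
EXPECTED_SOURCES = [ip_network("203.0.113.0/24")]

# Exposure window: laptop compromise (Dec 16, 2022) to disclosure (Jan 4, 2023).
WINDOW_START = datetime(2022, 12, 16, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 1, 5, tzinfo=timezone.utc)

# (eventSource, eventName) pairs a deploy pipeline has no business calling;
# they are typical of someone orienting with a freshly obtained key.
RECON_OR_PERSISTENCE = {
    ("sts.amazonaws.com", "GetCallerIdentity"),
    ("iam.amazonaws.com", "CreateUser"),
    ("iam.amazonaws.com", "CreateAccessKey"),
    ("iam.amazonaws.com", "ListUsers"),
    ("s3.amazonaws.com", "ListBuckets"),
}


def parse_time(stamp):
    """CloudTrail eventTime is ISO 8601 in UTC, e.g. 2022-12-23T02:14:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def from_expected_source(ip):
    """True only for a real IP inside the CI runner networks.

    Non-IP values such as "AWS Internal" are treated as unexpected so they
    surface for review rather than being silently accepted."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in EXPECTED_SOURCES)


def hunt(events):
    """Return one finding per CI-stored-key event in the window that looks wrong."""
    findings = []
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key not in CI_STORED_KEYS:
            continue  # not one of the keys that was exposed via CircleCI
        when = parse_time(ev["eventTime"])
        if not (WINDOW_START <= when <= WINDOW_END):
            continue
        reasons = []
        if not from_expected_source(ev.get("sourceIPAddress", "")):
            reasons.append("call from outside CI runner networks")
        if (ev.get("eventSource"), ev.get("eventName")) in RECON_OR_PERSISTENCE:
            reasons.append("recon/persistence API call unusual for a pipeline")
        if ev.get("errorCode") == "AccessDenied":
            reasons.append("AccessDenied: key pushed beyond its granted permissions")
        if reasons:
            findings.append({
                "eventTime": ev["eventTime"],
                "eventName": ev.get("eventName"),
                "sourceIPAddress": ev.get("sourceIPAddress"),
                "accessKeyId": key,
                "reasons": reasons,
            })
    return findings


# Constructed sample records in CloudTrail's record shape (not real telemetry).
SAMPLE_EVENTS = json.loads("""[
 {"eventTime":"2022-12-20T09:00:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject",
  "sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","accessKeyId":"AKIACONSTRUCTEDCIKEY"}},
 {"eventTime":"2022-12-23T02:14:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity",
  "sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","accessKeyId":"AKIACONSTRUCTEDCIKEY"}},
 {"eventTime":"2022-12-23T02:16:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser",
  "sourceIPAddress":"198.51.100.7","errorCode":"AccessDenied",
  "userIdentity":{"type":"IAMUser","accessKeyId":"AKIACONSTRUCTEDCIKEY"}},
 {"eventTime":"2022-12-23T02:20:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets",
  "sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAOTHERUNRELATEDKEY"}},
 {"eventTime":"2023-02-01T12:00:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity",
  "sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","accessKeyId":"AKIACONSTRUCTEDCIKEY"}}
]""")


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["eventTime"], f["eventName"], f["sourceIPAddress"], "->", "; ".join(f["reasons"]))
```

The first record is a normal deploy (in window, expected source, ordinary action) and is not reported; the fourth uses a key that was never in CircleCI and the fifth falls after the window, so both are skipped. The hunt is deliberately scoped to the exposed keys and the exposure window so that a large CloudTrail export yields a short, reviewable list; the same three tests (source, action, error) transfer to the audit logs of GitHub, Jira or Kubernetes once you know which tokens were stored in the CI platform.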