CircleCI suffers malware-powered hack with customer data stolen. A CircleCI employee with high privileges reportedly had their laptop system compromised.
CircleCI has now confirmed that the security incident it had been investigating was a malware-enabled data theft. The company described in a blog post what happened, what it did to contain and manage the damage, and how it plans to keep customers and their data safe in future.
According to the post, an employee with elevated privileges had their laptop infected with token-stealing malware, which handed the attackers the keys to the operation. The malware ran on the endpoint even though the device had antivirus software installed. The attackers used it to harvest session tokens that kept the employee logged in to a number of internal applications.
How the Threat Actors Stole Session Tokens
Whenever a user logs in to an application, even with a password and a multi-factor authentication (MFA) factor, most applications issue a session token (typically a cookie or bearer token) that keeps the user signed in for an extended period. A session token is proof that a login already happened, so the server does not ask for the second factor again when it sees one. By stealing the employee's session tokens, the attackers effectively bypassed the MFA CircleCI had in place without ever facing an MFA prompt.
From there it was a matter of reaching the right production systems to get at sensitive data.
“Because the targeted employee had privileges to generate production access tokens as part of the employee’s regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys,” the blog states.
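The following is an added example, not code from the article or from CircleCI, showing the mechanism described above in a small server-side model: after password and MFA succeed, the application issues a session token, and a naive validator accepts that token from whoever presents it. The hardened validator alongside it applies the three controls that limit the damage from a copied token, an absolute session lifetime, binding the session to a client fingerprint, and step-up MFA for privileged operations such as minting production access tokens. The session record, the fingerprint, the eight-hour lifetime and the fifteen-minute step-up window are all assumptions chosen for illustration; nothing here describes CircleCI's own systems.

```python
"""Why a stolen session token bypasses MFA, and what a server can do about it.

Added example, not code from the article or from CircleCI. The session
record, the client fingerprint, the absolute lifetime and the step-up
window are assumptions chosen to illustrate the mechanism; nothing here
describes how CircleCI's own applications behave.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    issued_at: float
    mfa_at: float        # when this session last completed MFA
    fingerprint: str     # assumption: client attributes hashed at login


SESSIONS: Dict[str, Session] = {}

SESSION_MAX_AGE = 8 * 3600   # assumption: absolute lifetime, independent of activity
STEP_UP_WINDOW = 15 * 60     # assumption: privileged actions need MFA within 15 minutes


def login_with_mfa(user: str, fingerprint: str, now: float) -> str:
    """Password and MFA succeed; the app issues a session token.

    From here on the token alone proves identity. That is the gap the
    malware exploited: it never had to answer an MFA prompt."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = Session(user, now, now, fingerprint)
    return token


def naive_authenticate(token: str, fingerprint: str, now: float) -> Optional[str]:
    """Accept any known token, whoever presents it and however old it is."""
    s = SESSIONS.get(token)
    return s.user if s else None


def hardened_authenticate(token: str, fingerprint: str, now: float,
                          privileged: bool = False) -> Optional[str]:
    """Three checks the naive version lacks.

    1. Absolute expiry: a copied token is useful only until the session dies.
    2. Fingerprint binding: a token replayed from a different client is refused.
    3. Step-up: privileged actions (for example minting production access
       tokens) require a recent MFA completion, not merely a live session."""
    s = SESSIONS.get(token)
    if s is None:
        return None
    if now - s.issued_at > SESSION_MAX_AGE:
        del SESSIONS[token]
        return None
    if not hmac.compare_digest(s.fingerprint, fingerprint):
        return None
    if privileged and now - s.mfa_at > STEP_UP_WINDOW:
        return None   # caller must re-prompt for MFA, then call complete_step_up_mfa
    return s.user


def complete_step_up_mfa(token: str, now: float) -> None:
    """Record a fresh MFA completion on an existing session."""
    SESSIONS[token].mfa_at = now


def demo() -> Dict[str, bool]:
    """Replay a token stolen from 'laptop-A' on 'attacker-box' six hours later."""
    t0 = time.time()
    tok = login_with_mfa("release-eng", "laptop-A", now=t0)
    later = t0 + 6 * 3600
    results = {
        "naive_accepts_replay":
            naive_authenticate(tok, "attacker-box", later) == "release-eng",
        "hardened_rejects_replay":
            hardened_authenticate(tok, "attacker-box", later) is None,
        "hardened_allows_owner_ordinary":
            hardened_authenticate(tok, "laptop-A", later) == "release-eng",
        "hardened_blocks_owner_privileged_without_fresh_mfa":
            hardened_authenticate(tok, "laptop-A", later, privileged=True) is None,
    }
    complete_step_up_mfa(tok, later)
    results["hardened_allows_privileged_after_step_up"] = (
        hardened_authenticate(tok, "laptop-A", later, privileged=True) == "release-eng")
    results["hardened_expires"] = hardened_authenticate(tok, "laptop-A", t0 + 9 * 3600) is None
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

Of the three controls, fingerprint binding is the weakest against malware on the endpoint itself, since the malware can copy whatever the browser sends or simply proxy through the infected machine. Short absolute lifetimes, step-up MFA before privileged actions, and prompt revocation of every session once a compromise is suspected are what actually shrink the window an attacker has with a stolen token.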
The Threat Actors Were in CircleCI’s Infrastructure for Three Weeks
The attackers were inside CircleCI's infrastructure for roughly three weeks, from December 16, 2022 to January 4, 2023. That the stolen data was encrypted at rest did not help much either, because the attackers obtained the encryption keys as well.
The Company’s Advice to Users on How to Stay Safe
The post concluded: “We encourage customers who have yet to take action to do so in order to prevent unauthorized access to third-party systems and stores.”
CircleCI has asked its customers to rotate any and all secrets stored in its systems. “These may be stored in project environment variables or in contexts,” the post notes.
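The following is an added example, not code from the article or from CircleCI, of the inventory-then-overwrite loop that advice implies: list every variable a project and a context hold, push the replacement values the operator has already minted, and report by name anything still carrying an old value so nothing is missed. It assumes the CircleCI v2 REST endpoints named in the comments and the response shapes in the constructed sample data, none of which the article describes, so verify them against the current API reference before relying on it. Replacement values come from the caller because revoking the old credential at the issuing provider and creating a new one happens outside CircleCI, and that is the step that actually removes the attacker's access.

```python
"""Inventory and overwrite the secrets CircleCI holds for a project and a context.

Added example, not code from the article or from CircleCI. The endpoints,
response shapes and sample data below are assumptions; check them against
the current CircleCI API reference. New values are supplied by the caller:
revoking and re-issuing credentials at the provider happens outside CircleCI.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Optional

API = "https://circleci.com/api/v2"
# A transport: (method, url, json_body_or_None) -> parsed JSON response.
Request = Callable[[str, str, Optional[dict]], dict]


def circleci_transport(api_token: str) -> Request:
    """Real transport. api_token should be a freshly issued token, since any
    token that existed during the breach window is itself suspect."""
    def _do(method: str, url: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Circle-Token": api_token,
            "Content-Type": "application/json",
            "Accept": "application/json",
        })
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return _do


def list_project_envvars(request: Request, slug: str) -> List[str]:
    # assumption: GET /project/{slug}/envvar -> {"items": [{"name": ..., "value": masked}]}
    data = request("GET", f"{API}/project/{slug}/envvar", None)
    return [i["name"] for i in data.get("items", [])]


def list_context_envvars(request: Request, context_id: str) -> List[str]:
    # assumption: GET /context/{id}/environment-variable -> {"items": [{"variable": ...}]}
    data = request("GET", f"{API}/context/{context_id}/environment-variable", None)
    return [i["variable"] for i in data.get("items", [])]


def rotate_project_secrets(request: Request, slug: str,
                           new_values: Dict[str, str]) -> Dict[str, str]:
    """Overwrite every project variable that has a replacement and flag the rest,
    so the report shows exactly which names still carry a pre-breach value."""
    report: Dict[str, str] = {}
    for name in list_project_envvars(request, slug):
        if name in new_values:
            # assumption: POST with an existing name replaces the stored value
            request("POST", f"{API}/project/{slug}/envvar",
                    {"name": name, "value": new_values[name]})
            report[name] = "rotated"
        else:
            report[name] = "NOT ROTATED"
    return report


def rotate_context_secrets(request: Request, context_id: str,
                           new_values: Dict[str, str]) -> Dict[str, str]:
    """Same loop for a context; contexts are easy to forget because they are
    shared across projects rather than visible in any one project's settings."""
    report: Dict[str, str] = {}
    for name in list_context_envvars(request, context_id):
        if name in new_values:
            # assumption: PUT /context/{id}/environment-variable/{name} with {"value": ...}
            request("PUT", f"{API}/context/{context_id}/environment-variable/{name}",
                    {"value": new_values[name]})
            report[name] = "rotated"
        else:
            report[name] = "NOT ROTATED"
    return report


# Constructed sample data standing in for API responses, so the example runs offline.
CONTEXT_ID = "c0ffee00-0000-4000-8000-000000000000"   # assumption: a context UUID
SAMPLE = {
    f"{API}/project/gh/example-org/api/envvar":
        {"items": [{"name": "AWS_ACCESS_KEY_ID", "value": "xxxxABCD"},
                   {"name": "AWS_SECRET_ACCESS_KEY", "value": "xxxx9f3e"},
                   {"name": "NPM_TOKEN", "value": "xxxx1a2b"}]},
    f"{API}/context/{CONTEXT_ID}/environment-variable":
        {"items": [{"variable": "DOCKERHUB_PASSWORD"}]},
}


def fake_transport(log: List[tuple]) -> Request:
    """Offline transport: serves SAMPLE for GETs and records every write."""
    def _do(method: str, url: str, body: Optional[dict]) -> dict:
        if method == "GET":
            return SAMPLE.get(url, {"items": []})
        log.append((method, url, body))
        return {}
    return _do


def demo() -> dict:
    writes: List[tuple] = []
    request = fake_transport(writes)
    # The operator has already issued new AWS keys but has not yet replaced NPM_TOKEN.
    new_aws = {"AWS_ACCESS_KEY_ID": "AKIA-NEW", "AWS_SECRET_ACCESS_KEY": "new-secret"}
    project = rotate_project_secrets(request, "gh/example-org/api", new_aws)
    context = rotate_context_secrets(request, CONTEXT_ID, {"DOCKERHUB_PASSWORD": "new-hub-pass"})
    return {"project": project, "context": context, "writes": len(writes)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run against the real API by swapping `fake_transport` for `circleci_transport(<new token>)`. The loop covers only environment variables; personal and project API tokens, SSH keys and anything else the attackers could have read from the exfiltrated stores still have to be revoked and re-issued separately, and the report's "NOT ROTATED" entries are the to-do list.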