CircleCI Confirms Data Breach Was Caused By Infostealer on Employee Laptop

Continuous integration and delivery platform CircleCI has confirmed that a data breach that occurred on January 4, 2023 was caused by an infostealer deployed on employee laptops.

“An unauthorized third party used malware deployed on CircleCI engineers’ laptops to [steal a] 2FA [two-factor authentication]-based SSO [single sign-on] session. This machine was compromised on December 16, 2022,” CircleCI wrote in a blog post on Friday.

According to CircleCI CTO Rob Zuber, the malware was not detected by the company’s antivirus program.

“Our research has shown that malware can perform session cookie theft, impersonating a target employee at a remote location and escalating access to a subset of production systems,” Zuber explained.

The executive added that the targeted employee had the privilege to generate production access tokens, which could allow the attacker to access a subset of databases and stores to steal data.

“Although all the stolen data was encrypted at rest, a third party could have extracted the encryption key from the running process and could have accessed the encrypted data,” Zuber warned.

Despite the data breach and the ongoing investigation, the CTO said that customers can now safely build using the CircleCI platform.

“Since becoming aware of this attack, we have taken many steps to close the attack vector and add an additional layer of security.”

This includes adding detection and blocking of techniques used by malware through the company’s MDM and A/V solutions.

CircleCI says it has restricted access to its production environment to a “very limited number” of employees. The company also reported that it has implemented additional security measures.

“We have added additional step-up authentication procedures and controls for employees who maintain access to our production environment.”

Zuber concluded that there was no way of knowing if a particular secret was used to gain unauthorized access to third-party systems.

“If you stored secrets on the platform during this period, please assume they have been accessed and take the recommended mitigation.”

The blog post comes about two months after a data breach affecting Dropbox in which attackers impersonated CircleCI employees.
