Malware Attack on CircleCI Engineer’s Laptop Leads to Recent Security Incident

January 14, 2023 | Ravie Lakshmanan | DevOps / Data Security


DevOps platform CircleCI disclosed on Friday that the company’s systems and data were compromised last month after unidentified attackers infected an employee’s laptop with malware and used it to steal credentials that were protected by two-factor authentication.

CI/CD service CircleCI said a “sophisticated attack” occurred on December 16, 2022, and the malware was not detected by the company’s antivirus software.

CircleCI CTO Rob Zuber said in the incident report:

Further analysis of the security breach revealed that an unauthorized third party had stolen data from a subset of the company’s databases by abusing the elevated privileges granted to the targeted employee. This data included customers’ environment variables, tokens, and keys.

The threat actor is believed to have conducted reconnaissance activities on December 19, 2022 and performed data exfiltration steps on December 22, 2022.

“Although all the stolen data was encrypted at rest, a third party could potentially extract the encryption key from the running process and access the encrypted data,” Zuber said.

The development comes just over a week after CircleCI urged customers to rotate all of their secrets, having been warned by one of its customers about “suspicious GitHub OAuth activity” on December 29, 2022.

Upon learning that a customer’s OAuth tokens had been compromised, the company said it took proactive steps to rotate all GitHub OAuth tokens, worked with Atlassian to rotate all Bitbucket tokens, rotated project API tokens, revoked personal API tokens, and notified customers of AWS tokens that may have been affected.

CircleCI says it’s incorporating more authentication guardrails to not only limit access to production environments, but to prevent unauthorized access even if credentials are stolen.

Additionally, the company is introducing options for users to “adopt the latest and most advanced security features available”, and plans to begin regular automatic OAuth token rotation to help all customers prevent such attacks in the future.
