CircleCI has confirmed that the security incident it had been investigating was a malware-enabled data theft.
The company revealed the news in a blog post that describes what happened, what it did to contain the damage, and how it plans to keep its customers safe in the future.
According to the post, a highly privileged employee's laptop was infected with session-token-stealing malware that handed the attackers the keys to the kingdom.
Data theft for weeks
The malware ran on the endpoint even though the device had antivirus installed. The attackers used it to capture session tokens that kept the employee logged into certain applications.
When a user logs into an app, even with a password and a multi-factor authentication (MFA) factor, many apps issue a session token that keeps the user logged in for an extended period. Whoever presents that token is treated as the already-authenticated user, so by stealing session tokens the attackers sidestepped the MFA the company had set up: MFA was not broken, it simply was never asked for again.
From there it was a matter of reaching the relevant production systems and compromising sensitive data.
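The mechanism above, as an added example rather than anything from CircleCI's own systems: a minimal session store in which a token issued after password plus MFA is accepted from any machine that replays it (the naive check), beside a variant that binds the session to the client that logged in and expires it. All names, client attributes and timings are constructed for the example.

```python
"""Added example (not CircleCI's code): why a stolen session token sidesteps MFA,
and one server-side mitigation. Every name and value here is constructed."""
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # constructed; a real service uses a managed key

# session hash -> record. A real service keeps this in a store such as Redis.
SESSIONS = {}


def _fingerprint(client):
    """Keyed hash of attributes the client presents on every request (constructed: UA + IP)."""
    raw = f"{client['user_agent']}|{client['ip']}".encode()
    return hmac.new(SERVER_KEY, raw, hashlib.sha256).hexdigest()


def _key(token):
    # Store only a hash so a read of the session table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def login(user, client, mfa_ok, now=None, ttl=8 * 3600):
    """Issue a bearer token after password + MFA succeed. MFA is checked here and never again."""
    if not mfa_ok:
        raise PermissionError("MFA required")
    if now is None:
        now = time.time()
    token = secrets.token_urlsafe(32)
    SESSIONS[_key(token)] = {
        "user": user,
        "fingerprint": _fingerprint(client),
        "expires": now + ttl,
    }
    return token


def authorize(token, client, bind_to_client=True, now=None):
    """Validate a bearer token and return the user it belongs to, or None.

    With bind_to_client=False this is the naive check: any holder of the token,
    on any machine, is the authenticated user and no MFA prompt is ever triggered.
    """
    if now is None:
        now = time.time()
    rec = SESSIONS.get(_key(token))
    if rec is None or now > rec["expires"]:
        return None
    if bind_to_client and not hmac.compare_digest(rec["fingerprint"], _fingerprint(client)):
        return None  # token presented from a different client: treat as stolen
    return rec["user"]


def revoke_all_for(user):
    """Kill every session for a user; the first response step once token theft is suspected."""
    doomed = [k for k, v in SESSIONS.items() if v["user"] == user]
    for k in doomed:
        del SESSIONS[k]
    return len(doomed)


def demo():
    """Replay a token lifted from the engineer's laptop from an attacker-controlled host."""
    SESSIONS.clear()
    laptop = {"user_agent": "Mozilla/5.0 (Macintosh)", "ip": "203.0.113.10"}  # constructed
    attacker = {"user_agent": "python-requests/2.31", "ip": "198.51.100.7"}  # constructed
    token = login("engineer", laptop, mfa_ok=True)
    naive = authorize(token, attacker, bind_to_client=False)  # "engineer": MFA never re-asked
    bound = authorize(token, attacker, bind_to_client=True)  # None: replay from new client rejected
    return naive, bound
```

Binding to user agent and IP is a blunt instrument (it breaks for roaming users and is forgeable by malware that proxies through the victim's own machine), so treat it as one layer alongside short session lifetimes, re-prompting for MFA before privileged actions such as minting production tokens, and the ability to revoke every session for a user on demand.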
“Since the designated employee was authorized to generate production access tokens as part of their normal duties, an unauthorized third party could access and exfiltrate data from a subset of databases and stores, including client environment variables, tokens and keys,” the blog notes.
The intruders had access to CircleCI's infrastructure for about three weeks, from December 16, 2022 to January 4, 2023.
Encryption of the stored data did not help either, as the attackers also obtained the encryption keys.
“We encourage customers who have not yet taken action to do so to prevent unauthorized access to third-party systems and stores,” the blog concluded.
CircleCI has asked its customers to rotate any secrets stored in its systems. “These can be stored in project environment variables or in contexts.”
Via: TechCrunch
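To turn that advice into a checklist, here is an added example (my code, not CircleCI's) that walks both places the post names, project environment variables and contexts, and collects every secret name to rotate, then pushes replacement values. The endpoint paths, the `Circle-Token` header, the `page-token`/`next_page_token` pagination and the response field names follow CircleCI API v2 as I know it and should be verified against the current documentation; `fake_send` and the `gh/example` organization are constructed so the block runs offline.

```python
"""Added example (not CircleCI's code): inventory and rotate secrets held in
CircleCI project environment variables and contexts via API v2 (endpoints assumed)."""
import json
import urllib.parse
import urllib.request

API = "https://circleci.com/api/v2"


def make_sender(circle_token):
    """Return send(method, path, params, body) that talks to the real API."""
    def send(method, path, params=None, body=None):
        url = f"{API}{path}"
        if params:
            url += "?" + urllib.parse.urlencode(params)
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Circle-Token", circle_token)  # personal API token; header name assumed
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send


def _paged(send, path, params=None):
    """Yield items across pages, following next_page_token until it is empty."""
    params = dict(params or {})
    while True:
        page = send("GET", path, params)
        yield from page.get("items", [])
        if not page.get("next_page_token"):
            return
        params["page-token"] = page["next_page_token"]


def inventory(send, owner_slug, project_slugs):
    """Every secret location to rotate as (kind, where, name).

    The API masks values, so only names come back; that is all a checklist needs.
    """
    todo = []
    for slug in project_slugs:
        for var in _paged(send, f"/project/{slug}/envvar"):
            todo.append(("project", slug, var["name"]))
    for ctx in _paged(send, "/context", {"owner-slug": owner_slug}):
        for var in _paged(send, f"/context/{ctx['id']}/environment-variable"):
            todo.append(("context", ctx["name"], var["variable"]))
    return todo


def set_project_var(send, slug, name, value):
    """Create or replace a project environment variable (POST with an existing name overwrites)."""
    return send("POST", f"/project/{slug}/envvar", body={"name": name, "value": value})


def set_context_var(send, context_id, name, value):
    """Create or replace an environment variable inside a context."""
    return send("PUT", f"/context/{context_id}/environment-variable/{name}", body={"value": value})


# Constructed offline stand-in for send(), keyed by (path, page-token); shapes mimic the API.
_FAKE = {
    ("/project/gh/example/api/envvar", None): {
        "items": [{"name": "AWS_SECRET_ACCESS_KEY", "value": "xxxx1234"}], "next_page_token": "p2"},
    ("/project/gh/example/api/envvar", "p2"): {
        "items": [{"name": "DOCKER_PASSWORD", "value": "xxxx5678"}], "next_page_token": None},
    ("/context", None): {"items": [{"id": "c0ffee", "name": "prod-deploy"}], "next_page_token": None},
    ("/context/c0ffee/environment-variable", None): {
        "items": [{"variable": "NPM_TOKEN", "context_id": "c0ffee"}], "next_page_token": None},
}


def fake_send(method, path, params=None, body=None):
    """Offline substitute for make_sender(): echoes writes, serves canned reads."""
    if method in ("POST", "PUT"):
        return {"path": path, "body": body}
    return _FAKE[(path, (params or {}).get("page-token"))]


def demo():
    return inventory(fake_send, "gh/example", ["gh/example/api"])
```

Writing a new value into CircleCI is only the second half of a rotation: the attackers already hold the old value, so each credential must first be re-issued and the old one revoked at the provider that minted it (the cloud account, the registry, the package index), and only then written back with `set_project_var` or `set_context_var`. Run `inventory` once more afterwards and diff it against the checklist so nothing is missed.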