Researchers believe the recently disclosed CircleCI security breach may also impact other cloud third-party applications. After the company issued a warning for users to rotate all secrets stored in CircleCI, researchers at Mitiga published a technical blog today which highlighted the potential repercussions of the incident for other SaaS and Cloud providers that interact with the platform.
Mitiga
Following a security breach that affected its customers, CircleCI, a cloud software development platform used by over 1 million developers, is sharing details of the incident and the lessons learned. Its security team is also working to strengthen defenses against future attacks.
In mid-December, an engineering employee's laptop was infected with malware. This allowed attackers to steal session tokens, which let users log in to applications without re-entering their passwords or completing two-factor authentication each time they access the application. With those tokens the intruders could impersonate the engineer and gain access to a subset of CircleCI production systems containing customer data.
Because the compromised employee, like many engineers, routinely held the privilege of generating production access tokens, the attackers were able to escalate their access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens and keys, even though these keys were encrypted at rest and not accessible by CircleCI.
Following this breach, the company has restricted access to its production environments to a small number of employees and is taking steps to strengthen its security controls. It also urges any users with production environment access to take action to prevent unauthorized third-party access to their systems.
The CircleCI breach illustrates the limitations of traditional application security tools, showing that they do not guarantee 100% coverage of software supply chains. As a result, security teams need to have a seat at the table and collaborate with DevOps and DevSecOps teams in order to safeguard their software supply chains.
Slack
Slack is a cloud-based messaging platform that integrates multiple software tools and apps to simplify communication. It also integrates with data loss prevention (DLP) providers so that sensitive information does not leave the company.
Slack provides a searchable history of all conversations to quickly locate messages, direct messages and channels. Furthermore, Slack provides security features to help manage data and meet compliance standards.
CircleCI, a popular cloud-based continuous integration and deployment (CI/CD) platform with tens of thousands of customers, recently experienced an extensive security breach that underscores the significance of two-factor authentication (2FA). An attacker used malware on an engineer's laptop to steal a genuine 2FA session cookie, which allowed them to impersonate the employee remotely. The attack then spread into a subset of CircleCI production systems that store customer data.
In mid-December, malware was installed on an engineering employee's laptop and went undetected by antivirus software. Using the stolen session tokens, the attackers accessed a subset of CircleCI's systems, including customer environment variables, API keys and tokens, without the company's authorization.
After the incident, CircleCI issued a reminder to its users to rotate all secrets stored on its platform, including SSH keys, API tokens, user and project environment variables, and context variables. It also suggested adding extra layers of protection to CI/CD pipelines by using OAuth tokens, environment variables, and contexts instead of storing long-lived credentials directly within CircleCI's platform.
Researchers believe the recent CircleCI security breach may extend to other cloud third-party applications whose credentials and secrets are integrated with CircleCI. Companies must therefore proactively identify any SaaS or cloud platforms that have been adversely affected by this incident.
GitHub
CircleCI is a continuous integration and delivery (CI/CD) platform that automates software development and code deployment. It has tens of thousands of customers worldwide; companies such as Google, Peloton and Asana use it to simplify the process of building and releasing new versions of their products quickly.
Through its GitHub integration, users can quickly review code changes and receive feedback before they are merged into master. The company also provides a mobile version of the app that enables code review on the go.
In the recent breach, a user's session token was stolen and attackers gained access to some of CircleCI's production systems. The hackers also stole encrypted data along with its decryption keys.
The attack began when a CircleCI employee downloaded malware onto their Mac laptop. The malware accessed PTX files, a transcript file format widely used by universities and other organizations to store electronic transcripts; PTX files can contain text, images and video and may be shared among multiple individuals.
According to CircleCI's post-mortem investigation, the malware had infiltrated the computer and was waiting for the employee to open a PTX document before downloading it. Once the infection was identified, CircleCI immediately blocked the device and revoked its access rights.
CircleCI has now issued a recommendation to its customers: rotate all secrets stored in the system, including OAuth tokens, project API tokens, environment variables and context variables, as well as user API tokens. In addition, OIDC tokens should be used in place of stored long-lived credentials, IP ranges should be used to restrict connections to known IP addresses, and shared environment variables across projects should be rotated automatically via API call.
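The rotation advice above (and the same advice in the earlier Mitiga section) is a procedure a platform team ends up scripting, because a compromise of the CI platform means every value it held has to be treated as exposed. The script below is an added example written for this article, not CircleCI's own tooling: it walks a project's environment variables and a shared context's variables through the CircleCI v2 API and overwrites each with a fresh value. The endpoint paths, the `Circle-Token` header, the `items`/`name`/`variable` response fields and the assumption that POSTing an existing variable name replaces its value are taken from the v2 API reference as I know it and should be checked against the current docs before a live run; the project slug, context id and variable names are constructed placeholders. The `RecordingTransport` lets you dry-run the plan offline and see exactly which writes would be issued.

```python
"""Rotate every CircleCI project environment variable and context variable
through the CircleCI v2 REST API, overwriting each one with a freshly
generated value.

Endpoints (assumed from the v2 API reference; confirm before use):
  GET  /api/v2/project/{project-slug}/envvar
  POST /api/v2/project/{project-slug}/envvar                      body {"name","value"}
  GET  /api/v2/context/{context-id}/environment-variable
  PUT  /api/v2/context/{context-id}/environment-variable/{name}   body {"value"}

Only the CircleCI side is handled here; the secret's origin (an AWS key,
a package registry token, ...) must be rotated separately and the new
value pushed in place of the random placeholder generated below."""

import json
import secrets
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

API_BASE = "https://circleci.com/api/v2"

# A transport is any callable (method, url, json_body_or_None) -> parsed JSON.
Transport = Callable[[str, str, Optional[dict]], dict]


def http_transport(token: str) -> Transport:
    """Live transport: authenticates with the Circle-Token header."""
    def send(method: str, url: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Circle-Token", token)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}
    return send


class RecordingTransport:
    """Offline stand-in: serves constructed listings and records every write,
    so a rotation run can be dry-run and inspected without touching the API."""

    def __init__(self, project_vars: List[str], context_vars: List[str]):
        self.project_vars = project_vars
        self.context_vars = context_vars
        self.writes: List[Tuple[str, str, dict]] = []

    def __call__(self, method: str, url: str, body: Optional[dict]) -> dict:
        if method == "GET" and url.endswith("/envvar"):
            # The real listing masks values; only names matter for rotation.
            return {"items": [{"name": n, "value": "xxxx"} for n in self.project_vars]}
        if method == "GET" and url.endswith("/environment-variable"):
            # Context listings expose the name under the key "variable" (assumed).
            return {"items": [{"variable": n} for n in self.context_vars]}
        self.writes.append((method, url, body or {}))
        return {}


def new_secret_value() -> str:
    """256-bit URL-safe random placeholder; replace with the real new secret."""
    return secrets.token_urlsafe(32)


def rotate_project_envvars(project_slug: str, transport: Transport) -> List[str]:
    """Overwrite each variable on a project. POSTing an existing name replaces
    its value in place (assumed API behaviour). Returns the rotated names."""
    url = f"{API_BASE}/project/{project_slug}/envvar"
    rotated: List[str] = []
    for item in transport("GET", url, None).get("items", []):
        transport("POST", url, {"name": item["name"], "value": new_secret_value()})
        rotated.append(item["name"])
    return rotated


def rotate_context_envvars(context_id: str, transport: Transport) -> List[str]:
    """Same for a shared context, which may feed secrets to many projects."""
    base = f"{API_BASE}/context/{context_id}/environment-variable"
    rotated: List[str] = []
    for item in transport("GET", base, None).get("items", []):
        name = item["variable"]
        transport("PUT", f"{base}/{name}", {"value": new_secret_value()})
        rotated.append(name)
    return rotated


def rotate_all(project_slugs: List[str], context_ids: List[str],
               transport: Transport) -> Dict[str, List[str]]:
    """Rotate across all given projects and contexts; returns what was touched."""
    report: Dict[str, List[str]] = {}
    for slug in project_slugs:
        report[f"project:{slug}"] = rotate_project_envvars(slug, transport)
    for ctx in context_ids:
        report[f"context:{ctx}"] = rotate_context_envvars(ctx, transport)
    return report


if __name__ == "__main__":
    # Constructed dry run; swap in http_transport(os.environ["CIRCLE_TOKEN"]) to go live.
    dry = RecordingTransport(["AWS_SECRET_ACCESS_KEY", "NPM_TOKEN"], ["DEPLOY_KEY"])
    print(json.dumps(rotate_all(["gh/example-org/example-repo"], ["ctx-placeholder"], dry), indent=2))
    for method, url, body in dry.writes:
        print(method, url, sorted(body))
```

Overwriting with a random value rather than deleting the variable keeps builds failing loudly (the old secret is gone) while preserving the variable names an audit can check; the real replacement value, minted at the secret's origin, is then written over the placeholder.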
AWS
Amazon Web Services (AWS) is a cloud computing platform that gives companies the freedom to pay only for the resources they use. Additionally, AWS allows them to quickly scale infrastructure up or down according to demand.
Services provided by AWS include servers, storage, databases and other applications, which can be used for anything from simple websites to complex business-critical applications.
AWS operates data centers in multiple regions around the world and uses availability zones (AZs) so that each region can support customers' requirements regardless of distance. These AZs are isolated from one another for high performance, reliability and security.
The company has earned a reputation as one of the most dependable cloud providers and remains the largest in this space. It also provides IT organizations with numerous tools for monitoring their cloud environments and the applications that run on them.
Organizations should therefore make sure they have the necessary security measures in place, including monitoring cloud-based applications with AWS security tools and software.
Security Hub for AWS subscribers offers a central hub to collect data and security alerts from various AWS security products. With the application, users can capture events, prioritize them, and create workflows to automatically respond to threats.
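The IP-range restriction recommended in the GitHub section above and the alert triage described for Security Hub here come together in a simple post-incident hunt: once you know which AWS access keys lived in CI secrets, every use of those keys from outside the CI provider's egress ranges, and every use after the date they should have been rotated, is worth a ticket. The following detector is an added example written for this article, not an AWS or CircleCI tool. It consumes CloudTrail-style JSON lines; the events, the CIDR ranges and the access key ids are constructed placeholders, and the rotation deadline is an arbitrary constructed date, not a figure from the incident.

```python
"""Scan CloudTrail-style records for use of AWS access keys that were stored
as CI secrets, flagging (a) calls from outside the CI provider's published
egress ranges and (b) any call after the date by which the keys should
have been rotated. The events, ranges and key ids below are constructed
placeholders, not data from the incident."""

import ipaddress
import json
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

# Placeholder egress ranges for CI runners (a real list comes from the provider).
ALLOWED_CI_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]
# Placeholder ids of access keys that lived in CI environment variables/contexts.
CI_STORED_KEY_IDS = {"AKIAEXAMPLECIKEY0001"}
# Keys were meant to be rotated by this (constructed) time; later use means rotation was missed.
ROTATION_DEADLINE = datetime(2023, 1, 5, tzinfo=timezone.utc)

# Constructed sample: one JSON CloudTrail-like event per line.
SAMPLE_EVENTS = """\
{"eventTime":"2023-01-03T09:12:44Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"203.0.113.17","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLECIKEY0001"}}
{"eventTime":"2023-01-03T23:41:02Z","eventSource":"secretsmanager.amazonaws.com","eventName":"ListSecrets","sourceIPAddress":"192.0.2.77","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLECIKEY0001"}}
{"eventTime":"2023-01-06T08:00:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"198.51.100.9","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLECIKEY0001"}}
{"eventTime":"2023-01-06T08:05:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"192.0.2.77","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEOTHERKEY2"}}
{"eventTime":"2023-01-07T12:30:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","sourceIPAddress":"192.0.2.77","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLECIKEY0001"}}
"""


def parse_time(value: str) -> datetime:
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def source_in_ci_ranges(source: str) -> bool:
    """False for addresses outside the ranges and for non-IP sources
    (CloudTrail puts a service hostname there for AWS-internal calls)."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_CI_RANGES)


def evaluate(event: dict) -> Optional[Dict[str, object]]:
    """Return a finding for one event, or None if it is not of interest."""
    key_id = event.get("userIdentity", {}).get("accessKeyId")
    if key_id not in CI_STORED_KEY_IDS:
        return None
    reasons: List[str] = []
    if not source_in_ci_ranges(event.get("sourceIPAddress", "")):
        reasons.append("source outside CI egress ranges")
    if parse_time(event["eventTime"]) > ROTATION_DEADLINE:
        reasons.append("key used after rotation deadline")
    if not reasons:
        return None
    return {
        "time": event["eventTime"],
        "key": key_id,
        "action": f'{event["eventSource"]}:{event["eventName"]}',
        "source": event.get("sourceIPAddress"),
        "severity": "high" if len(reasons) == 2 else "medium",
        "reasons": reasons,
    }


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Run evaluate() over JSON lines, skipping blank or malformed ones."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = evaluate(event)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS.splitlines()):
        print(f["severity"].upper(), f["time"], f["action"], f["source"], "; ".join(f["reasons"]))
```

On the constructed sample the `ListSecrets` call from an unknown address and the `GetCallerIdentity` call after the deadline each rate medium, while the `CreateAccessKey` call that is both out of range and past the deadline rates high; a key creating further keys is exactly the persistence step a defender wants surfaced first.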
The CircleCI breach serves as a stark reminder of how vulnerable cloud third-party applications can be to security risks. It serves as an urgent wakeup call to all CI/CD vendors and their customers alike.
GCP
Google Cloud Platform (GCP) is an infrastructure for hosting and deploying applications. It provides a range of services, such as storage and databases, compute, and networking, that can be managed across multiple zones or regions.
GCP customers pay for their resources on a per-minute basis, rather than leasing physical servers. Plus, GCP specializes in high-end computing offerings like machine learning and big data processing.
CircleCI, a popular CI/CD tool with tens of thousands of users, assists developers in building, testing and deploying software. Unfortunately, it was recently breached by hackers who stole credentials from an engineer.
In the incident, a threat actor infected an engineer's laptop with malware and gained access to their two-factor authentication (2FA)-backed single sign-on (SSO) session. This granted them access to some of CircleCI's production systems. The attackers then exfiltrated data from several databases and stores at CircleCI, including customer environment variables, tokens, and keys, without detection.
On December 22, 2022, an attack occurred. All data exfiltrated was encrypted at rest; however, the attacker was able to extract encryption keys from a running process, giving them potential access to the information.
In response to the incident, CircleCI informed its customers and urged them to "immediately rotate any and all secrets." It also encouraged users to take extra security precautions: adding more authentication guardrails that prevent illegitimate access even when credentials are stolen; revoking project and personal API tokens and rotating all GitHub OAuth tokens; and limiting access to production environments.
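The "authentication guardrails that prevent illegitimate access even when credentials are stolen" point deserves a concrete shape, since the attack described throughout this piece succeeded by replaying a valid session rather than by defeating the login. The code below is an added example written for this article and is not CircleCI's own session logic: it models three guardrails a session store can enforce, an absolute lifetime, an idle timeout, and a fresh second-factor (step-up) requirement for privileged actions such as minting production access tokens. The thresholds, the action names and the replayed timeline are illustrative choices, not values from the incident.

```python
"""Session guardrails that shrink what a stolen session cookie is worth:
an absolute lifetime, an idle timeout, and a fresh MFA (step-up) requirement
for privileged actions such as minting production access tokens. Thresholds
and action names are illustrative choices, not CircleCI's own policy."""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Tuple

ABSOLUTE_LIFETIME = timedelta(hours=12)
IDLE_TIMEOUT = timedelta(minutes=30)
STEP_UP_WINDOW = timedelta(minutes=10)
PRIVILEGED_ACTIONS = {"issue_production_token", "read_customer_secrets"}


@dataclass
class Session:
    user: str
    issued_at: datetime
    last_seen: datetime
    last_mfa_at: datetime  # most recent successful second-factor challenge


class SessionGuard:
    """Decides whether a presented session may perform an action right now."""

    def __init__(self, clock: Callable[[], datetime]):
        self.clock = clock  # injectable so timelines can be replayed offline

    def authorize(self, session: Session, action: str) -> Tuple[bool, str]:
        now = self.clock()
        if now - session.issued_at > ABSOLUTE_LIFETIME:
            return False, "denied: session older than absolute lifetime"
        if now - session.last_seen > IDLE_TIMEOUT:
            return False, "denied: idle timeout exceeded"
        if action in PRIVILEGED_ACTIONS and now - session.last_mfa_at > STEP_UP_WINDOW:
            # A replayed cookie cannot satisfy this without the second factor.
            return False, "denied: step-up MFA required for privileged action"
        session.last_seen = now
        return True, "allowed"

    def record_mfa(self, session: Session) -> None:
        """Called after a successful second-factor challenge."""
        session.last_mfa_at = self.clock()


def replay_timeline() -> List[Tuple[bool, str]]:
    """Constructed timeline: the legitimate engineer logs in, then the same
    cookie is presented later for a privileged action. Returns the verdicts."""
    t0 = datetime(2022, 12, 16, 9, 0, tzinfo=timezone.utc)  # constructed start time
    current = {"now": t0}
    guard = SessionGuard(lambda: current["now"])
    s = Session("engineer", issued_at=t0, last_seen=t0, last_mfa_at=t0)
    verdicts: List[Tuple[bool, str]] = []

    current["now"] = t0 + timedelta(minutes=5)
    verdicts.append(guard.authorize(s, "view_dashboard"))          # allowed
    verdicts.append(guard.authorize(s, "issue_production_token"))  # allowed: MFA is 5 min old

    current["now"] = t0 + timedelta(minutes=25)   # cookie replayed while the user is still active
    verdicts.append(guard.authorize(s, "view_dashboard"))          # allowed: ordinary action
    verdicts.append(guard.authorize(s, "issue_production_token"))  # denied: MFA is 25 min old

    current["now"] = t0 + timedelta(hours=2)      # replayed again after the user walked away
    verdicts.append(guard.authorize(s, "view_dashboard"))          # denied: idle timeout
    return verdicts


if __name__ == "__main__":
    for ok, reason in replay_timeline():
        print("ALLOW" if ok else "DENY ", reason)
```

The interesting verdict is the fourth one: the replayed cookie is still valid for browsing, but generating a production token now requires a second factor the holder of a stolen cookie does not have. Idle and absolute limits handle the case where the cookie is reused later, which is why the three guardrails belong together.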