Malware Attack on CircleCI Engineer’s Laptop Leads to Recent Security Incident

DevOps platform CircleCI revealed on Friday that unidentified threat actors compromised an engineer’s laptop and used malware to steal credentials protected by two-factor authentication, which they then used to access the company’s systems and data a month earlier.

The “complex attack,” according to the CI/CD provider, took place on December 16, 2022, and the malware evaded detection by the company’s antivirus software.

According to Rob Zuber, chief technology officer at CircleCI, “the virus was able to conduct session cookie theft, enabling them to impersonate the targeted employee in a distant location and subsequently escalate access to a portion of our production systems.”


Further investigation into the breach revealed that the unauthorised third party had abused the elevated permissions granted to the targeted employee to steal data from a portion of its databases, including tokens, keys, and customer environment variables.

The threat actor is thought to have conducted reconnaissance on December 19, 2022, followed by data exfiltration on December 22, 2022.

The third party “extracted encryption keys from a running process, enabling them to potentially access the encrypted data even if all the exfiltrated data was encrypted at rest,” Zuber added.


The development came a little over a week after CircleCI advised its users to rotate all of their secrets, a step the company said was necessary as a result of “suspicious GitHub OAuth activity” reported to it by one of its users on December 29, 2022.

The company said it worked with Atlassian to rotate all Bitbucket tokens, revoked Project API Tokens and Personal API Tokens, informed customers of potentially affected AWS tokens, and proactively took the step of rotating all GitHub OAuth tokens after learning that the customer’s OAuth token had been compromised.

In addition to restricting access to production settings, CircleCI said it has added new authentication safeguards to block unauthorised access even in cases where credentials are compromised.

It also intends to offer customers options to “adopt the latest and most advanced security technologies available” in order to prevent attacks of this nature in future, and it will begin periodic automatic OAuth token rotation for all customers.
