CircleCI confirmed that the security incident it had been investigating was a large-scale data theft enabled by malware.
The company revealed the news in a blog post that described what happened recently, what it did to minimize the damage, and how it plans to keep its users safe in the future.
The blog states that a highly privileged employee's laptop was infected with token-stealing malware that handed the attackers the keys to the kingdom.
Weeks of data theft
It appears that the malware was able to run on the endpoint even though antivirus software was installed on the device. The attackers used it to obtain session tokens that kept the employee logged into certain applications.
When a user signs into an application, even with a password and multi-factor authentication (MFA), some applications issue session tokens that keep the user signed in for extended periods of time. In other words, by stealing the session tokens, the attackers effectively bypassed whatever MFA the company had in place.
From there, it was just a matter of reaching the right production systems to put sensitive data at risk.
“Because the target employee had privileges to create production access tokens as part of the employee’s normal duties, the unauthorized third party was able to access and pull data from a subset of databases and stores, including client environment variables, tokens, and keys,” the blog notes.
The threat actors had access to CircleCI's infrastructure for about three weeks, from December 16, 2022 to January 4, 2023.
Even the fact that the stolen data was encrypted didn’t help much, as the attackers got hold of the encryption keys, too.
“We encourage customers who have not yet taken action to do so in order to prevent unauthorized access to third party systems and stores,” the blog concluded.
CircleCI asked its customers to rotate any and all secrets stored in CircleCI, whether in project environment variables or in contexts.
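One way to carry out that rotation for project environment variables, as an added example that is not CircleCI's own tooling: it assumes the public CircleCI API v2 (base URL, Circle-Token header and the list/delete/create envvar endpoints named in the docstring), and takes the freshly issued secret values as input, since the new values must come from the upstream provider, not from CircleCI.

```python
"""Rotate CircleCI project environment variables through the v2 REST API.
Assumed (public CircleCI API v2, not from the article): base https://circleci.com/api/v2,
auth via the Circle-Token header, GET /project/{slug}/envvar (list; values masked),
DELETE /project/{slug}/envvar/{name}, POST /project/{slug}/envvar {"name","value"}.
"""
import json
import urllib.request

API = "https://circleci.com/api/v2"


def urllib_transport(method, url, headers, body=None):
    """Default HTTP transport: (method, url, headers, json_body) -> (status, json)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


def list_env_var_names(slug, token, http=urllib_transport):
    """Return every variable name on the project, following pagination."""
    names, url = [], f"{API}/project/{slug}/envvar"
    while url:
        status, payload = http("GET", url, {"Circle-Token": token}, None)
        if status != 200:
            raise RuntimeError(f"listing variables for {slug} failed: HTTP {status}")
        names += [item["name"] for item in payload.get("items", [])]
        nxt = payload.get("next_page_token")
        url = f"{API}/project/{slug}/envvar?page-token={nxt}" if nxt else None
    return names


def rotate_env_vars(slug, new_values, token, http=urllib_transport):
    """Replace each variable in new_values with its fresh value; return rotated names.
    Only existing variables are touched (a typo cannot silently create a secret), and
    the stale value is deleted before the new one is written so a failure part-way
    never leaves the old value behind. `http` is injectable for offline testing."""
    headers = {"Circle-Token": token, "Content-Type": "application/json"}
    existing = set(list_env_var_names(slug, token, http))
    rotated = []
    for name, value in new_values.items():
        if name not in existing:
            raise KeyError(f"{name} is not defined on {slug}")
        status, _ = http("DELETE", f"{API}/project/{slug}/envvar/{name}", headers, None)
        if status not in (200, 204):
            raise RuntimeError(f"deleting {name} failed: HTTP {status}")
        status, _ = http("POST", f"{API}/project/{slug}/envvar", headers, {"name": name, "value": value})
        if status not in (200, 201):
            raise RuntimeError(f"creating {name} failed: HTTP {status}")
        rotated.append(name)
    return rotated
```

Secrets held in contexts use the separate context environment-variable endpoints and are not covered by this script.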