On Friday, DevOps platform CircleCI revealed that unidentified threat actors compromised an employee’s laptop and stole their two-factor authentication credentials to compromise the company’s systems and data.

CI/CD service CircleCI said the “sophisticated attack” occurred on December 16, 2022, and its antivirus software could not detect the malware.

According to CircleCI’s chief technology officer, Rob Zuber, the malware executed session cookie theft, allowing them to impersonate the targeted employee remotely and escalate access to a subset of production systems.

As a result of the security breach, an unauthorized third party stole data from a subset of the company’s databases by abusing elevated permissions granted to the targeted employee, including customer environment variables, tokens, and keys.

On December 19, 2022, the threat actor conducted surveillance, followed by data exfiltration on December 22, 2022.

Despite all data being encrypted at rest, the third-party extracted encryption keys from a running process, potentially allowing them to access encrypted data.

On December 29, 2022, CircleCI urged its customers to rotate all their secrets after it was alerted to “suspicious GitHub OAuth activity” by one of its customers.

Upon learning that the customer’s OAuth token had been compromised, the company took the proactive step of rotating all GitHub OAuth tokens, the company stated, adding Atlassian rotated all Bitbucket tokens, revoked Project API Tokens, and Personal API Tokens, and notified customers of potentially affected AWS tokens.

Aside from limiting access to production environments, CircleCI has added more authentication guardrails to prevent illegitimate access.

In addition, the company plans to implement periodic automatic OAuth token rotation for all customers to prevent such attacks in the future. It will also allow users to adopt the latest and most advanced security features.

Heimdal Official Logo

DNS Security for Dummies

Learn More

An eBook that gives a comprehensive role-based security approach and addresses the numerous dangers to the Domain Name Systems (DNS) as cyberattacks increase globally.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, YouTube, and Instagram for more cybersecurity news and topics.  

What Is Malware? Definition, Types and Protection

All GitHub Users Will Need to Enable 2FA by the End of 2023

What Is Data Leakage?

What Is Online Impersonation?

What Is a Data Breach and How to Prevent It

Two-Factor Authentication Simplified: Security Keys Are Now the Only Twitter 2FA Method

Leave a Reply

Your email address will not be published. Required fields are marked *