CircleCi has confirmed that a recent security incident it has been investigating was malware-powered grand theft data.
In the blog, it was said that an employee with high privileges has had their laptop infected with token-stealing malware which gave the attackers keys to the kingdom.
Stealing data for weeks
The malware apparently managed to run on the endpoint despite the device having an antivirus program installed. The attackers used the tool to grab session tokens which kept the employee logged in to some applications.
When a user logs into an app, even if they did so with a password and a multi-factor authentication (MFA) tool, some apps drop session tokens which allow the users to remain logged into the app for prolonged periods of time. In other words, by stealing session tokens, the attackers effectively bypassed any MFA the company had set up.
After that, it was only a question of accessing the right production systems in order to compromise sensitive data.
“Because the targeted employee had privileges to generate production access tokens as part of the employee’s regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys,” the blog notes.
The threat actors lingered around CircleCI’s infrastructure for roughly three weeks – from December 16, 2022, to January 4, 2023.
Even the fact that the stolen data was encrypted didn’t help much, as the attackers obtained encryption keys, too.
“We encourage customers who have yet to take action to do so in order to prevent unauthorized access to third-party systems and stores,” the blog concluded.
CircleCi had asked its customers to rotate any and all secrets stored in its systems. “These may be stored in project environment variables or in contexts”.
- Check out the best firewalls today