>
CircleCi has confirmed that a recent security incident it investigated involved malware-driven grand theft data.
The company announced the news in a blog post (opens in new tab) that described what happened recently, what it has done to minimize the damage, and how it plans to keep its users safe going forward.
The blog said that a high-privilege employee’s laptop was infected with token-stealing malware that gave the attackers keys to the kingdom.
Stealing data for weeks
The malware apparently managed to run on the endpoint despite having an antivirus installed on the device. The attackers used the tool to obtain session tokens that kept the employee logged in to some applications.
When a user logs in to an app, even if they did so with a password and a multi-factor authentication (MFA) tool, some apps drop session tokens that allow the users to stay logged in to the app for an extended period of time. In other words, by stealing session tokens, the attackers effectively bypassed any MFA the company had set up.
After that, it was just a matter of accessing the right production systems to compromise sensitive data.
Because the targeted employee had privileges to generate production access tokens as part of the employee’s regular duties, the unauthorized third party was able to access and extract data from a subset of databases and stores, including environment variables, tokens and keys belonging to the customer. ” the blog notes.
The threat actors lingered around CircleCI’s infrastructure for approximately three weeks – from December 16, 2022 to January 4, 2023.
Even the fact that the stolen data was encrypted didn’t help much, as the attackers also obtained encryption keys.
“We encourage customers who have not yet taken action to do so to prevent unauthorized access to third-party systems and stores,” the blog concluded.
CircleCi had asked its customers to rotate all secrets stored in its systems. “These can be stored in project environment variables or in contexts”.
Through: TechCrunch (opens in new tab)