Tuesday, July 16, 2024

Hackers Compromised CircleCI Employee’s Laptop to Breach the Company’s Systems

CircleCI, a DevOps platform, discovered that malware installed on a CircleCI engineer’s laptop was used by an unauthorized third party to steal a legitimate, 2FA-backed SSO session.

On December 16, 2022, this device was compromised. The company’s antivirus programme was unable to detect the malware.

“Our investigation indicates that the malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems”, according to the CircleCI incident report.

Reports say the unauthorized third party had access to and was able to exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys because the targeted employee had the authority to generate production access tokens as part of the employee’s regular duties.

On December 19, 2022, the threat actor is suspected to have conducted reconnaissance, which was followed by data exfiltration on December 22, 2022.

In order to potentially gain access to the encrypted data, the third-party extracted the encryption keys from a running process.

Additional Layers of Protection are Implemented

The company stated that additional detection and blocking of the specific behaviors displayed by the malware employed in this assault through MDM and A/V solutions are implemented. They have restricted access to production environments to a very small number of employees. 

Further, the company said implemented more stringent authentication rules and procedures to guard against potential unauthorized production access. A monitoring and alerting system were put in place for the specified behavioral patterns.

The change occurred a little over a week after CircleCI advised its users to rotate all of their secrets. The company said that this was necessary as a result of “suspicious GitHub OAuth behavior” that was reported to them by one of its users on December 29, 2022.

The company said it worked with Atlassian to rotate all Bitbucket tokens, revoked Project API Tokens, and Personal API Tokens, informed customers of potentially affected AWS tokens, and proactively took the step of rotating all GitHub OAuth tokens after learning that the customer’s OAuth token had been compromised.

How Can I Determine Whether Data Is At Risk?

“We recommend you investigate for suspicious activity in your system starting on December 16, 2022, and ending on the date you completed your secrets rotation after our disclosure on January 4, 2023. Anything entered into the system after January 5, 2023, can be considered secure”, says the report


  • Use OIDC tokens wherever possible to avoid storing long-lived credentials in CircleCI.
  • Use IP ranges to restrict inbound connections to just known IP addresses for your systems.
  • Contexts can be used to group shared secrets, limit access to them to certain projects, and cycle them automatically.
  • For privileged access and additional controls, choose to use runners, which allow you to connect the CircleCI platform to your own compute and environments, including IP restrictions and IAM management.

Network Security Checklist – Download Free E-Book


Latest articles

MirrorFace Attacking Organizations Exploiting Vulnerabilities In Internet-Facing Assets

MirrorFace threat actors have been targeting media, political organizations, and academic institutions since 2022,...

HardBit Ransomware Using Passphrase Protection To Evade Detection

In 2022, HardBit Ransomware emerged as version 4.0. Unlike typical ransomware groups, this ransomware...

New Poco RAT Weaponizing 7zip Files Using Google Drive

The hackers weaponize 7zip files to pass through security measures and deliver malware effectively.These...

New ShadowRoot Ransomware Attacking Business Via Weaponized PDF’s

X-Labs identified basic ransomware targeting Turkish businesses, delivered via PDF attachments in suspicious emails...

Hacktivist Groups Preparing for DDoS Attacks Targeting Paris Olympics

Cyble Research & Intelligence Labs (CRIL) researchers have identified a cyber threat targeting the...

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles