Software development service CircleCI has revealed that a recently disclosed data breach was the result of information stealer malware being deployed on an engineer’s laptop.
The incident was initially disclosed on January 4, when CircleCI urged customers to rotate their secret keys.
In an updated incident report on Friday, the company said that it was initially alerted of suspicious activity on December 29, 2022, and that on December 31 it started rotating all GitHub OAuth tokens on behalf of its customers.
On January 4, 2023, CircleCI learned that malware deployed on an engineer’s laptop on December 16 was used to steal a 2FA-backed SSO session, which allowed the attackers to access the company’s internal systems.
“Our investigation indicates that the malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems,” the company said.
The compromised employee account was used to generate production access tokens, which allowed the hackers to “access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys”.
The attackers, CircleCI said, performed reconnaissance on December 19 and exfiltrated the sensitive information on December 22.
“Though all the data exfiltrated was encrypted at rest, the third party extracted encryption keys from a running process, enabling them to potentially access the encrypted data,” the company said.
To contain the breach, the company shut down all access for the compromised employee account, shut down production access to nearly all employees, rotated all potentially exposed production hosts, revoked all project API tokens, revoked all personal API tokens created prior to January 5, rotated all Bitbucket and GitHub OAuth tokens, and started notifying customers of the incident.
“We have taken many steps since becoming aware of this attack, both to close the attack vector and add additional layers of security,” CircleCI said.
According to the company, both “both the attack vector and the potential of a lingering corrupted host” were eliminated through the rotation of all production hosts.
Due to the sensitive nature of the exfiltrated information, all CircleCI customers should rotate SSH keys, OAuth tokens, project API tokens, and other secrets, and should investigate any suspicious activity observed after December 16.
“Because this incident involved the exfiltration of keys and tokens for third-party systems, there is no way for us to know if your secrets were used for unauthorized access to those third-party systems,” the company said. “At the time of publishing, fewer than 5 customers have informed us of unauthorized access to third-party systems as a result of this incident.”
Cloud monitoring service Datadog, one of the impacted CircleCI customers, announced late last week that it had identified an old RPM GNU Privacy Guard (GPG) private signing key that was compromised in the incident, along with its passphrase.
“As of January 12th, 2023, Datadog has no indication that the key was actually leaked or misused, but we are still taking the following actions out of an abundance of caution,” Datadog said.
Related: LastPass Says Password Vault Data Stolen in Data Breach
Related: Toyota Discloses Data Breach Impacting Source Code, Customer Email Addresses
Related: Microsoft Confirms Data Breach, But Claims Numbers Are Exaggerated
