Hackers Compromised CircleCI Engineer’s Laptop to Gain Elevated Privileges

CircleCI has disclosed that a laptop belonging to one of its engineers was compromised in mid-December. The attackers used data-stealing malware that allowed them to obtain elevated privileges within CircleCI’s systems. CircleCI became aware of suspicious activity on December 29, conducted an investigation, and disclosed the breach on January 4.

Note

• I appreciate CircleCI being transparent and helping us all learn. When using CI/CD tools, there is no way around entrusting them with some form of credentials. Make sure to keep those credentials ephemeral and rotate them frequently.
• Good example of a targeted attack that went after an employee with privileges to generate production access tokens. The CircleCI actions taken also point out the risks of too many employees being given production access and the risks that SSO approaches bring, even when multifactor authentication is used for initial authentication.
• Well done to CircleCI for being so transparent in their incident report. This is a great reminder that security has to be seen as a holistic challenge rather than focusing on just one area within an organization. Too often I see companies thinking that their production systems in the cloud are secure and therefore they need not worry as much about other parts of their infrastructure, in particular the end points. You need to identify every possible route a compromise can take and secure it accordingly. I will be keeping this report to hand for future client engagements who tell me they don’t need to worry about their developers’ devices as the production environment is secure.
• Kudos to CircleCI for their transparency. Be aware of your “weakest links.” While there is no such thing as perfect security, it is possible to implement many measures to reduce risks, to include modern EDR, MFA, MDM, and logging. With the change of the perimeter, due to efforts such as Cloud and ZTA, make sure that endpoints are hardened and defenses enabled. Where you are using long lived credentials, make sure that you can rapidly change them in the event of a breach. Verify controls are in place, and are not bypassed, regularly.
• Theft of user credentials, especially elevated privileges, is the ‘holy grail’ for cyber criminals. It allows easy system access and with elevated privileges, ease in traversing the enterprise. Interestingly, both multi-factor authentication (MFA) and data encryption defenses were employed by CircleCI but were ultimately compromised. This indicates that the adversary was highly skilled to both bypass the additional authentication method and separately, recover ‘running’ encryption keys. Organizations should revisit their configuration of MFA to protect against credential harvesting attacks.

Read more in

• CircleCI incident report for January 4, 2023 security incident