
Uncovered Connection: Malware discovered on an engineer's laptop by CircleCI leads to a broader security incident

Intruder exploits unauthorized access to SSO session, successfully stealing sensitive data such as environment variables, tokens, and keys.

Malicious software uncovered on an engineer's laptop is traced back to a broader security incident, as revealed by CircleCI.


In a recent security incident, CircleCI, a popular continuous integration and continuous delivery (CI/CD) platform, suffered an unauthorised breach by a third party. The identity of that third party has not been disclosed.

The breach began with a CircleCI engineer who held privileges to generate production access tokens; through that engineer's compromised access, the third party was inadvertently able to exfiltrate data from a subset of databases and stores. The stolen data included customer environment variables, tokens, and keys.

The compromised data also included encryption keys, potentially giving the third party access to encrypted data. The malware on the engineer's laptop let the third party steal session cookies, impersonate the engineer, and reach a subset of CircleCI's production systems.

CircleCI's technology stack is currently under scrutiny from corporate stakeholders, who are seeking to better understand the risk calculus, specifically the question of whether they are a target. In response to the incident, CircleCI has taken several measures to bolster its security.

From December 16 to 31, 2021, CircleCI deployed Mobile Device Management (MDM) and antivirus tooling tuned to the behaviour of the external actor. It also enhanced monitoring, tightened access controls, and updated security policies to improve platform security.

In addition, CircleCI added authentication requirements and restricted access to its production environment to a limited number of employees. The company also decided to rotate all GitHub OAuth tokens on behalf of customers on Dec. 31.

CircleCI emphasised in their report that the incident was not due to the actions of any one person, but a collective failure of various systems. They have not yet announced any specific actions taken to prevent similar incidents in the future.

Customers should check for any suspicious behaviour starting from Dec. 16. As of now, fewer than five customers have reported unauthorised access to third-party systems as a result of the incident. Despite the breach, CircleCI maintains that the platform is safe for customers to continue working on.
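The two facts a defender can act on here are the mechanism (a stolen SSO session cookie reused by someone other than the engineer) and the review window (suspicious activity from Dec. 16 onward). The script below is an added example, not CircleCI's code or a CircleCI API: the audit-log format, field names, action names and every sample line are constructed for illustration. It flags any session identifier that appears from more than one client fingerprint (source IP plus user agent), then lists sensitive actions performed inside the review window and marks whether they ran on such a session.

```python
"""Triage constructed audit-log lines for stolen-session indicators.

Added example; the pipe-separated log format, the action names and the
sample events are all constructed. Two checks mirror the incident:
  1. one session cookie used from more than one client fingerprint
     (session theft / impersonation of the legitimate user), and
  2. sensitive actions performed on or after the review-window start.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Review window start: the page says to check from Dec. 16 onward and
# gives 2021 as the year of the response timeline; both taken from the page.
REVIEW_START = datetime(2021, 12, 16, tzinfo=timezone.utc)

# Constructed action names standing in for "mint a production token" and
# "read a project's secrets"; real platforms name these differently.
SENSITIVE_ACTIONS = {"create_production_token", "read_project_env_vars"}

# Constructed sample log: ts|user|session_id|src_ip|user_agent|action
# Session sess-A is first seen from the engineer's browser, then reused
# from a different address and a scripted client (the theft pattern).
SAMPLE_LOG = """\
2021-12-15T09:00:00Z|eng1|sess-A|203.0.113.10|Firefox/108 macOS|login_sso
2021-12-15T09:05:00Z|eng1|sess-A|203.0.113.10|Firefox/108 macOS|view_dashboard
2021-12-16T22:41:00Z|eng1|sess-A|198.51.100.77|python-requests/2.28|create_production_token
2021-12-16T22:43:00Z|eng1|sess-A|198.51.100.77|python-requests/2.28|read_project_env_vars
2021-12-17T10:00:00Z|eng2|sess-B|203.0.113.11|Chrome/108 Linux|login_sso
2021-12-17T10:02:00Z|eng2|sess-B|203.0.113.11|Chrome/108 Linux|view_dashboard
"""


def parse_log(text):
    """Parse pipe-separated lines into event dicts with UTC timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, sess, ip, ua, action = line.split("|")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "user": user, "session": sess,
                       "ip": ip, "ua": ua, "action": action})
    return events


def sessions_with_fingerprint_change(events):
    """Map session_id -> sorted distinct (ip, ua) pairs, only for sessions
    seen from more than one fingerprint. A session cookie that travels
    between clients is the signature of cookie theft, not of a user."""
    seen = defaultdict(set)
    for e in events:
        seen[e["session"]].add((e["ip"], e["ua"]))
    return {s: sorted(fps) for s, fps in seen.items() if len(fps) > 1}


def sensitive_actions_in_window(events, start, sensitive=SENSITIVE_ACTIONS):
    """Events on or after `start` whose action is in the sensitive set."""
    return [e for e in events if e["ts"] >= start and e["action"] in sensitive]


def triage(text, start=REVIEW_START):
    """Return one finding per sensitive action in the window, annotated
    with whether its session also changed fingerprint (high priority)."""
    events = parse_log(text)
    hijacked = sessions_with_fingerprint_change(events)
    return [
        {
            "ts": e["ts"].isoformat(),
            "user": e["user"],
            "session": e["session"],
            "action": e["action"],
            "session_fingerprint_changed": e["session"] in hijacked,
        }
        for e in sensitive_actions_in_window(events, start)
    ]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "HIGH" if f["session_fingerprint_changed"] else "review"
        print(f"[{flag}] {f['ts']} {f['user']} {f['session']} {f['action']}")
```

On the constructed sample this reports both sensitive actions on `sess-A` as high priority, because the same session cookie that logged in from the engineer's browser later issued a production token from a different address with a scripted client. Fingerprint changes alone produce false positives (VPN switches, browser updates), which is why the script ranks them against sensitive actions rather than alerting on them outright; any token or secret touched by a flagged session is a rotation candidate.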

The security incident at CircleCI, disclosed earlier this month, serves as a stark reminder of the importance of robust security measures and the need for continuous monitoring and updates to protect against such breaches. CircleCI urges all its users to stay vigilant and report any suspicious activities promptly.
