SOCRadar® Cyber Intelligence Inc. | Attackers Infected a CircleCI Employee with Malware to Steal Customer Session Tokens
Home

Resources

Blog
Oca 16, 2023
4 Mins Read

Attackers Infected a CircleCI Employee with Malware to Steal Customer Session Tokens

Software provider CircleCI confirmed that a data breach in December resulted in the theft of some of its customers’ sensitive information.

The breach occurred after an employee’s computer was infected with data-stealing malware, which allowed access to the company’s internal systems. Attackers could steal an employee’s 2FA-backed SSO session cookies and move further. 

How Did It Happen? 

Security researchers thought that the attackers conducted reconnaissance on December 19, 2022, which was followed by data exfiltration on December 22. 

According to CircleCI, the sophisticated attack occurred on December 16, and the malware evaded detection by its antivirus program. 

Rob Zuber, chief technology officer at CircleCI, wrote in an incident report that the malware could carry out session cookie theft, allowing the attackers to pose as the targeted employee from a distance and escalate access to a subset of production systems. 

Upon further investigation, it was discovered that the unauthorized attacker had stolen information by abusing the elevated permissions given to the targeted employee and stealing data from a part of its databases. The variables, tokens, and keys related to the customer’s environment were included in the stolen data. 

Zuber claimed that although the exfiltrated data was encrypted, the attacker could potentially access it because the attacker extracted the encryption keys from a running process. 

CircleCI Takes Additional Precautions

CircleCI collaborated with Atlassian to rotate all Bitbucket tokens, revoked Project API Tokens and Personal API Tokens, and informed customers of potentially affected AWS tokens.

When the company discovered that the customers’ OAuth token had been compromised, it took the proactive step of rotating all GitHub OAuth tokens, and it later stated that it would implement periodic automatic OAuth token rotation to prevent a similar incident from occurring again. 

In addition to restricting access to production environments, CircleCI has added more authentication safeguards to block unauthorized access, even in cases where credentials are stolen. 

Recommendations 

CircleCI customers are advised to rotate all their secrets, including OAuth and Project API tokens and SSH keys. They are also advised to investigate for suspicious activity starting on December 16, 2022, until January 4, 2023.

Other recommendations by CircleCI are listed below: 

  • To not store long-lasting credentials, use OIDC (OpenID Connect) tokens. 
  • Use the IP ranges feature to restrict inbound connections to systems to only known IP addresses. 
  • Connect the CircleCI platform to your own environments using runners, which include IP restrictions and IAM (Identity & Access Management). 
  • Contexts can be used to consolidate shared secrets and limit access to secrets to specific projects. 

Indicators of Compromise (IOCs) 

IP Addresses: 

  • 178.249.214.10 
  • 89.36.78.75 
  • 89.36.78.109 
  • 89.36.78.135 
  • 178.249.214.25 
  • 72.18.132.58 
  • 188.68.229.52 
  • 111.90.149.55 

Data Centers and VPN Providers: 

  • Datacamp Limited 
  • Globalaxs Quebec Noc 
  • Handy Networks, LLC 
  • Mullvad VPN 

Malicious Files: 

  • /private/tmp/.svx856.log 
  • /private/tmp/.ptslog 
  • PTX-Player.dmg
  • PTX.app 

Domain: 

  • potrax[.]com 

Check the audit logs on GitHub for commands that were not expected, like: 

  • repo.download_zip 

Monitor the Dark Web for Data Exposure

SOCRadar Dark Web Monitoring

You can use SOCRadar to defend yourself against these kinds of incidents. To protect your company from external cyber threats, we offer you a platform for monitoring unwanted exposure. 

SOCRadar is an early warning system that allows businesses to find out whether employee email addresses, credit card numbers or user login information for customers have been compromised.