Software development service CircleCI has revealed that a recently disclosed data breach was the result of information stealer malware being deployed on an engineer’s laptop.
How was it infected?
According to CircleCI, the sophisticated attack occurred on December 16, and the malware evaded detection by its antivirus program.
The compromised employee account was used to generate production access tokens, which allowed the hackers to “access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys”.
Zuber claimed that although the exfiltrated data was encrypted, the attacker could potentially access it, because they had also extracted the encryption keys from a running process.
CircleCI Remediations
In addition to restricting access to production environments, CircleCI has added more authentication safeguards to block unauthorized access, even in cases where credentials are stolen. The company also lists the following steps for customers to harden their own pipelines:
- Use OIDC (OpenID Connect) tokens.
- Use the IP ranges feature to restrict inbound connections to systems to only known IP addresses.
- Connect the CircleCI platform to your own environments using runners, which include IP restrictions and IAM (Identity & Access Management).
- Use contexts to consolidate shared secrets and limit access to secrets to specific projects.
Several customers have already informed the company of unauthorized access to their systems.
Indicators of Compromise (IOCs)
IP Addresses:
- 178.249.214.10
- 89.36.78.75
- 89.36.78.109
- 89.36.78.135
- 178.249.214.25
- 72.18.132.58
- 188.68.229.52
- 111.90.149.55
Data Centers and VPN Providers:
- Datacamp Limited
- Globalaxs Quebec Noc
- Handy Networks, LLC
- Mullvad VPN
Malicious Files:
- /private/tmp/.svx856.log
- /private/tmp/.ptslog
- PTX-Player.dmg
- PTX.app
Domain:
- potrax[.]com
Check the audit logs on GitHub for commands that were not expected, like:
- repo.download_zip
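The following script is an added example, not code from the article or from CircleCI, showing how a defender can sweep a GitHub audit-log export for the two indicators the article gives: the IP addresses in the IOC list above and the unexpected repo.download_zip action. The log lines are constructed for the example; the field names (action, actor, actor_ip, created_at, repo) follow the GitHub audit-log JSON export, but treat the exact schema as an assumption and adapt it to your own export.

```python
"""Sweep GitHub audit-log export lines for the IOCs listed in the article.

Added example, not from the original article or from CircleCI. The log
entries below are constructed; the field names (action, actor, actor_ip,
created_at, repo) follow the GitHub audit-log JSON export, but the exact
schema is an assumption and should be checked against a real export.
"""
import ipaddress
import json

# IP addresses and the audit-log action taken from the article's IOC section.
IOC_IPS = {
    "178.249.214.10", "89.36.78.75", "89.36.78.109", "89.36.78.135",
    "178.249.214.25", "72.18.132.58", "188.68.229.52", "111.90.149.55",
}
IOC_ACTIONS = {"repo.download_zip"}

# Constructed sample export (newline-delimited JSON), one event per line.
# 203.0.113.0/24 is documentation space and stands in for normal users.
SAMPLE_LOG = """\
{"action": "repo.download_zip", "actor": "ci-bot", "actor_ip": "89.36.78.109", "created_at": "2022-12-22T13:41:02Z", "repo": "acme/payments"}
{"action": "git.clone", "actor": "alice", "actor_ip": "203.0.113.7", "created_at": "2022-12-22T13:45:19Z", "repo": "acme/payments"}
{"action": "repo.download_zip", "actor": "bob", "actor_ip": "203.0.113.9", "created_at": "2022-12-23T08:02:55Z", "repo": "acme/web"}
{"action": "org.add_member", "actor": "alice", "actor_ip": "178.249.214.25", "created_at": "2022-12-23T09:10:00Z", "repo": null}
"""


def parse_events(text):
    """Parse NDJSON export text into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # A broken line should not abort the whole sweep; skip it.
            continue
    return events


def classify(event):
    """Return the list of IOC reasons that apply to one event (empty if none)."""
    reasons = []
    if event.get("action") in IOC_ACTIONS:
        reasons.append("unexpected action")
    ip = event.get("actor_ip")
    if ip:
        try:
            # Normalise the address before comparing so "089.036..." style
            # variants cannot slip past a plain string match.
            if str(ipaddress.ip_address(ip)) in IOC_IPS:
                reasons.append("known IOC ip")
        except ValueError:
            reasons.append("malformed actor_ip")
    return reasons


def sweep(text):
    """Return flagged events, each annotated with its reasons, oldest first."""
    hits = []
    for ev in parse_events(text):
        reasons = classify(ev)
        if reasons:
            hits.append({**ev, "reasons": reasons})
    hits.sort(key=lambda e: e.get("created_at", ""))
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        print(f"{hit['created_at']} {hit['actor']:<8} {hit.get('actor_ip')} "
              f"{hit['action']:<18} {hit.get('repo')}  <- {', '.join(hit['reasons'])}")
```

Run against a real export, replace SAMPLE_LOG with the file contents; the two checks are deliberately independent, so a download from an unlisted address is still surfaced for review, and an IOC address performing an otherwise ordinary action is surfaced as well.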