Continuous integration and delivery platform CircleCI has confirmed that a data breach that occurred on January 04, 2023, was caused by infostealer malware deployed on an employee's laptop.
“We have learned that an unauthorized third party leveraged malware deployed to a CircleCI engineer’s laptop in order to steal a valid, [two-factor authentication] 2FA-backed SSO [single sign-on] session. This machine was compromised on December 16, 2022,” CircleCI wrote on Friday.
According to the blog post by CircleCI chief technology officer (CTO) Rob Zuber, the malware was not detected by the CircleCI antivirus program.
“Our investigation indicates that the malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems,” Zuber explained.
The executive added that because the targeted employee had privileges to generate production access tokens, the attacker was able to potentially access and steal data from a subset of databases and stores.
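The attack chain described above hinges on a stolen, still-valid SSO session being replayed from the attacker's machine. Below is an added example (not CircleCI's code) of a defender-side check over identity-provider audit logs: it flags any session ID that, after being established from one client, is later used from a different source IP or user agent. The log lines and the field names (`ts`, `user`, `session_id`, `src_ip`, `user_agent`) are constructed assumptions, not a real product's export format.

```python
# Flag SSO sessions reused from a second client (added example; log format is assumed).
from datetime import datetime
import json

# Constructed sample: one session (s-a1) is replayed hours later from another host.
SAMPLE_LOG = """
{"ts": "2022-12-16T09:02:11Z", "user": "eng1", "session_id": "s-a1", "src_ip": "203.0.113.10", "user_agent": "Chrome/108 macOS"}
{"ts": "2022-12-16T09:40:55Z", "user": "eng1", "session_id": "s-a1", "src_ip": "203.0.113.10", "user_agent": "Chrome/108 macOS"}
{"ts": "2022-12-16T13:15:03Z", "user": "eng1", "session_id": "s-a1", "src_ip": "198.51.100.77", "user_agent": "Chrome/108 Linux"}
{"ts": "2022-12-16T10:00:00Z", "user": "eng2", "session_id": "s-b2", "src_ip": "192.0.2.5", "user_agent": "Firefox/107 macOS"}
{"ts": "2022-12-16T11:00:00Z", "user": "eng2", "session_id": "s-b2", "src_ip": "192.0.2.5", "user_agent": "Firefox/107 macOS"}
"""

def parse_events(text):
    """Parse one JSON object per line and return events in time order."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])

def find_hijacked_sessions(events):
    """Return {session_id: details} for sessions whose client fingerprint changes mid-life.

    A stolen cookie is replayed from the attacker's host, so the *same* session id shows
    up from a new IP / user agent; a legitimate re-login would mint a fresh session id.
    """
    first_seen = {}   # session_id -> ((src_ip, user_agent), first timestamp)
    findings = {}
    for e in events:
        sid = e["session_id"]
        fp = (e["src_ip"], e["user_agent"])
        if sid not in first_seen:
            first_seen[sid] = (fp, e["ts"])
            continue
        orig_fp, orig_ts = first_seen[sid]
        if fp != orig_fp and sid not in findings:
            findings[sid] = {
                "user": e["user"],
                "original": orig_fp,
                "replayed_from": fp,
                "minutes_after_first_use": (e["ts"] - orig_ts).total_seconds() / 60,
            }
    return findings

if __name__ == "__main__":
    for sid, d in find_hijacked_sessions(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT session {sid} ({d['user']}): {d['original']} -> {d['replayed_from']} "
              f"{d['minutes_after_first_use']:.0f} min after first use")
```

In practice the fingerprint comparison would be loosened for roaming clients (for example, by comparing ASN or country rather than exact IP), and an alert on a session that also went on to mint production access tokens would be prioritised.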
“Though all the data exfiltrated was encrypted at rest, the third party extracted encryption keys from a running process, enabling them to potentially access the encrypted data,” Zuber warned.
Despite the data breach and the ongoing investigation, the CTO said that customers can now safely return to building on the CircleCI platform.
“We have taken many steps since becoming aware of this attack, both to close the attack vector and add additional layers of security.”
These include adding detection and blocking through the company’s MDM and A/V solutions for the techniques used by the malware.
CircleCI said it restricted production environment access to “a very limited number” of employees. The firm also reported it had implemented additional security measures.
“For the employees who retain production access, we have added additional step-up authentication steps and controls.”
Zuber concluded that there is no way for the company to know if specific secrets were used for unauthorized access to third-party systems.
“If you stored secrets on our platform during this time period, assume they have been accessed and take the recommended mitigation steps.”
The blog post comes roughly two months after a data breach at Dropbox in which threat actors impersonated CircleCI employees.