
After a Security Incident, CircleCI Urges Customers to Rotate Secrets

CircleCI, an American software development service, has suffered a security incident and has urged its users to rotate their secrets to limit the fallout.

Security Issue Alerts for CircleCI Users

The American DevOps platform CircleCI has announced that, following a security incident, it is urging its users to rotate their secrets. CircleCI is one of the most popular CI/CD platforms today, providing developers with continuous integration and delivery so they can ship code more quickly. A million people use the tool each year, and thousands of companies rely on it for their business; in the wake of this breach, all of them have been warned.

Rob Zuber, CircleCI's Chief Technology Officer, stated on the CircleCI blog that all secrets stored in CircleCI should be rotated immediately. This covers secrets held in project environment variables and in contexts, which may include cryptographic material. CircleCI also raised the issue on Twitter, warning customers to take precautions.

CircleCI assured its users that building applications with CircleCI was safe and that the company offered a secure platform. 

Besides sharing tools intended to help teams track down all potentially compromised secrets, CircleCI has announced that it is working with Amazon Web Services to notify customers whose tokens may have been exposed.

Earlier, CircleCI warned customers regarding the circulation of a credential harvesting scam. This scam was attempting to trick users into entering their GitHub login credentials through what was presented as updated Terms of Service. 

Zuber wrote in the blog post that customers should review their internal system logs for the period from December 21, 2022 to January 4, 2023 and confirm that no unauthorized access took place. He also noted that all API tokens associated with Projects have been invalidated, so users will have to replace them.

Details on CircleCI Security Incident Not Provided

CircleCI has notified users of a security issue and offered advice on how to protect their data, but further details about what the problem is and what it entails have yet to be released. Rob Zuber's blog post indicates that the company intends to provide more details about the incident shortly.

CircleCI Security Incidents Are Not New

CircleCI has dealt with breaches in the past, although the details of the current incident remain unclear. A breach occurred in 2019 when a third-party analytics vendor gained access to sensitive data after infiltrating the company's network.

In that incident, an attacker obtained usernames, email addresses, branch names, repository URLs, and IP addresses that could be used in further attacks. According to the company, users were warned at the time to review their repository and branch names.

LastPass, Okta, and Slack: Threat Actors Switch to Targeting Core Enterprise Tools


At the beginning of 2023, CircleCI, a development-pipeline service provider, warned its users of a security breach, advising companies to act immediately by changing the passwords, SSH keys, and other secrets stored on or managed by the platform.

The attack on the DevOps service left the company scrambling to assess the extent of the breach, restrict the attackers' ability to alter software projects, and identify which development secrets had been compromised. The company updated configuration settings, rotated authentication tokens, worked with other providers to expire keys, and investigated the situation.

The company states in an advisory last week, "At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well." 

In the past year, identity services like Okta and LastPass have acknowledged system vulnerabilities, and developer-focused services like Slack and GitHub have reacted quickly to successful attacks on their infrastructure and source code. 

According to Lori MacVittie, a renowned engineer and evangelist at cloud security firm F5, the series of attacks on fundamental enterprise tools shows that organizations should expect these kinds of providers to become frequent targets in the future.

"As we rely more on services and software to automate everything from the development build to testing to deployment, these services become an attractive attack surface […] We don't think of them as applications that attackers will focus on, but they are," she says. 

Identity & Developer Services Vulnerable to Cyberattacks 

Lately, threat actors have targeted two major categories of services: identity and access management systems, and developer and application infrastructure. Both underpin critical components of enterprise infrastructure.

According to Ben Smith, CTO at detection and response firm NetWitness, identity is the glue that holds an organization's every interface together and connects companies to their partners and customers.

"It doesn't matter what product, what platform, you are leveraging, adversaries have recognized that the only thing better than an organization that specializes in authentication is an organization that specializes in authentication for other customers," says Smith.

Meanwhile, developer services and tools have become another frequently attacked enterprise service. For example, in September a threat actor accessed Rockstar Games' Slack channel and downloaded videos, pictures, and game code from the upcoming Grand Theft Auto 6 title. Regarding this, Slack says "a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository."

Since identity and developer services enable access to a wide range of corporate assets, from application services to operations to source code, compromising these services can be a 'skeleton key' to the rest of the company, adds Smith. "They are very very attractive targets, which represent low-hanging fruit […] These are classic supply chain attacks — a plumbing attack because the plumbing is not something that is visible on a daily basis."

Protect Yourselves by Managing Secrets Wisely, Establish Playbooks 

One defensive tactic suggested by Ben Lincoln, managing senior consultant at Bishop Fox, is comprehensive secrets management: companies should be able to "push the button" and rotate every necessary password, key, and sensitive configuration.

"You need to limit exposure, but if there is a breach, you hopefully have a push button to rotate all those credentials immediately," Smith further says. "Companies should plan extensively in advance and have a process ready to go if the worst thing happens." 

Organizations can also deceive intruders with traps. By employing honeypot-like tactics, security teams can receive a high-fidelity warning that attackers may be on their network or using a service. Credential canaries—fake accounts and credentials—help identify when threat actors have gained access to critical assets. Beyond that, companies must prioritize applying zero-trust principles to minimize the attack surface of not just machines, software, and services but also operations, according to MacVittie.

CircleCI Breach: Encryption Keys & User Data Seized

Software company CircleCI has acknowledged that a data breach last month resulted in the theft of customers' personal information.

Hackers broke into the company in December after an engineer's machine was infected with data-stealing malware that captured CircleCI's 2FA-backed SSO session cookies and used them to reach the company's internal systems. CircleCI had already urged customers to change their credentials and passwords earlier this month after disclosing the breach.

The company accepted responsibility for the breach and attributed it to a systems failure, noting that its antivirus program missed the token-stealing malware on the employee's laptop. Session tokens let users stay logged in without repeatedly typing their password or re-authorizing with two-factor authentication. The flip side is that an attacker holding a stolen session token can reach the same resources as the account holder without the password or two-factor code, which makes it hard to distinguish a session token used by the legitimate owner from one replayed by an intruder.
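To show why a replayed session token looks identical to the owner's, and one way a service can make the two distinguishable, here is an added example (not CircleCI's code) of a minimal session store that binds each token to the client context it was issued for and revokes it on mismatch. The fingerprint attributes (user agent plus IP prefix), the eight-hour lifetime and the injectable numeric clock are assumptions chosen for the example.

```python
# Added example, not CircleCI's code: a session store that binds a token to the
# client context it was issued for. A stolen cookie replayed from another
# machine then fails the context check and is revoked instead of being accepted.
import hashlib
import hmac
import secrets
import time

MAX_AGE_SECONDS = 8 * 3600  # assumed policy: a stolen cookie stops working within a shift


def fingerprint(user_agent, ip_prefix):
    """Hash the client attributes the session is bound to (assumed choice: UA + IP prefix)."""
    return hashlib.sha256(f"{user_agent}|{ip_prefix}".encode()).hexdigest()


class SessionStore:
    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now  # injectable clock so expiry can be exercised offline

    def issue(self, user, user_agent, ip_prefix):
        """Create a session bound to the issuing client; returns the opaque token."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "fp": fingerprint(user_agent, ip_prefix),
                                 "issued": self._now(), "revoked": False}
        return token

    def validate(self, token, user_agent, ip_prefix):
        """Return (user, verdict); verdict is ok, unknown, revoked, expired or context_mismatch."""
        s = self._sessions.get(token)
        if s is None:
            return None, "unknown"
        if s["revoked"]:
            return s["user"], "revoked"
        if self._now() - s["issued"] > MAX_AGE_SECONDS:
            return s["user"], "expired"
        if not hmac.compare_digest(s["fp"], fingerprint(user_agent, ip_prefix)):
            # Same token, different client: the signature of a replayed cookie.
            # Kill the session so the legitimate owner has to re-authenticate with 2FA.
            s["revoked"] = True
            return s["user"], "context_mismatch"
        return s["user"], "ok"

    def revoke_all_for(self, user):
        """Incident response step: invalidate every live session of a user whose device was infected."""
        count = 0
        for s in self._sessions.values():
            if s["user"] == user and not s["revoked"]:
                s["revoked"] = True
                count += 1
        return count
```

A context mismatch is also the event worth alerting on, since it is the moment a stolen token reveals itself.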

According to CircleCI, the stolen session token enabled the hackers to impersonate the employee and access a few business systems that store customer data. In response to the hack, CircleCI says it rotated all customer-related tokens, including Project API Tokens, Personal API Tokens, and GitHub OAuth tokens. The company also worked with Atlassian and AWS to alert customers whose AWS and Bitbucket tokens may have been compromised.

CircleCI says that, to further harden its infrastructure, it has added detections for the actions taken by the information-stealing malware to its antivirus and mobile device management (MDM) tooling.

"While client data was encrypted, the cybercriminals also gained the encryption keys able to decrypt consumer data," said Rob Zuber, the company's chief technology officer. To prevent unauthorized access to third-party systems and stores, researchers urge customers who have not yet rotated their secrets to do so. The company has additionally tightened the security of its 2FA solution and limited access to its production environment to a smaller group of users.

Following a Hack, CircleCI Advises Customers to Rotate all Secrets

Following a breach of its systems, CircleCI, whose development products are popular with software engineers, has advised customers to rotate their secrets to prevent a repeat of the incident.

More than a million engineers use the CI/CD platform for the "speed and reliability" it promises their builds. CircleCI has alerted users to the incident by email, stating that it is currently investigating a security incident.
 
To be on the safe side, users are advised to rotate all secrets stored in CircleCI while the company concludes its investigation. CircleCI CTO Rob Zuber wrote in a succinct advisory published on Wednesday that updates about the incident will be provided as soon as they become available.

CircleCI believes there are no unauthorized actors active in its systems at this point; however, out of an abundance of caution, it encourages all customers to take the necessary precautions to protect their data. Customers are advised to rotate both the secrets stored in project environment variables and those held in contexts.
 
CircleCI has invalidated the API tokens used in projects, and users will need to replace them before they can continue using CircleCI. During the investigation, Daniel Hückmann, an experienced security engineer, reported one of the IP addresses associated with the attack (54.145.167.181).

This indicator may help incident responders investigate their own environments. The DevOps company also recommends that users audit their logs for any signs of unauthorized access between December 21st, 2022 and January 4th, 2023, to keep the same event from recurring.
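The log review recommended in this post and in the first post on this page can be scripted. The following is an added example, not CircleCI's tooling: it scans access-log lines for the disclosure window and the reported attacker IP, using only the dates and the indicator given in the report; the log line format and the sample lines are constructed for the example.

```python
# Added example, not CircleCI's tooling: scan access-log lines for the disclosure
# window (Dec 21, 2022 to Jan 4, 2023, UTC) and the attacker IP named in the report.
# The line format below is constructed for this example, not CircleCI's own.
from datetime import datetime, timezone
import ipaddress
import re

WINDOW_START = datetime(2022, 12, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 1, 5, tzinfo=timezone.utc)  # exclusive, so all of Jan 4 is covered
KNOWN_BAD_IPS = {ipaddress.ip_address("54.145.167.181")}

# Constructed line format: "<ISO8601> ip=<addr> user=<name> action=<verb> target=<resource>"
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) action=(\S+) target=(\S+)$")

def parse_line(line):
    """Return an event dict for a well-formed line, or None if it cannot be parsed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts_raw, ip_raw, user, action, target = m.groups()
    try:
        ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
        ip = ipaddress.ip_address(ip_raw)
    except ValueError:
        return None
    if ts.tzinfo is None:  # treat naive timestamps as UTC so comparisons are well-defined
        ts = ts.replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": ip, "user": user, "action": action, "target": target}

def audit(lines):
    """Return (ioc_hits, window_events, malformed): bad-IP events at any time, all in-window events, unparsable count."""
    ioc_hits, window_events, malformed = [], [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            malformed += 1  # count rather than skip silently: gaps in logging are a finding too
            continue
        if ev["ip"] in KNOWN_BAD_IPS:
            ioc_hits.append(ev)
        if WINDOW_START <= ev["ts"] < WINDOW_END:
            window_events.append(ev)
    return ioc_hits, window_events, malformed

# Constructed sample: one event just before the window, two IOC hits inside it, one after, one bad line
SAMPLE_LOG = """\
2022-12-20T23:59:59Z ip=203.0.113.7 user=alice action=login target=console
2022-12-22T03:14:00Z ip=54.145.167.181 user=alice action=read target=project-envvars
2023-01-04T23:30:00Z ip=54.145.167.181 user=svc-deploy action=read target=context/prod
2023-01-06T08:00:00Z ip=54.145.167.181 user=alice action=login target=console
this line is deliberately malformed
""".splitlines()
```

Every in-window event, not only the IOC hits, belongs in the manual review, since the report gives one IP and the attacker may have used others.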
 
The timing suggests that CircleCI was compromised on December 21st, the same day it published a "reliability update" underlining its commitment to improving its services and strengthening security.
 
That update followed a series of similar ones, beginning with a reliability update released in April 2022 in which CircleCI admitted that its reliability was not up to its users' standards. Zuber wrote at the time that CircleCI is dedicated to managing change so that software teams can innovate faster, but that the company had learned its reliability was not meeting customers' expectations.
 
After another outage in September 2022 that lasted a "significant portion of a day" and left many teams struggling to manage their workloads, CircleCI issued a further such update.

In recent years, CircleCI has faced a series of security issues that threaten its operations. In mid-2019, a data breach at CircleCI caused by the compromise of a third-party vendor resulted in the loss of confidential information.

In that breach, data belonging to some GitHub and Bitbucket users was compromised, including the login credentials and email addresses associated with their GitHub and Bitbucket accounts, along with their IP addresses, company names, repository URLs, and more.

In 2022, threat actors were caught using fake CircleCI email notifications to steal users' GitHub accounts. At the time, CircleCI reassured users that its systems were secure, since the phishing attempts did not necessarily stem from a new compromise. Threat actors are, however, known to target customers of affected companies with phishing scams that reuse email addresses obtained from an earlier breach (such as the one in 2019).
 
Regarding the security incident announced on Wednesday, the company sincerely apologizes to everyone inconvenienced by it. Once the investigation concludes, the company intends to share additional information about the incident in the coming days.