CircleCI said an unauthorized third-party leveraged malware on the laptop of one of its engineers to steal a valid 2FA-backed single-sign-on session, according to highly anticipated report stemming from a security incident disclosed earlier this month.
The engineer’s laptop was compromised on Dec. 16, but the company’s antivirus software failed to detect the malware, the company said.
“Our investigation indicates that the malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location and then escalate across to a subset of our production systems,” CircleCI CTO Rob Zuber explained in the updated blog post.
Less than five customers have said they experienced unauthorized access to third-party systems, the company said.
The engineer had privileges to generate production access tokens, so the third-party was able to exfiltrate data from a subset of databases and stores, including customer environment variables, tokens and keys, according to the blog post.
CircleCI strongly defended the employee in the report, emphasizing the incident was not due to the actions of any one person, but a collective failure of various systems.
“While one employee’s laptop was exploited through this sophisticated attack, a security incident is a systems failure,” Zuber said in the blog post. “Our responsibility as an organization is to build layers of safeguards that protect against all attack vectors.”
The threat actor did reconnaissance activity on Dec. 19 and the exfiltration took place on Dec. 22.
"Though all the data exfiltrated was encrypted at rest, the third party extracted encryption keys from a running process, enabling them to potentially access the encrypted data," Zuber said.
By Dec. 29, the company was alerted to suspicious GitHub OAuth activity and realized on Dec. 30 a Github OAuth token belonging to one of its customers was compromised by an unauthorized party.
The customer resolved the issue, but on Dec. 31 CircleCI decided to rotate all GitHub OAuth tokens on behalf of customers.
CircleCI said it considers the platform safe for customers to continue working, but it took several steps to boost security.
The company restricted access to its production environment to a limited number of employees and added authentication requirements. CircleCI also added MDM and antivirus solutions aimed at specific behavior used by the outside actor.
Customers should check for any suspicious behavior starting from Dec.16.