CircleCI disclosed a security incident in which an unauthorized third party, starting from a compromised engineer's laptop, stole session cookies and keys and gained access to production environments. The company rotated secrets, expanded its security measures, and released new tooling to help customers secure their own systems.
Keypoints
- Incident timeline begins with suspicious GitHub OAuth activity reported on December 29, 2022 and a compromised GitHub OAuth token on December 30, 2022.
- CircleCI proactively rotated GitHub OAuth tokens for customers on December 31, 2022 and expanded the scope as investigations progressed.
- An unauthorized third party leveraged malware on a CircleCI engineer’s laptop (compromised December 16, 2022) to steal a valid 2FA-backed SSO session and access production systems.
- Exfiltration occurred starting December 22, 2022, with data including environment variables, tokens, and keys; encryption at rest did not fully prevent access because keys were extracted from a running process.
- CircleCI implemented actions to contain the breach (token rotations, restricted production access, rotating hosts) and began broader security enhancements.
- Communication with customers was ongoing, including emails, blog posts, and new tools to help with secret rotation and auditing.
- Indicators of compromise include specific IPs, domains, malicious files, and commands to review (e.g., repo.download_zip) to aid investigations.
MITRE Techniques
- [T1539] Steal Web Session Cookie – Malware on the engineer's laptop stole a valid session cookie, allowing the attacker to impersonate the employee from a remote location and then escalate to a subset of CircleCI's production systems. [“the malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems.”]
- [T1078] Valid Accounts – The attacker used a stolen, 2FA-backed SSO session to impersonate the employee and access production environments. [“steal a valid, 2FA-backed SSO session”]
- [T1041] Exfiltration – Environment variables, tokens, and keys were exfiltrated even though the data was encrypted at rest, because the attacker extracted the encryption keys from a running process. [“exfiltration occurred, and that is our last record of unauthorized activity in our production systems. Though all the data exfiltrated was encrypted at rest, the third party extracted encryption keys from a running process.”]
- [T1562.001] Impair Defenses – The malware was not detected by CircleCI's antivirus software, illustrating defense evasion during the intrusion. [“The malware was not detected by our antivirus software.”]
Indicators of Compromise
- [IP Address] Observed as used by threat actor – 178.249.214.10, 89.36.78.75, 89.36.78.109, 89.36.78.135, 178.249.214.25, 72.18.132.58, 188.68.229.52, 111.90.149.55
- [Organization/Service] Data centers and VPN providers used by threat actor – Datacamp Limited; Globalaxs Quebec Noc; Handy Networks, LLC; Mullvad VPN
- [File] Malicious files to search for and remove – PTX-Player.dmg (SHA256: 8913e38592228adc067d82f66c150d87004ec946e579d4a00c53b61444ff35bf), PTX.app, and 2 more hashes
- [Domain] Block the following domain – potrax[.]com
- [Event/Command] Review GitHub audit log files for unexpected commands – repo.download_zip
- [Credential] Exposed secrets – environment variables, tokens
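The audit-log review the report asks for, as an added example that is not part of the original report or CircleCI's tooling: it loads a GitHub audit-log JSON export and flags in-window events that either carry the repo.download_zip action or originate from one of the IPs listed above. The field names (action, actor, actor_ip, repo, @timestamp in epoch milliseconds) and the sample events are assumptions constructed for the example.

```python
import json
from datetime import datetime, timezone

# IP addresses the report lists as used by the threat actor.
ACTOR_IPS = {"178.249.214.10", "89.36.78.75", "89.36.78.109", "89.36.78.135",
             "178.249.214.25", "72.18.132.58", "188.68.229.52", "111.90.149.55"}
# Audit-log action the report asks customers to review.
SUSPECT_ACTIONS = {"repo.download_zip"}
# Review window: engineer laptop compromise (Dec 16, 2022) up to the first
# customer token rotation (Dec 31, 2022), inclusive, as UTC datetimes.
WINDOW = (datetime(2022, 12, 16, tzinfo=timezone.utc),
          datetime(2023, 1, 1, tzinfo=timezone.utc))

# Constructed sample export. The field names (action, actor, actor_ip, repo,
# @timestamp in epoch milliseconds) are assumptions about GitHub's audit-log
# JSON export; adjust them to match your organization's export.
SAMPLE_EXPORT = json.dumps([
    {"action": "repo.download_zip", "actor": "ci-bot", "actor_ip": "89.36.78.75",
     "repo": "acme/payments", "@timestamp": 1671753600000},  # 2022-12-23
    {"action": "repo.download_zip", "actor": "dev1", "actor_ip": "203.0.113.9",
     "repo": "acme/docs", "@timestamp": 1671840000000},      # 2022-12-24
    {"action": "git.clone", "actor": "dev2", "actor_ip": "178.249.214.10",
     "repo": "acme/infra", "@timestamp": 1672099200000},     # 2022-12-27
    {"action": "repo.download_zip", "actor": "dev3", "actor_ip": "203.0.113.10",
     "repo": "acme/web", "@timestamp": 1668816000000},       # 2022-11-19: outside window
])

def parse_export(text):
    """Load a JSON-array export and attach a UTC datetime to each event."""
    events = json.loads(text)
    for ev in events:
        ev["when"] = datetime.fromtimestamp(ev["@timestamp"] / 1000, tz=timezone.utc)
    return events

def triage(events):
    """Return in-window events that match an IoC, tagged with each reason that fired."""
    hits = []
    for ev in events:
        if not WINDOW[0] <= ev["when"] < WINDOW[1]:
            continue
        reasons = []
        if ev.get("action") in SUSPECT_ACTIONS:
            reasons.append("suspect action")
        if ev.get("actor_ip") in ACTOR_IPS:
            reasons.append("known actor IP")
        if reasons:
            hits.append({"repo": ev.get("repo"), "actor": ev.get("actor"),
                         "ip": ev.get("actor_ip"), "action": ev.get("action"),
                         "reasons": reasons})
    return hits
```

An entry with both reasons (suspect action from a listed IP) is the strongest lead; an action match alone still needs the actor's normal behaviour checked before it is treated as unauthorized.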
Read more: https://circleci.com/blog/jan-4-2023-incident-report/