Post-CircleCI Breach, Focus on Identity Security Strategy

February 7, 2023 Andrey Pozhogin

Post-CircleCI Breach, Focus on Identity Security Strategy

When news of the recent CircleCI breach broke, developers everywhere scrambled to rotate tokens and remove hardcoded secrets stored in the popular CI/CD platform to minimize their exposure. Now that the dust has settled and more details are available, we’re reexamining the CircleCI attack chain to highlight the importance of a holistic Identity Security strategy in thwarting future damaging attacks.

Analyzing the CircleCI Identity Attack Chain

1. Infect an Employee’s Endpoint Device

The laptop of a CircleCI engineer – an employee with privileged access rights – was infected with malware, which was not detected by the company’s antivirus software.

Learning: Mitigating the risk of social engineering and phishing attacks while closing other endpoint security gaps requires a strong mix of integrated tools and processes – there isn’t one tool that can do it all. Endpoint privilege management is one foundational control that every organization needs to consider carefully. Removing local admin rights, replacing them with controlled just-in-time elevation and enforcing least privilege can help ensure that an honest mistake does not lead to downloading and installing malware in the first place.

2. Steal Employee Session Tokens

An unauthorized third party used the malware to steal the employee’s single sign-on session tokens. By keeping the employee’s web sessions open and active, the attacker successfully bypassed multifactor authentication (MFA) safeguards in place.

Learning: Stealing session tokens, cookies and other types of post-MFA tokens is an increasingly popular technique because it enables attackers to bypass authentication and authorization prompts. Once a legitimate user has authenticated using MFA, that token or cookie is created on the endpoint as a piece of trust and an attacker can use it for later access. This technique is also relatively easy to pull off. While many attacks (including this CircleCI incident) require elevated privileges to install malicious software on an endpoint, token and cookie hijacking can be accomplished without them.

As more companies embrace adaptive MFA controls to maintain balance between security and simpler and smoother user experience, token and cookie hijacking will continue to gain traction as these techniques provide a way of bypassing MFA measures. To mitigate risk, MFA systems should be strengthened with endpoint privilege security controls that detect and block credential theft – including post-MFA token theft – at the start of an attack before they’re used to access critical business and cloud services. An all-encompassing approach will also give security teams a flexible, yet consistent way to implement privilege and application control. Incorporating capabilities to monitor and audit end-user activity in designated web applications can also help secure user sessions from threats originating on the endpoint and curb prohibited data exfiltration by workforce users, such as downloading or copying sensitive files.

3. Establish Persistence and Move Laterally

By using the stolen tokens, the attackers were able to impersonate the CircleCI engineer to move laterally and vertically through the network and establish persistence. Eventually, the attacker was able to gain access to a subset of the company’s production systems.

Learning: According to CircleCI’s investigation, the attacker spent a few days conducting reconnaissance before stealing data. When organizations have continuous threat detection capabilities in place, dwell times like this represent a big opportunity to detect and block attacks from causing damage. And by applying AI-based user behavior analytics, one careless move (such as accessing the network from an unusual location or time of day while doing recon) could be all it takes to unmask the attacker impersonating a legitimate privileged user.

4. Gather and Exfiltrate Data

According to CircleCI, “Because the targeted employee had privileges to generate production access tokens as part of the employee’s regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys.” Customers were urged to rotate “any and all secrets” stored in CircleCI, review their own system logs and watch out for suspicious activity in integrated SaaS applications and public cloud environments.

Learning: For most organizations, manually rotating every secret isn’t simple exercise. For one thing, there are TONS of secrets out there. More precisely, there are 45 non-human identities for every one human identity, and 68% of them use secrets and other credentials to access sensitive corporate resources. Second, these secrets are often hardcoded to save time and effort and can be found in source code in private or even public repositories (e.g., on GitHub), scripts, configuration files and CI/CD pipeline code. But after a cyber incident, for example in a supply chain, when there’s an urgent need to rotate these secrets, developers often end up losing more time manually hunting them down to rotate. Meanwhile, attackers actively target hardcoded secrets to gain high-level access and escalate privileges, as seen in last year’s Uber breach.

The CircleCI breach is just one of many recent reminders that intelligent privilege controls must cover every single identity – not just those linked to people. Non-human and machine identities – and the secrets and other credentials they use must be managed in a similar fashion. A centralized secrets management system makes it possible to authenticate, authorize and audit non-human access, while automatically rotating credentials, when needed, and removing static secrets from all scripts and source code.

A Massive Circle of Impact

The CircleCI breach not only impacted one of the world’s most widely used CI/CD platforms, it also put millions of organizations at risk. By tricking just one employee, the attacker was able to work their way through CircleCI’s corporate IT infrastructure, steal sensitive company data and use hardcoded and unprotected secrets to potentially reach further into customer environments. As a result, CircleCI customers had to pause important work and spend valuable development and DevOps resources updating their own code to mitigate risk and potential exposure.

Protecting your enterprise from future identity-based attacks requires a unified Identity Security strategy that removes silos, enhances visibility and automates time-intensive tasks. Empowered, security teams can enable secure access to all resources – on endpoints, in DevOps pipelines, across cloud environments and everywhere else – to measurably reduce risk and stay one step ahead of threats.

Previous Article
Udi Mokady to Step into Executive Chair Role and Matt Cohen to Become CEO
Udi Mokady to Step into Executive Chair Role and Matt Cohen to Become CEO

Today, CyberArk announced that our founder and CEO Udi Mokady will step into the role of Executive Chairman...

Next Article
The Linux Kernel and the Cursed Driver
The Linux Kernel and the Cursed Driver

Introduction NTFS is a filesystem developed by Microsoft that was introduced in 1993. Since then, it has be...