Request a Consultation
We use cookies to enhance your experience of our website, save your preferences and provide us with information on how you use our website. For more information please read our Privacy Policy. By using our website without changing your browser settings you consent to our use of cookies.
Jan. 20, 2023 CircleCI Data Breach Highlights Need for a Proactive Approach to Security
5 minutes read
CircleCI Data Breach Highlights Need for a Proactive Approach to Security

The DevOps platform, CircleCI, confirmed a breach on December 29, 2022. On discovery, they alerted users that their GitHub OAuth tokens could be compromised and started proactively rotating OAuth tokens on December 31, 2022.

In a blog post on January 13, 2023, the company confirmed that some customer data sourced from a CircleCI engineer’s laptop was stolen; the potential point of entry was a malicious app called PTX-Player.dmg. This PTX-Player is a malicious app that claims it can open raw images. MacOS’s Gatekeeper, Notarization, XProtect, or even CircleCI’s antivirus software did not detect this infringement. The malware would have installed remote screen share tools such as Splashtop and Screenconnect and created a Command & Control (C2) to a domain owned by potrax[.]com.

Adversaries stole session tokens to internally hosted applications, including production servers, and allowed them to exfiltrate CircleCI customers’ OAuth tokens and expose client intellectual property.

Reactive and Proactive Responses to Harden Against Similar Attacks

The CircleCI security breach is an example of a lack of layered defenses. In the blog post, while acknowledging the attack, CircleCI suggested the following enhancements:

“We have taken many steps since becoming aware of this attack, both to close the attack vector and add additional layers of security, including the following:

  • Added detection and blocking through our MDM and A/V solutions for the specific behaviors exhibited by the malware in this attack.
  • Restricted access to production environments to a very limited number of employees as we implement additional security measures. We’re confident in our platform’s security, and we have no indication that any other employee’s device has been compromised.
  • For the employees who retain production access, we have added additional step-up authentication steps and controls. This will help us prevent possible unauthorized production access, even in the case of a stolen 2FA-backed SSO session.
  • Implemented monitoring and alerting for the specific behavior patterns we identified in this scenario, across multiple triggers and via a variety of third-party vendors.

We know that security work is never done. In addition to closing this particular vector, we have also performed enhanced and ongoing reviews to ensure a stronger defense against potential attacks.”

The suggested enhancements are reactive. CircleCI needs to consider proactive controls instead. In addition to the mentioned list, organizations should consider the following controls to protect themselves from similar attacks:

  • Third-party Risk Assessments: Conduct regular risk assessments to determine the effectiveness of security policies and tools. The risk assessment should cover both the process and the technical side and include all security products, such as antivirus tools and MDM solutions. Run penetration tests to understand the tool's limitations, impact on the business, and quantization of business risk.
  • Maintain an inventory of corporate-owned devices: CircleCI claimed an adversary could capture the session token and remotely exfiltrate the data. Therefore, CircleCI must enforce access only via corporate-owned devices. This restriction would impede external access.
  • Enable managed-admin or supervised-admin roles: Individuals handling intellectual property must have managed or restricted admin roles. For example, they would be prohibited from downloading apps directly from browsers or untrusted sources. Additionally, leverage a notarization service that scans software for malicious content and checks for code-signing issues before installation.
  • Corporate containers on Bring Your Own Device (BYOD): MDM solutions allow corporate containers on devices running macOS, iOS, Android, and specific versions of Windows. For contingent and temporary staff, this control should be enforced. Ensure this control works on a zero-trust model so that data from the personal container is not copied to the corporate container and vice versa.

Conclusion

Data breach for any company is unnerving. CircleCI did an admirable job at being transparent, but security should always be a proactive process. One must take a proactive approach and validate security controls and tools. Lastly, security should be open to innovation. Heightened security controls should not block innovation. Currently there are many known tools and techniques that not only enhance security but also allows the organization to be nimble and innovative.

About the Author 

Swapnil Deshmukh is CTO & co-founder of Certus Cybersecurity. A product security thought leader and subject matter expert, Swapnil is responsible for leading the company's global team of security engineers.

Contact Us
Ready to get started? Book a free consultation today, and we’ll write you back within 24 hours. For further inquiries, please submit the form at right. By submitting completed “Book a Free Consultation” form, your personal data will be processed by Certus Cybersecurity. Please read our Privacy Notice for more information.