The DevOps platform, CircleCI, confirmed a breach on December 29, 2022. On discovery, they alerted users that their GitHub OAuth tokens could be compromised and started proactively rotating OAuth tokens on December 31, 2022.
In a blog post on January 13, 2023, the company confirmed that some customer data sourced from a CircleCI engineer’s laptop was stolen; the potential point of entry was a malicious app called PTX-Player.dmg. This PTX-Player is a malicious app that claims it can open raw images. MacOS’s Gatekeeper, Notarization, XProtect, or even CircleCI’s antivirus software did not detect this infringement. The malware would have installed remote screen share tools such as Splashtop and Screenconnect and created a Command & Control (C2) to a domain owned by potrax[.]com.
Adversaries stole session tokens to internally hosted applications, including production servers, and allowed them to exfiltrate CircleCI customers’ OAuth tokens and expose client intellectual property.
Reactive and Proactive Responses to Harden Against Similar Attacks
The CircleCI security breach is an example of a lack of layered defenses. In the blog post, while acknowledging the attack, CircleCI suggested the following enhancements:
“We have taken many steps since becoming aware of this attack, both to close the attack vector and add additional layers of security, including the following:
We know that security work is never done. In addition to closing this particular vector, we have also performed enhanced and ongoing reviews to ensure a stronger defense against potential attacks.”
The suggested enhancements are reactive. CircleCI needs to consider proactive controls instead. In addition to the mentioned list, organizations should consider the following controls to protect themselves from similar attacks:
- Third-party Risk Assessments: Conduct regular risk assessments to determine the effectiveness of security policies and tools. The risk assessment should cover both the process and the technical side and include all security products, such as antivirus tools and MDM solutions. Run penetration tests to understand the tool's limitations, impact on the business, and quantization of business risk.
- Maintain an inventory of corporate-owned devices: CircleCI claimed an adversary could capture the session token and remotely exfiltrate the data. Therefore, CircleCI must enforce access only via corporate-owned devices. This restriction would impede external access.
- Enable managed-admin or supervised-admin roles: Individuals handling intellectual property must have managed or restricted admin roles. For example, they would be prohibited from downloading apps directly from browsers or untrusted sources. Additionally, leverage a notarization service that scans software for malicious content and checks for code-signing issues before installation.
- Corporate containers on Bring Your Own Device (BYOD): MDM solutions allow corporate containers on devices running macOS, iOS, Android, and specific versions of Windows. For contingent and temporary staff, this control should be enforced. Ensure this control works on a zero-trust model so that data from the personal container is not copied to the corporate container and vice versa.
Conclusion
Data breach for any company is unnerving. CircleCI did an admirable job at being transparent, but security should always be a proactive process. One must take a proactive approach and validate security controls and tools. Lastly, security should be open to innovation. Heightened security controls should not block innovation. Currently there are many known tools and techniques that not only enhance security but also allows the organization to be nimble and innovative.
About the Author
Swapnil Deshmukh is CTO & co-founder of Certus Cybersecurity. A product security thought leader and subject matter expert, Swapnil is responsible for leading the company's global team of security engineers.