Researchers warned that the recent CircleCI security breach affects not only organizations using the CircleCI development platform, but also the third-party services integrated with it, including GitHub, AWS, GCP, and Azure.
Following the CircleCI security breach disclosed on Jan. 4, when the company urged its users to rotate all secrets stored in the platform, researchers at Mitiga published a technical blog today highlighting the potential impact of the incident on other SaaS and cloud providers that interact with the CircleCI platform, and offering further guidance on how organizations can comprehensively detect malicious activity across those third-party applications.
“While using the Circle platform, you integrate the platform with other SaaS and Cloud providers your company uses. For each integration, you need to provide the CircleCI platform with authentication tokens and secrets,” the blog post explained. “When a security incident involves your CircleCI platform, not only is your CircleCI platform in danger, [so are] all other SaaS platforms and cloud providers integrated with CircleCI...since their secrets are stored within the CircleCI platform and can be used by a threat actor to expand their foothold.”
Besides following CircleCI’s original recommendation to rotate all secrets stored in CircleCI, Mitiga said users should also hunt for malicious activity on all of their other SaaS and cloud platforms, since rotating a secret does not undo what an attacker may already have done with it.
For example, because CircleCI authenticates to GitHub using a personal access token (PAT), an SSH key, or a locally generated public/private key pair, users should hunt for suspicious GitHub activity originating from the user account CircleCI authenticates as. In some cases the key used by CircleCI belongs to a DevOps engineer’s personal GitHub account rather than a dedicated service account, which makes the hunt much harder because legitimate interactive use and CircleCI’s automated use share the same identity.
Specifically, the blog suggests looking for Git operations such as git.clone, git.fetch, and git.pull in the GitHub audit log, and examining the “actor_location” field of those entries for connections from locations the account has not been seen from before.
“It is possible to authenticate to github.com using the CircleCI user and manually view the Security log available in the user settings. In this log, the source IP is enabled by default, and it is possible to hunt for abnormal connections and operations originating from new IPs,” the blog post added.
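The hunt described above can be scripted once the audit log has been exported. The following is an added example, not code from the Mitiga post or from CircleCI or GitHub: it reads a small set of constructed audit-log records (made up for this example; the field names action, actor, created_at, repo, actor_ip and actor_location.country_code are modeled on the GitHub audit-log JSON export and are an assumption), builds a baseline of the (IP, country) pairs the CircleCI account used during a period the analyst trusts, and flags any later git.clone, git.fetch or git.pull event from a source not in that baseline. The account name "circleci-bot" and the Dec. 15 cut-off are assumptions chosen for the sample.

```python
"""Hunt a GitHub audit-log export for Git operations by the CircleCI account
that come from a source (IP, country) not seen during a trusted period.
Added example; the record shape and sample data are assumptions."""
import json
from datetime import datetime, timezone

# Git operations the Mitiga post tells users to look for.
GIT_ACTIONS = {"git.clone", "git.fetch", "git.pull"}

# Constructed sample records in the shape of a GitHub audit-log JSON export.
# Addresses are documentation ranges (RFC 5737); none of this is real log data.
SAMPLE_AUDIT_LOG = json.dumps([
    {"action": "git.clone", "actor": "circleci-bot", "created_at": "2022-12-01T10:00:00Z",
     "repo": "acme/api", "actor_ip": "203.0.113.10", "actor_location": {"country_code": "US"}},
    {"action": "git.fetch", "actor": "circleci-bot", "created_at": "2022-12-03T11:30:00Z",
     "repo": "acme/api", "actor_ip": "203.0.113.11", "actor_location": {"country_code": "US"}},
    # Known source after the cut-off: should not be flagged.
    {"action": "git.clone", "actor": "circleci-bot", "created_at": "2022-12-20T09:05:00Z",
     "repo": "acme/web", "actor_ip": "203.0.113.10", "actor_location": {"country_code": "US"}},
    # New IP and country: should be flagged.
    {"action": "git.clone", "actor": "circleci-bot", "created_at": "2022-12-22T03:14:00Z",
     "repo": "acme/api", "actor_ip": "198.51.100.77", "actor_location": {"country_code": "NL"}},
    # Same new source but not a Git operation: outside the scope of this hunt.
    {"action": "repo.access", "actor": "circleci-bot", "created_at": "2022-12-22T03:15:00Z",
     "repo": "acme/api", "actor_ip": "198.51.100.77", "actor_location": {"country_code": "NL"}},
    # Different actor: not our concern here.
    {"action": "git.pull", "actor": "alice", "created_at": "2022-12-23T14:00:00Z",
     "repo": "acme/api", "actor_ip": "192.0.2.5", "actor_location": {"country_code": "DE"}},
    # IP not recorded, only a country; still a new source, so flagged.
    {"action": "git.clone", "actor": "circleci-bot", "created_at": "2022-12-24T01:00:00Z",
     "repo": "acme/infra", "actor_location": {"country_code": "GB"}},
])

# End of the period the analyst trusts as a baseline (assumed for the sample).
KNOWN_GOOD_END = datetime(2022, 12, 15, tzinfo=timezone.utc)


def parse_audit_log(raw):
    """Load the export and attach a timezone-aware timestamp to each record."""
    entries = json.loads(raw)
    for entry in entries:
        entry["_ts"] = datetime.fromisoformat(entry["created_at"].replace("Z", "+00:00"))
    return entries


def source_of(entry):
    """(actor_ip, country_code) for a record; either part may be missing."""
    location = entry.get("actor_location") or {}
    return (entry.get("actor_ip"), location.get("country_code"))


def build_baseline(entries, actor, known_good_end):
    """Set of sources the actor used before known_good_end."""
    return {source_of(e) for e in entries
            if e["actor"] == actor and e["_ts"] < known_good_end}


def hunt(entries, actor, known_good_end):
    """Git operations by `actor` after known_good_end from a source not in the baseline."""
    baseline = build_baseline(entries, actor, known_good_end)
    flagged = []
    for entry in entries:
        if entry["actor"] != actor or entry["_ts"] < known_good_end:
            continue
        if entry["action"] not in GIT_ACTIONS:
            continue
        ip, country = source_of(entry)
        if (ip, country) not in baseline:
            flagged.append({"created_at": entry["created_at"], "action": entry["action"],
                            "repo": entry["repo"], "actor_ip": ip, "country_code": country})
    return flagged


if __name__ == "__main__":
    for hit in hunt(parse_audit_log(SAMPLE_AUDIT_LOG), "circleci-bot", KNOWN_GOOD_END):
        print(hit)
```

Two caveats apply in practice. A baseline keyed on source only catches an attacker who replays the stolen token from their own infrastructure; if they drive the token through CircleCI itself, the traffic will match the baseline, so the hits should be cross-checked against which repositories were cloned and when builds actually ran. And where the token belongs to a developer's personal account, as the Mitiga post warns, the baseline will contain that developer's own locations, so narrowing the hunt to the repositories CircleCI has no reason to touch is usually more productive than widening the action set.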
Detailed technical guides for hunting suspicious activity on AWS, GCP, and Azure are also available in the blog post, alongside the GitHub guide.
Since the security incident disclosed on Jan. 4, CircleCI has continued to post updates on its incident response. According to its latest advisory, the company says it has mitigated the risk that led to the incident and completed the rotation of GitHub OAuth tokens on behalf of customers.
The CircleCI team did not directly respond to SC Media’s inquiry about the incident’s risk to third-party applications, but said it is committed to publicly releasing an incident report on Jan. 17.
SC Media has reached out to GitHub, AWS, Google and Microsoft for comment on the findings.
An AWS spokesperson declined to answer questions, instead pointing SC Media to a section of the company’s website describing its “shared responsibility model” for cloud security, which explains that AWS is responsible for securing the cloud infrastructure under its control while the customer is responsible for configuration and integration issues.
For the full Mitiga technical report, click here.