Following a possible breach, CircleCI published yesterday a security alert urging their customers to rotate all CircleCI secrets, specifically API keys and tokens, to prevent supply chain attacks. In such attacks, attackers may use stolen API keys to penetrate CircleCI customers’ core systems to exfiltrate sensitive code and business data, insert malware or create business disruption.
Until more information is provided by CircleCI we recommend disconnecting CircleCI from valuable assets and rotating all tokens and secrets provided to CircleCI. It is most probable that more information will be shared from CircleCI to you directly, and via CircleCI’s Twitter or blog.
CircleCI is a popular CI/CD productivity tool connected to probably thousands of organizations’ core systems such as GitHub, Gitlab, Azure, AWS, GCP, Kubernetes, Slack, HashiCorp, and many more.
As part of build and deployment processes, DevOps and R&D teams create multiple connections by providing CircleCI powerful tokens to access their organization’s core systems. These tokens are stored in the CircleCI environment, which is now suspected to be compromised by threat actors.
To understand if your organization is at risk, it’s important you quickly understand whether CircleCI service is used within your organization and what core systems are connected to it so that you can rotate all the secrets used by the connections across all types of connections – Apps, API and SSH keys and webhooks.
However, detecting all the connections might be a tedious and time-consuming task since these connections are usually created without any governance of the security team or proper vetting process and documentation.
For your convenience, we have listed below common connections to CircleCI from organizations’ core systems (based on our continuous observations), and the recommended remediation steps required.
Please note, due to the functionality of CircleCI, removing the access, or even just regenerating tokens without providing them again to CircleCI would impact your CICD pipeline. Therefore, we highly recommend working with the relevant platform owners and assessing your risk according to business needs.
GitHub
- API keys & SSH keys – these tokens are issued and provided to CIrcleCI to sustain automatic processes. We suggest contacting the owner of the token and asking them to rotate it carefully.
- GitHub apps – Upon installation GitHub’s clients are granted a secret allowing it to request a temporary access token. As a precaution, we recommend uninstalling the app in order to prevent access.
- OAuth apps – This is a legacy connection type to GitHub, which is not recommended anymore and we suggest moving to GitHub apps in general. Verify if you have an OAuth app of CircleCI and remove it.
- Unsigned Webhooks – Webhooks in GitHub send events from your GitHub to a third-party server. Being unsigned means the malicious actor can take advantage of the webhook URL address to trigger manipulation that could affect your environment. We recommend verifying that all webhooks are signed.
Slack
- CircleCI Marketplace Slack apps send notifications to dedicated channels through unsigned webhooks. We suggest disabling the app or webhooks or uninstalling the app. You can regenerate the webhook URL and provide it to CircleCI.
- In addition, we recommend that no internal app with the relevant name be created as part of a home-grown process or integration.
Snowflake
Access to Snowflake is done using a “user” account and providing its credential to CircleCI, making it a “service account”. We recommend suspending its access by removing its roles or disabling the account.
CircleCI Project APIs
API tokens generated within CircleCI to provide access to your CircleCI account. CircleCI invalidated these tokens, so no further action is required from a security point of view. However, notice that this might cause unexpected operational side effects.
How Astrix can help
Our security platform can help you minimize your attack surface quickly, by detecting connections of your core systems to the CircleCI service as critical connection risks and providing you with recommended remediation steps and our security expert knowledge.
Contact us to learn more and get our security expert assistance.
