Tag Archive for: Engineers

Malware Attack on CircleCI Engineer’s Laptop Leads to Recent Security Incident


Jan 14, 2023 | Ravie Lakshmanan | DevOps / Data Security


DevOps platform CircleCI on Friday disclosed that unidentified threat actors compromised an employee’s laptop and leveraged malware to steal their two-factor authentication-backed credentials to breach the company’s systems and data last month.

The CI/CD service CircleCI said the “sophisticated attack” took place on December 16, 2022, and that the malware went undetected by its antivirus software.

“The malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems,” Rob Zuber, CircleCI’s chief technology officer, said in an incident report.

Further analysis of the security lapse revealed that the unauthorized third party pilfered data from a subset of its databases by abusing the elevated permissions granted to the targeted employee. This included customer environment variables, tokens, and keys.

The threat actor is believed to have engaged in reconnaissance activity on December 19, 2022, following it up by carrying out the data exfiltration step on December 22, 2022.

“Though all the data exfiltrated was encrypted at rest, the third-party extracted encryption keys from a running process, enabling them to potentially access the encrypted data,” Zuber said.

The development comes a little over a week after CircleCI urged its customers to rotate all their secrets, which it said was necessitated after it was alerted to “suspicious GitHub OAuth activity” by one of its customers on December 29, 2022.

Upon learning that the customer’s OAuth token had been compromised, it proactively took the step of rotating all GitHub OAuth tokens, the company stated, adding it worked with Atlassian to rotate all Bitbucket tokens, revoked Project API Tokens and Personal API Tokens, and notified customers of potentially affected AWS tokens.

Besides limiting access to production environments, CircleCI said it has incorporated more authentication guardrails to prevent illegitimate access even if the credentials are stolen.

It further plans to initiate periodic automatic OAuth token rotation for all customers to deter such…

Source…

CircleCI probe links malware placed on engineer’s laptop to larger breach


CircleCI said an unauthorized third party leveraged malware on the laptop of one of its engineers to steal a valid 2FA-backed single-sign-on session, according to a highly anticipated report stemming from a security incident disclosed earlier this month.

The engineer’s laptop was compromised on Dec. 16, but the company’s antivirus software failed to detect the malware, the company said. 

“Our investigation indicates that the malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location and then escalate across to a subset of our production systems,” CircleCI CTO Rob Zuber explained in the updated blog post.

Fewer than five customers have said they experienced unauthorized access to third-party systems, the company said.

The engineer had privileges to generate production access tokens, so the third party was able to exfiltrate data from a subset of databases and stores, including customer environment variables, tokens and keys, according to the blog post.

CircleCI strongly defended the employee in the report, emphasizing the incident was not due to the actions of any one person, but a collective failure of various systems. 

“While one employee’s laptop was exploited through this sophisticated attack, a security incident is a systems failure,” Zuber said in the blog post. “Our responsibility as an organization is to build layers of safeguards that protect against all attack vectors.”

The threat actor did reconnaissance activity on Dec. 19 and the exfiltration took place on Dec. 22. 

“Though all the data exfiltrated was encrypted at rest, the third party extracted encryption keys from a running process, enabling them to potentially access the encrypted data,” Zuber said.

By Dec. 29, the company was alerted to suspicious GitHub OAuth activity and realized on Dec. 30 that a GitHub OAuth token belonging to one of its customers had been compromised by an unauthorized party.

The customer resolved the issue, but on Dec. 31 CircleCI decided to rotate all GitHub OAuth tokens on behalf of customers. 

CircleCI said it considers the platform safe for customers to…

Source…

Engineers build a lower-energy chip that can prevent hackers from extracting hidden information from a smart device


[Image: chip. Credit: CC0 Public Domain]

A heart attack patient, recently discharged from the hospital, is using a smartwatch to help monitor his electrocardiogram signals. The smartwatch may seem secure, but the neural network processing that health information is using private data that could still be stolen by a malicious agent through a side-channel attack.

A side-channel attack seeks to gather secret information by indirectly exploiting a system or its hardware. In one type of side-channel attack, a savvy hacker could monitor fluctuations in the device’s power consumption while the neural network is operating to extract protected information that “leaks” out of the device.

“In the movies, when people want to open locked safes, they listen to the clicks of the lock as they turn it. That reveals that probably turning the lock in this direction will help them proceed further. That is what a side-channel attack is. It is just exploiting unintended information and using it to predict what is going on inside the device,” says Saurav Maji, a graduate student in MIT’s Department of Electrical Engineering and Computer Science (EECS) and lead author of a paper that tackles this issue.

Current methods that can prevent some side-channel attacks are notoriously power-intensive, so they often aren’t feasible for internet-of-things (IoT) devices like smartwatches, which rely on lower-power computation.

Now, Maji and his collaborators have built an integrated circuit chip that can defend against power side-channel attacks while using much less energy than a common security technique. The chip, smaller than a thumbnail, could be incorporated into a smartwatch, smartphone, or tablet to perform secure machine learning computations on sensor values.

“The goal of this project is to build an integrated circuit that does machine learning on the edge, so that it is still low-power but can protect against these side channel attacks so we don’t lose the privacy of these models,” says Anantha Chandrakasan, the dean of the MIT School…

Source…

Team of Panther engineers creates breakthrough technology to detect illegal Bitcoin mining on everyday users’ computers | FIU News


Cryptocurrencies may be the way of the future. At least, that’s what many are betting on.

Entrepreneurs and companies are buying, selling and investing funds in cryptocurrencies like Bitcoin. Some retailers are accepting payments in cryptocurrency already. And, most recently, Miami Mayor Francis Suarez proposed that the city begin using Bitcoin for some of its financial transactions, including for employee salaries.

The popularity of cryptocurrencies is attracting a number of people – including hackers. Hackers are currently finding low-cost ways to “mine” Bitcoin and other cryptocurrency illegally by tapping into everyday people’s computers and using those machines’ resources without their consent. The result? Hackers make millions mining cryptocurrency using other people’s computers. Meanwhile, the victims often find their computers slow down and become impossible to use without realizing what’s going on.

This form of hacking – called “cryptojacking” – is happening across the world at astonishing rates. Miners have not only hacked into regular folks’ computers, but they’ve also hacked into major businesses, retailers and governmental agencies to use their servers and machines.

Faraz Naseem ’18, MS ’20, is working to find a solution. Naseem works at FIU’s Cyber-Physical Systems Security Lab, part of the College of Engineering and Computing. Under the supervision of the lab’s director Selcuk Uluagac, Naseem, postdoctoral researcher Ahmet Aris, researcher and lab member Leonardo Babun ’15, MS ’19, PhD ’20, and current electrical and computer engineering master’s student Ege Tekiner created novel software to address the problem.

The team created a first-of-its-kind software that detects cryptojacking happening in real-time with an accuracy rate of nearly 99 percent.

“We are one of the first in the world to identify cryptojacking,” says Uluagac, who is also an eminent scholar-chaired associate professor in the Department of Electrical and Computer Engineering and Knight Foundation School of Computing and Information Sciences. “As Bitcoin technology becomes more prevalent, we will need these types of protections. Miami is already in the…

Source…