Continuous integration and delivery service providers CircleCi is suspecting foul play in its systems and is urging its users to take action and protect their accounts while it investigates the matter further.
In a post (opens in new tab) on its company blog, CircleCi asked its customers to immediately rotate any and all secrets stored in its systems. “These may be stored in project environment variables or in contexts”.
Furthermore, CircleCi recommends its customers review internal logs for their systems, and look for any unauthorized access starting from December 21, 2022 through January 4, 2023, or until the moment all secrets had been rotated. Finally, CircleCI said it invalidated all Project API tokens, forcing users to replace them. Further information on how that can be done can be found on this link (opens in new tab).
An apology and no explanation
“We apologize for any disruption to your work,” the post notes. “We take the security of our systems and our customers’ systems extremely seriously. While we are actively investigating this incident, we are committed to sharing more details with customers in the coming days.”
The company did not disclose any additional details about the security incident it’s currently investigating, so we don’t know if any malware or viruses were deployed on its endpoints (opens in new tab).
“At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well,” the post reads.
While details are scarce, BleepingComputer found a report by security engineer Daniel Hückmann, who said he spotted one of the IP addresses associated with the attack (54.145.167.181). According to the publication, this is the type of information that can help incident response teams during their investigations.
“Search cloudtrail logs for events from this IP,” he said. “I expect there are other indicators, but this one is high fidelity.”