{
"type" : "bundle" ,
"id" : "bundle--f2049d65-5315-4c37-9bbb-900c9b851204" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-19T08:20:21.000Z" ,
"modified" : "2023-01-19T08:20:21.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--f2049d65-5315-4c37-9bbb-900c9b851204" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-19T08:20:21.000Z" ,
"modified" : "2023-01-19T08:20:21.000Z" ,
"name" : "OSINT - CircleCI incident report for January 4, 2023 security incident" ,
"published" : "2023-01-19T08:21:21Z" ,
"object_refs" : [
"indicator--5eab642e-d3a5-4170-9aff-770721ce1f01" ,
"indicator--b0894935-86e3-49fe-99ee-767f8c551d84" ,
"indicator--9c1bc6dc-e391-46f5-bf31-dc501e06ddfb" ,
"indicator--9ad02845-5cfb-4494-89b4-1c3795e3d5bb" ,
"indicator--fc6531ee-17f5-4f4e-94d8-25b1b355b14f" ,
"indicator--4f008530-bf04-458c-98fc-5b45a6ae66db" ,
"indicator--268efcdc-a235-4ef2-a421-b66d0b9b0e7f" ,
"indicator--41b9f351-1bb3-4d8f-af7c-c018c050702b" ,
"indicator--4d7b64e3-6e7c-4275-b082-8b80534015c9" ,
"indicator--af9d8894-d05a-46d1-bfe6-8b478b30371a" ,
"indicator--89f779a8-ac43-46cf-bf35-adae33af9936" ,
"indicator--486b2d2f-12bd-4741-ae46-5838f798a10a" ,
"indicator--31150471-744f-47e5-9da9-9eceaac53ca4" ,
"indicator--5b6801c1-e72e-4841-b908-fefce6cdf8cf" ,
"indicator--413ee0ee-1509-4d44-bddd-9bde85e92562" ,
"x-misp-object--852a38c1-d1b2-43c3-8781-23b8de71e1a1" ,
"note--b2ec2f37-9bd6-4b0c-9c78-b6fef5b99260"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"misp-galaxy:mitre-attack-pattern=\"SSH - T1021.004\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"osint:certainty=\"50\"" ,
"tlp:clear"
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5eab642e-d3a5-4170-9aff-770721ce1f01" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-19T08:14:59.000Z" ,
"modified" : "2023-01-19T08:14:59.000Z" ,
"description" : "Malicious files to search for and remove:" ,
"pattern" : "[file:hashes.SHA256 = '8913e38592228adc067d82f66c150d87004ec946e579d4a00c53b61444ff35bf']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-19T08:14:59Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--b0894935-86e3-49fe-99ee-767f8c551d84" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-19T08:14:47.000Z" ,
"modified" : "2023-01-19T08:14:47.000Z" ,
"description" : "Malicious files to search for and remove:" ,
"pattern" : "[file:name = '/private/tmp/.svx856.log']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-19T08:14:47Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--9c1bc6dc-e391-46f5-bf31-dc501e06ddfb" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-19T08:16:06.000Z" ,
"modified" : "2023-01-19T08:16:06.000Z" ,
"description" : "Malicious files to search for and remove:" ,
"pattern" : "[file:name = '/private/tmp/.ptslog']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-19T08:16:06Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--9ad02845-5cfb-4494-89b4-1c3795e3d5bb" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-19T08:16:33.000Z" ,
"modified" : "2023-01-19T08:16:33.000Z" ,
"description" : "Review GitHub audit log files for unexpected commands such as:" ,
"pattern" : "[windows-registry-key:key = 'repo.download_zip']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-19T08:16:33Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--fc6531ee-17f5-4f4e-94d8-25b1b355b14f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-19T08:11:57.000Z" ,
"modified" : "2023-01-19T08:11:57.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '178.249.214.10']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-19T08:11:57Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--4f008530-bf04-458c-98fc-5b45a6ae66db" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-19T08:16:13.000Z" ,
"modified" : "2023-01-19T08:16:13.000Z" ,
"description" : "Malicious files to search for and remove:" ,
"pattern" : "[file:name = 'PTX-Player.dmg']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-19T08:16:13Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--268efcdc-a235-4ef2-a421-b66d0b9b0e7f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-19T08:11:57.000Z" ,
"modified" : "2023-01-19T08:11:57.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '178.249.214.25']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-19T08:11:57Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--41b9f351-1bb3-4d8f-af7c-c018c050702b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-19T08:11:57.000Z" ,
"modified" : "2023-01-19T08:11:57.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '111.90.149.55']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-19T08:11:57Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--4d7b64e3-6e7c-4275-b082-8b80534015c9" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-19T08:11:57.000Z" ,
"modified" : "2023-01-19T08:11:57.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '188.68.229.52']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-19T08:11:57Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--af9d8894-d05a-46d1-bfe6-8b478b30371a" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-19T08:11:57.000Z" ,
"modified" : "2023-01-19T08:11:57.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '72.18.132.58']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-19T08:11:57Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--89f779a8-ac43-46cf-bf35-adae33af9936" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-19T08:11:57.000Z" ,
"modified" : "2023-01-19T08:11:57.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '89.36.78.135']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-19T08:11:57Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--486b2d2f-12bd-4741-ae46-5838f798a10a" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-19T08:11:57.000Z" ,
"modified" : "2023-01-19T08:11:57.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '89.36.78.109']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-19T08:11:57Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--31150471-744f-47e5-9da9-9eceaac53ca4" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-19T08:14:13.000Z" ,
"modified" : "2023-01-19T08:14:13.000Z" ,
"description" : "Block the following domain" ,
"pattern" : "[domain-name:value = 'potrax.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-19T08:14:13Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b6801c1-e72e-4841-b908-fefce6cdf8cf" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-19T08:11:57.000Z" ,
"modified" : "2023-01-19T08:11:57.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '89.36.78.75']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-19T08:11:57Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--413ee0ee-1509-4d44-bddd-9bde85e92562" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-19T08:14:36.000Z" ,
"modified" : "2023-01-19T08:14:36.000Z" ,
"description" : "Malicious files to search for and remove:" ,
"pattern" : "[domain-name:value = 'ptx.app']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-19T08:14:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--852a38c1-d1b2-43c3-8781-23b8de71e1a1" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-19T08:10:25.000Z" ,
"modified" : "2023-01-19T08:10:25.000Z" ,
"labels" : [
"misp:name=\"report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "link" ,
"value" : "https://circleci.com/blog/jan-4-2023-incident-report/" ,
"category" : "External analysis" ,
"uuid" : "c342b42b-b831-4dd3-b01b-f496ec048e8b"
} ,
{
"type" : "text" ,
"object_relation" : "summary" ,
"value" : "On January 4, 2023, we alerted customers to a security incident. Today, we want to share with you what happened, what we\u2019ve learned, and what our plans are to continuously improve our security posture for the future.\r\n\r\nWe would like to thank our customers for your attention to rotating and revoking secrets, and apologize for any disruption this incident may have caused to your work. We encourage customers who have yet to take action to do so in order to prevent unauthorized access to third-party systems and stores. Additionally, we want to thank our customers and our community for your patience while we have been conducting a thorough investigation. In aiming for responsible disclosure, we have done our best to balance speed in sharing information with maintaining the integrity of our investigation." ,
"category" : "Other" ,
"uuid" : "2a8dc7bd-ec90-49b3-bfda-2117bd548733"
} ,
{
"type" : "text" ,
"object_relation" : "type" ,
"value" : "Report" ,
"category" : "Other" ,
"uuid" : "7d775b15-8637-4e98-a4bc-bd74a19ce591"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "report"
} ,
{
"type" : "note" ,
"spec_version" : "2.1" ,
"id" : "note--b2ec2f37-9bd6-4b0c-9c78-b6fef5b99260" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-19T08:12:25.000Z" ,
"modified" : "2023-01-19T08:12:25.000Z" ,
"abstract" : "Report from - https://circleci.com/blog/jan-4-2023-incident-report/ (1674115837)" ,
"content" : "Share on @[tag](misp-galaxy:amitt-misinformation-pattern=\"Twitter\") Share on @[tag](misp-galaxy:amitt-misinformation-pattern=\"LinkedIn\") Share on @[tag](misp-galaxy:amitt-misinformation-pattern=\"Facebook\") Share on @[tag](misp-galaxy:amitt-misinformation-pattern=\"Reddit\") > Share on Hacker News\r\n\r\n\r\nOn January 4, 2023, we alerted customers to a security incident. Today, we want to share with you what happened, what we\u2019ve learned, and what our plans are to continuously improve our security posture for the future.\r\n\r\nWe would like to thank our customers for your attention to rotating and revoking secrets, and apologize for any disruption this incident may have caused to your work. We encourage customers who have yet to take action to do so in order to prevent unauthorized access to third-party systems and stores. Additionally, we want to thank our customers and our community for your patience while we have been conducting a thorough investigation. In aiming for responsible disclosure, we have d@[tag](one) our best to balance speed in sharing information with maintaining the integrity of our investigation.\r\n\r\n# This report will cover@[tag](:)\r\n\r\n\r\n* What happened?\r\n* How do we know this attack vector is closed and it\u2019s safe to build?\r\n* Communication and support for customers\r\n* How do I know if I was impacted?\r\n* Details that may help your team with internal investigations\r\n* What we learned from this incident and what we will do next\r\n* A note on employee responsibility vs. systems safeguards\r\n* Security best practices\r\n* Closing thoughts\r\n\r\n## What happened?\r\n\r\n*All dates and times are reported in UTC, unless otherwise noted.*\r\n\r\nOn December 29, @[tag](2022), we were alerted to @[tag](suspicious) GitHub OAuth activity by @[tag](one) of our customers. This notification kicked off a deeper review by CircleCI\u2019s security team with GitHub.\r\n\r\nOn December 30, @[tag](2022), we learned that this customer\u2019s GitHub OAuth token had been compromised by an unauthorized third party. Although that customer was able to quickly resolve the issue, out of an abundance of caution, on December 31, @[tag](2022), we proactively initiated the process of rotating all GitHub OAuth tokens on behalf of our customers. Despite working with GitHub to increase API rate limits, the rotation process took time. While it was not clear at this point whether other customers were impacted, we continued to expand the scope of our analysis.\r\n\r\nBy January 4, 2023, our internal investigation had determined the scope of the intrusion by the unauthorized third party and the entry path of the attack. To date, we have learned that an unauthorized third party leveraged malware deployed to a CircleCI engineer\u2019s laptop in order to steal a valid, 2FA-backed SSO session. This machine was compromised on December 16, @[tag](2022). The malware was not detected by our antivirus software. Our investigation indicates that the malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems.\r\n\r\nBecause the targeted employee had privileges to generate production access tokens as part of the employee\u2019s regular duties, the unauthorized third party was able to access and exfiltrate @[tag](data) from a subset of @[tag](data)bases and stores, including customer environment variables, tokens, and keys. We have reason to believe that the unauthorized third party engaged in reconnaissance activity on December 19, @[tag](2022). On December 22, @[tag](2022), exfiltration occurred, and that is our last record of unauthorized activity in our production systems. Though all the @[tag](data) exfiltrated was @[tag](encrypted) at rest, the third party @[tag](extracted) encryption keys from a running process, enabling them to potentially access the @[tag](encrypted) @[tag](data).\r\n\r\nWhile we are confident in
"object_refs" : [
"indicator--b0894935-86e3-49fe-99ee-767f8c551d84" ,
"indicator--5b6801c1-e72e-4841-b908-fefce6cdf8cf" ,
"indicator--4d7b64e3-6e7c-4275-b082-8b80534015c9" ,
"indicator--9ad02845-5cfb-4494-89b4-1c3795e3d5bb" ,
"indicator--fc6531ee-17f5-4f4e-94d8-25b1b355b14f" ,
"indicator--486b2d2f-12bd-4741-ae46-5838f798a10a" ,
"indicator--268efcdc-a235-4ef2-a421-b66d0b9b0e7f" ,
"indicator--89f779a8-ac43-46cf-bf35-adae33af9936" ,
"indicator--413ee0ee-1509-4d44-bddd-9bde85e92562" ,
"indicator--4f008530-bf04-458c-98fc-5b45a6ae66db" ,
"indicator--41b9f351-1bb3-4d8f-af7c-c018c050702b" ,
"indicator--9c1bc6dc-e391-46f5-bf31-dc501e06ddfb" ,
"indicator--31150471-744f-47e5-9da9-9eceaac53ca4" ,
"indicator--5eab642e-d3a5-4170-9aff-770721ce1f01" ,
"indicator--af9d8894-d05a-46d1-bfe6-8b478b30371a"
]
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}