{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/circleci/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["CircleCI"],"_cs_severities":["medium"],"_cs_tags":["circleci","ci/cd","devops","security-bypass"],"_cs_type":"advisory","_cs_vendors":["CircleCI"],"content_html":"\u003cp\u003eThis brief focuses on the detection of actions that disable security steps within CircleCI. While the specific actor remains unknown, the activity itself is indicative of a potential insider threat or compromised account attempting to weaken security measures. The goal could be to introduce malicious code, bypass security scans, or exfiltrate sensitive data without detection. By disabling security steps, attackers can create a blind spot, making it significantly harder to identify and prevent malicious activities within the CI/CD pipeline. This activity should be treated with a high degree of suspicion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCompromise Account:\u003c/strong\u003e An attacker gains unauthorized access to a CircleCI account with sufficient privileges to modify project settings.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIdentify Security Steps:\u003c/strong\u003e The attacker enumerates the defined security steps within the CircleCI configuration files (e.g., \u003ccode\u003e.circleci/config.yml\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eModify Configuration:\u003c/strong\u003e The attacker modifies the CircleCI configuration files to disable specific security steps, such as vulnerability scanning, code analysis, or secret scanning.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommit Changes:\u003c/strong\u003e The attacker commits the modified configuration files to the project's repository.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTrigger Build:\u003c/strong\u003e The changes trigger a new build in CircleCI, which now executes without the disabled security steps.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy Malicious Code (Optional):\u003c/strong\u003e If the disabled security steps were intended to prevent the introduction of malicious code, the attacker may now introduce it without immediate detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration (Optional):\u003c/strong\u003e If the disabled security steps were intended to prevent data exfiltration, the attacker can now potentially exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMaintain Persistence:\u003c/strong\u003e The attacker might create backdoors or alter other configurations to maintain long-term access and control over the CI/CD pipeline.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack involving the disabling of security steps in CircleCI can lead to the introduction of vulnerabilities into production systems, data breaches, and supply chain attacks. The impact can range from defacement of websites to complete compromise of critical infrastructure. The number of victims can vary depending on the scope of the compromised CI/CD pipeline, from a single internal application to a widely distributed software product affecting thousands of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all CircleCI accounts to mitigate account compromise (reference: any CircleCI documentation on MFA).\u003c/li\u003e\n\u003cli\u003eMonitor CircleCI audit logs for configuration changes that disable security-related steps (reference: CircleCI audit log documentation, implement detections based on modifications of \u003ccode\u003e.circleci/config.yml\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect CircleCI Configuration Changes\u003c/code\u003e to detect modifications of CircleCI config files.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect CircleCI Disable Security Step\u003c/code\u003e to detect disabling of security steps based on modifications to \u003ccode\u003e.circleci/config.yml\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-28T12:00:00Z","date_published":"2024-01-28T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-circleci-security-disable/","summary":"Detection of disabling security steps in CircleCI, potentially indicating an attempt to bypass security controls during the CI/CD process.","title":"CircleCI Security Step Disabled Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-circleci-security-disable/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["CircleCI"],"_cs_severities":["medium"],"_cs_tags":["circleci","ci/cd","security-bypass","supply-chain"],"_cs_type":"advisory","_cs_vendors":["CircleCI"],"content_html":"\u003cp\u003eThis threat brief addresses the potential risk of an attacker disabling security steps within a CircleCI configuration. While the provided source material does not describe a specific actor or campaign, the ability to manipulate CI/CD pipeline configurations is a known attack vector. By removing or altering security checks, an attacker can introduce vulnerabilities, inject malicious code, or exfiltrate sensitive information. This type of attack can be difficult to detect because it occurs within the trusted environment of the CI/CD system. The scope of targeting would likely focus on organizations that rely heavily on CircleCI for their software development and deployment processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains access to the CircleCI project's configuration, potentially through compromised credentials or a vulnerability in the CircleCI platform itself.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConfiguration Modification:\u003c/strong\u003e The attacker modifies the \u003ccode\u003e.circleci/config.yml\u003c/code\u003e file to remove or comment out security-related steps. This could include steps that run static analysis tools, vulnerability scanners, or code quality checks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBypass Security Checks:\u003c/strong\u003e With the security steps disabled, the build pipeline no longer enforces the intended security controls.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Injection:\u003c/strong\u003e The attacker introduces malicious code into the codebase, either directly or through a compromised dependency. This code could be designed to steal secrets, create backdoors, or perform other malicious activities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAutomated Build and Deployment:\u003c/strong\u003e The modified code is automatically built and deployed through the CI/CD pipeline.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCompromise Production Environment:\u003c/strong\u003e The malicious code is deployed to the production environment, allowing the attacker to gain unauthorized access to systems and data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of security steps in CircleCI can lead to significant consequences. An attacker could inject malicious code into production systems, potentially affecting thousands of users and causing severe financial and reputational damage. Stolen credentials, backdoors, and data breaches could be used for further attacks or sold on the dark web. The targeted sectors are broad, including any organization using CircleCI for software development, particularly those in sensitive industries like finance and healthcare. The impact could range from data theft and service disruption to complete system compromise.\u003c/p\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-circleci-security-disabled/","summary":"An attacker disables security steps within CircleCI to potentially bypass security controls and introduce malicious code into the build pipeline.","title":"CircleCI Security Step Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-03-circleci-security-disabled/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["CircleCI"],"_cs_severities":["high"],"_cs_tags":["circleci","devsecops","pipeline-security","cloud"],"_cs_type":"advisory","_cs_vendors":["CircleCI"],"content_html":"\u003cp\u003eThis threat brief addresses the risk of disabling security jobs within CircleCI pipelines. CircleCI, a popular CI/CD platform, is used by many organizations to automate their software development lifecycle. An attacker who gains sufficient privileges within a CircleCI organization could modify pipeline configurations to disable mandatory security jobs. This allows malicious code to bypass critical security checks, potentially introducing vulnerabilities into production environments. The impact could range from data breaches and system downtime to reputational damage. This brief outlines how detection engineers can proactively identify and respond to such attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains unauthorized access to a CircleCI user account or acquires sufficient permissions to modify pipeline configurations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker identifies mandatory security jobs within the CircleCI workflows using the CircleCI UI or API, noting the \u003ccode\u003eworkflow_name\u003c/code\u003e and associated \u003ccode\u003ejob_name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConfiguration Modification:\u003c/strong\u003e The attacker modifies the CircleCI pipeline configuration (likely via the \u003ccode\u003e.circleci/config.yml\u003c/code\u003e file) to disable or bypass the identified mandatory security jobs. This might involve commenting out the job definition, removing it from the workflow, or adding conditions that prevent its execution.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Commit:\u003c/strong\u003e The attacker commits the modified configuration file to the associated Git repository, triggering a new pipeline execution. The \u003ccode\u003evcs.url\u003c/code\u003e field provides the URL to the commit and related changes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBypassed Security Checks:\u003c/strong\u003e The pipeline executes without running the mandatory security jobs, allowing potentially malicious code to proceed through the CI/CD process unchecked.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeployment:\u003c/strong\u003e The unchecked code is deployed to staging or production environments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e Depending on the nature of the malicious code, the impact could include data breaches, system compromise, or service disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful disabling of security jobs in CircleCI can have significant consequences. A single compromised pipeline could lead to the introduction of vulnerable code into production, impacting thousands of users and critical infrastructure. Potential damage includes data breaches, system downtime, reputational damage, and financial loss. Organizations in all sectors utilizing CircleCI for their CI/CD processes are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect instances where mandatory security jobs are not executed within CircleCI workflows; tune the rule for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts triggered by the Sigma rule, focusing on the \u003ccode\u003euser\u003c/code\u003e and the specific \u003ccode\u003eworkflow_name\u003c/code\u003e where the security job was disabled.\u003c/li\u003e\n\u003cli\u003eReview CircleCI access logs for suspicious account activity that might indicate unauthorized access.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all CircleCI user accounts to reduce the risk of account compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-circleci-security-job-disable/","summary":"An attacker disables mandatory security jobs within CircleCI pipelines to bypass security checks, potentially leading to data breaches, system downtime, and compromised pipeline integrity.","title":"CircleCI Security Job Disablement","url":"https://feed.craftedsignal.io/briefs/2024-01-circleci-security-job-disable/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["CircleCI"],"_cs_severities":["medium"],"_cs_tags":["ci/cd","supply-chain","circleci"],"_cs_type":"advisory","_cs_vendors":["CircleCI"],"content_html":"\u003cp\u003eThis brief focuses on detecting the disabling of security-related jobs within CircleCI, a popular CI/CD platform. While the specific method of disabling these jobs is not detailed in the provided source, the act itself can be a significant indicator of malicious activity. An attacker with sufficient privileges in a CircleCI environment may attempt to disable security jobs (e.g., static analysis, vulnerability scanning) to introduce malicious code into the software supply chain undetected. This could lead to compromised builds, deployment of vulnerable applications, and potential supply chain attacks. The 'circle_ci_disable_security_job.yml' file suggests that Splunk's security content library includes a specific detection rule tailored to this type of event.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Compromise/Privilege Escalation:\u003c/strong\u003e The attacker gains unauthorized access to a CircleCI account or escalates privileges within a legitimate account. This could be achieved through phishing, credential stuffing, or exploiting vulnerabilities in the CircleCI platform itself.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication:\u003c/strong\u003e The attacker authenticates to the CircleCI platform using compromised credentials or a session token.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eProject Enumeration:\u003c/strong\u003e The attacker enumerates the projects and pipelines available within the CircleCI environment to identify targets of interest.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSecurity Job Identification:\u003c/strong\u003e The attacker identifies specific CircleCI jobs responsible for security-related tasks, such as SAST, DAST, or dependency scanning.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eJob Configuration Modification:\u003c/strong\u003e The attacker modifies the configuration of the targeted security jobs. This could involve disabling the job entirely, removing it from the pipeline, or altering its execution parameters to bypass security checks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Integration (Optional):\u003c/strong\u003e The attacker introduces malicious code into the build process. This step is not directly related to the job disablement, but is its likely motivation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePipeline Execution:\u003c/strong\u003e A build pipeline is triggered, now skipping the disabled security jobs and potentially integrating the malicious code into the final artifact.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeployment:\u003c/strong\u003e The compromised artifact is deployed to production, resulting in a security breach.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could allow an attacker to introduce malicious code into a software product, leading to widespread compromise of systems and data. The impact includes data breaches, service disruptions, and reputational damage. The specific number of victims depends on the reach of the compromised software. Organizations in various sectors relying on CircleCI for CI/CD are potential targets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the \u0026quot;Detect CircleCI Security Job Disablement\u0026quot; Sigma rule to detect unauthorized modifications to CircleCI job configurations.\u003c/li\u003e\n\u003cli\u003eEnable detailed audit logging within CircleCI to capture all configuration changes and API requests. Analyze these logs for suspicious activity.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all CircleCI accounts, especially those with administrative privileges.\u003c/li\u003e\n\u003cli\u003eReview and restrict CircleCI API token permissions to follow the principle of least privilege.\u003c/li\u003e\n\u003cli\u003eRegularly review CircleCI project configurations and user permissions to identify and remediate any unauthorized changes.\u003c/li\u003e\n\u003cli\u003eUtilize CircleCI's built-in security features, such as context variables and IP whitelisting, to further restrict access and prevent unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026quot;Detect CircleCI Security Job Disablement\u0026quot; Sigma rule promptly to identify and mitigate potential security breaches.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-circle-ci-security-job-disable/","summary":"Detection of activity related to disabling security jobs within CircleCI, potentially indicating an attempt to bypass security controls in a CI/CD pipeline.","title":"CircleCI Security Job Disablement Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-02-circle-ci-security-job-disable/"}],"language":"en","title":"CraftedSignal Threat Feed - CircleCI","version":"https://jsonfeed.org/version/1.1"}