<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Circleci - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/circleci/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sun, 28 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/circleci/feed.xml" rel="self" type="application/rss+xml"/><item><title>CircleCI Security Step Disabled Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-circleci-security-disable/</link><pubDate>Sun, 28 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-circleci-security-disable/</guid><description>Detection of disabling security steps in CircleCI, potentially indicating an attempt to bypass security controls during the CI/CD process.</description><content:encoded><![CDATA[<p>This brief focuses on the detection of actions that disable security steps within CircleCI. While the specific actor remains unknown, the activity itself is indicative of a potential insider threat or compromised account attempting to weaken security measures. The goal could be to introduce malicious code, bypass security scans, or exfiltrate sensitive data without detection. By disabling security steps, attackers can create a blind spot, making it significantly harder to identify and prevent malicious activities within the CI/CD pipeline. This activity should be treated with a high degree of suspicion.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Compromise Account:</strong> An attacker gains unauthorized access to a CircleCI account with sufficient privileges to modify project settings.</li>
<li><strong>Identify Security Steps:</strong> The attacker enumerates the defined security steps within the CircleCI configuration files (e.g., <code>.circleci/config.yml</code>).</li>
<li><strong>Modify Configuration:</strong> The attacker modifies the CircleCI configuration files to disable specific security steps, such as vulnerability scanning, code analysis, or secret scanning.</li>
<li><strong>Commit Changes:</strong> The attacker commits the modified configuration files to the project's repository.</li>
<li><strong>Trigger Build:</strong> The changes trigger a new build in CircleCI, which now executes without the disabled security steps.</li>
<li><strong>Deploy Malicious Code (Optional):</strong> If the disabled security steps were intended to prevent the introduction of malicious code, the attacker may now introduce it without immediate detection.</li>
<li><strong>Exfiltration (Optional):</strong> If the disabled security steps were intended to prevent data exfiltration, the attacker can now potentially exfiltrate sensitive data.</li>
<li><strong>Maintain Persistence:</strong> The attacker might create backdoors or alter other configurations to maintain long-term access and control over the CI/CD pipeline.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack involving the disabling of security steps in CircleCI can lead to the introduction of vulnerabilities into production systems, data breaches, and supply chain attacks. The impact can range from defacement of websites to complete compromise of critical infrastructure. The number of victims can vary depending on the scope of the compromised CI/CD pipeline, from a single internal application to a widely distributed software product affecting thousands of users.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement multi-factor authentication (MFA) for all CircleCI accounts to mitigate account compromise (reference: any CircleCI documentation on MFA).</li>
<li>Monitor CircleCI audit logs for configuration changes that disable security-related steps (reference: CircleCI audit log documentation, implement detections based on modifications of <code>.circleci/config.yml</code>).</li>
<li>Implement the Sigma rule <code>Detect CircleCI Configuration Changes</code> to detect modifications of CircleCI config files.</li>
<li>Implement the Sigma rule <code>Detect CircleCI Disable Security Step</code> to detect disabling of security steps based on modifications to <code>.circleci/config.yml</code>.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>circleci</category><category>ci/cd</category><category>devops</category><category>security-bypass</category></item><item><title>CircleCI Security Step Disabled</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-circleci-security-disabled/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-circleci-security-disabled/</guid><description>An attacker disables security steps within CircleCI to potentially bypass security controls and introduce malicious code into the build pipeline.</description><content:encoded><![CDATA[<p>This threat brief addresses the potential risk of an attacker disabling security steps within a CircleCI configuration. While the provided source material does not describe a specific actor or campaign, the ability to manipulate CI/CD pipeline configurations is a known attack vector. By removing or altering security checks, an attacker can introduce vulnerabilities, inject malicious code, or exfiltrate sensitive information. This type of attack can be difficult to detect because it occurs within the trusted environment of the CI/CD system. The scope of targeting would likely focus on organizations that rely heavily on CircleCI for their software development and deployment processes.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains access to the CircleCI project's configuration, potentially through compromised credentials or a vulnerability in the CircleCI platform itself.</li>
<li><strong>Configuration Modification:</strong> The attacker modifies the <code>.circleci/config.yml</code> file to remove or comment out security-related steps. This could include steps that run static analysis tools, vulnerability scanners, or code quality checks.</li>
<li><strong>Bypass Security Checks:</strong> With the security steps disabled, the build pipeline no longer enforces the intended security controls.</li>
<li><strong>Code Injection:</strong> The attacker introduces malicious code into the codebase, either directly or through a compromised dependency. This code could be designed to steal secrets, create backdoors, or perform other malicious activities.</li>
<li><strong>Automated Build and Deployment:</strong> The modified code is automatically built and deployed through the CI/CD pipeline.</li>
<li><strong>Compromise Production Environment:</strong> The malicious code is deployed to the production environment, allowing the attacker to gain unauthorized access to systems and data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful disabling of security steps in CircleCI can lead to significant consequences. An attacker could inject malicious code into production systems, potentially affecting thousands of users and causing severe financial and reputational damage. Stolen credentials, backdoors, and data breaches could be used for further attacks or sold on the dark web. The targeted sectors are broad, including any organization using CircleCI for software development, particularly those in sensitive industries like finance and healthcare. The impact could range from data theft and service disruption to complete system compromise.</p>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>circleci</category><category>ci/cd</category><category>security-bypass</category><category>supply-chain</category></item><item><title>CircleCI Security Job Disablement</title><link>https://feed.craftedsignal.io/briefs/2024-01-circleci-security-job-disable/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-circleci-security-job-disable/</guid><description>An attacker disables mandatory security jobs within CircleCI pipelines to bypass security checks, potentially leading to data breaches, system downtime, and compromised pipeline integrity.</description><content:encoded><![CDATA[<p>This threat brief addresses the risk of disabling security jobs within CircleCI pipelines. CircleCI, a popular CI/CD platform, is used by many organizations to automate their software development lifecycle. An attacker who gains sufficient privileges within a CircleCI organization could modify pipeline configurations to disable mandatory security jobs. This allows malicious code to bypass critical security checks, potentially introducing vulnerabilities into production environments. The impact could range from data breaches and system downtime to reputational damage. This brief outlines how detection engineers can proactively identify and respond to such attempts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains unauthorized access to a CircleCI user account or acquires sufficient permissions to modify pipeline configurations.</li>
<li><strong>Reconnaissance:</strong> The attacker identifies mandatory security jobs within the CircleCI workflows using the CircleCI UI or API, noting the <code>workflow_name</code> and associated <code>job_name</code>.</li>
<li><strong>Configuration Modification:</strong> The attacker modifies the CircleCI pipeline configuration (likely via the <code>.circleci/config.yml</code> file) to disable or bypass the identified mandatory security jobs. This might involve commenting out the job definition, removing it from the workflow, or adding conditions that prevent its execution.</li>
<li><strong>Code Commit:</strong> The attacker commits the modified configuration file to the associated Git repository, triggering a new pipeline execution. The <code>vcs.url</code> field provides the URL to the commit and related changes.</li>
<li><strong>Bypassed Security Checks:</strong> The pipeline executes without running the mandatory security jobs, allowing potentially malicious code to proceed through the CI/CD process unchecked.</li>
<li><strong>Deployment:</strong> The unchecked code is deployed to staging or production environments.</li>
<li><strong>Impact:</strong> Depending on the nature of the malicious code, the impact could include data breaches, system compromise, or service disruption.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful disabling of security jobs in CircleCI can have significant consequences. A single compromised pipeline could lead to the introduction of vulnerable code into production, impacting thousands of users and critical infrastructure. Potential damage includes data breaches, system downtime, reputational damage, and financial loss. Organizations in all sectors utilizing CircleCI for their CI/CD processes are at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to detect instances where mandatory security jobs are not executed within CircleCI workflows; tune the rule for your environment.</li>
<li>Investigate alerts triggered by the Sigma rule, focusing on the <code>user</code> and the specific <code>workflow_name</code> where the security job was disabled.</li>
<li>Review CircleCI access logs for suspicious account activity that might indicate unauthorized access.</li>
<li>Implement multi-factor authentication (MFA) for all CircleCI user accounts to reduce the risk of account compromise.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>circleci</category><category>devsecops</category><category>pipeline-security</category><category>cloud</category></item><item><title>CircleCI Security Job Disablement Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-circle-ci-security-job-disable/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-circle-ci-security-job-disable/</guid><description>Detection of activity related to disabling security jobs within CircleCI, potentially indicating an attempt to bypass security controls in a CI/CD pipeline.</description><content:encoded><![CDATA[<p>This brief focuses on detecting the disabling of security-related jobs within CircleCI, a popular CI/CD platform. While the specific method of disabling these jobs is not detailed in the provided source, the act itself can be a significant indicator of malicious activity. An attacker with sufficient privileges in a CircleCI environment may attempt to disable security jobs (e.g., static analysis, vulnerability scanning) to introduce malicious code into the software supply chain undetected. This could lead to compromised builds, deployment of vulnerable applications, and potential supply chain attacks. The 'circle_ci_disable_security_job.yml' file suggests that Splunk's security content library includes a specific detection rule tailored to this type of event.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Account Compromise/Privilege Escalation:</strong> The attacker gains unauthorized access to a CircleCI account or escalates privileges within a legitimate account. This could be achieved through phishing, credential stuffing, or exploiting vulnerabilities in the CircleCI platform itself.</li>
<li><strong>Authentication:</strong> The attacker authenticates to the CircleCI platform using compromised credentials or a session token.</li>
<li><strong>Project Enumeration:</strong> The attacker enumerates the projects and pipelines available within the CircleCI environment to identify targets of interest.</li>
<li><strong>Security Job Identification:</strong> The attacker identifies specific CircleCI jobs responsible for security-related tasks, such as SAST, DAST, or dependency scanning.</li>
<li><strong>Job Configuration Modification:</strong> The attacker modifies the configuration of the targeted security jobs. This could involve disabling the job entirely, removing it from the pipeline, or altering its execution parameters to bypass security checks.</li>
<li><strong>Code Integration (Optional):</strong> The attacker introduces malicious code into the build process. This step is not directly related to the job disablement, but is its likely motivation.</li>
<li><strong>Pipeline Execution:</strong> A build pipeline is triggered, now skipping the disabled security jobs and potentially integrating the malicious code into the final artifact.</li>
<li><strong>Deployment:</strong> The compromised artifact is deployed to production, resulting in a security breach.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack could allow an attacker to introduce malicious code into a software product, leading to widespread compromise of systems and data. The impact includes data breaches, service disruptions, and reputational damage. The specific number of victims depends on the reach of the compromised software. Organizations in various sectors relying on CircleCI for CI/CD are potential targets.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement the &quot;Detect CircleCI Security Job Disablement&quot; Sigma rule to detect unauthorized modifications to CircleCI job configurations.</li>
<li>Enable detailed audit logging within CircleCI to capture all configuration changes and API requests. Analyze these logs for suspicious activity.</li>
<li>Enforce multi-factor authentication (MFA) for all CircleCI accounts, especially those with administrative privileges.</li>
<li>Review and restrict CircleCI API token permissions to follow the principle of least privilege.</li>
<li>Regularly review CircleCI project configurations and user permissions to identify and remediate any unauthorized changes.</li>
<li>Utilize CircleCI's built-in security features, such as context variables and IP whitelisting, to further restrict access and prevent unauthorized modifications.</li>
<li>Investigate any alerts generated by the &quot;Detect CircleCI Security Job Disablement&quot; Sigma rule promptly to identify and mitigate potential security breaches.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>ci/cd</category><category>supply-chain</category><category>circleci</category></item></channel></rss>