Corvus Threat Intel
Breach at Slack, Breach at CircleCI, & Unpatched Vulnerability Behind Rackspace Ransomware Outage
Breach at Slack, breach at CircleCI, and unpatched Microsoft Exchange causes ransomware incident.
Slack Hit by Security Breach
Slack, a popular enterprise messaging service, reported a security breach over the holidays. According to Slack, customers were not affected. The company reported that the incident began on December 27th when a threat actor gained unauthorized access to Slack’s GitHub account. Here's a quick rundown of what happened:
- Threat actor gained access to Slack GitHub repositories using stolen employee tokens
- TA downloaded code from private repositories on December 27th, 2022
- Slack was alerted to suspicious GitHub activity on December 29th, 2022
- Slack invalidated the stolen tokens
The messaging service reported that no production environments were accessed and that the threat actor did not reach other Slack resources or customer data. Because the incident did not stem from any vulnerability in Slack products, customers do not need to take any action.
Why This Matters
A number of recent high-profile breaches have highlighted an emerging pattern of risk around software development practices. It’s not clear how threat actors stole Slack employee GitHub tokens, but we know from recent experience that phishing and publicly-exposed secrets are two of the main culprits.
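The Slack timeline above hinges on one detection: being alerted to suspicious GitHub activity two days after a stolen token was used to pull private repositories. The following added example (not Slack's or GitHub's code) shows one way to surface that pattern from audit-log records: flag any actor/IP pair that downloads or clones an unusually large number of distinct repositories inside a short window. The field names (`@timestamp`, `action`, `actor`, `repo`, `actor_ip`) and the action values are assumed approximations of GitHub's audit-log JSON, and every event below is constructed sample data.

```python
"""Flag bulk repository downloads in GitHub-style audit-log records.

Added example, not code from Slack or GitHub. Field names and action
values are assumed approximations of the GitHub audit-log format; the
sample events are constructed and do not describe any real account.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Actions that correspond to pulling repository contents (assumed names).
DOWNLOAD_ACTIONS = {"repo.download_zip", "git.clone"}


def _event(ts, action, actor, repo, ip):
    """Build one constructed audit-log record."""
    return {"@timestamp": ts, "action": action, "actor": actor,
            "repo": repo, "actor_ip": ip}


# Constructed sample: dev-a behaves normally; dev-b's token is used from a
# second address to pull six private repositories in eight minutes.
SAMPLE_EVENTS = [
    _event("2022-12-27T09:02:10Z", "git.clone", "dev-a", "acme/web", "203.0.113.5"),
    _event("2022-12-27T09:03:44Z", "repo.create", "dev-a", "acme/sandbox", "203.0.113.5"),
    _event("2022-12-27T15:41:09Z", "git.clone", "dev-a", "acme/api", "203.0.113.5"),
    _event("2022-12-27T10:15:00Z", "git.clone", "dev-b", "acme/web", "203.0.113.9"),
    _event("2022-12-27T02:11:04Z", "repo.download_zip", "dev-b", "acme/web", "198.51.100.77"),
    _event("2022-12-27T02:12:31Z", "repo.download_zip", "dev-b", "acme/api", "198.51.100.77"),
    _event("2022-12-27T02:13:58Z", "repo.download_zip", "dev-b", "acme/billing", "198.51.100.77"),
    _event("2022-12-27T02:15:20Z", "repo.download_zip", "dev-b", "acme/infra", "198.51.100.77"),
    _event("2022-12-27T02:17:02Z", "repo.download_zip", "dev-b", "acme/mobile", "198.51.100.77"),
    _event("2022-12-27T02:19:45Z", "repo.download_zip", "dev-b", "acme/internal-tools", "198.51.100.77"),
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_bulk_downloads(events, window_minutes=30, min_repos=5):
    """Return one alert per (actor, ip) that pulled >= min_repos distinct
    repositories within any window of window_minutes.

    Each alert is a dict with actor, actor_ip, first_seen and the sorted
    set of repositories seen in the densest window.
    """
    window = timedelta(minutes=window_minutes)
    by_key = defaultdict(list)
    for ev in events:
        if ev.get("action") in DOWNLOAD_ACTIONS:
            key = (ev["actor"], ev.get("actor_ip"))
            by_key[key].append((parse_ts(ev["@timestamp"]), ev["repo"]))

    alerts = []
    for (actor, ip), items in by_key.items():
        items.sort()
        best_repos, best_start = set(), None
        start = 0
        # Sliding window over time-ordered pulls; keep the densest window.
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            repos = {repo for _, repo in items[start:end + 1]}
            if len(repos) > len(best_repos):
                best_repos, best_start = repos, items[start][0]
        if len(best_repos) >= min_repos:
            alerts.append({
                "actor": actor,
                "actor_ip": ip,
                "first_seen": best_start.isoformat(),
                "repos": sorted(best_repos),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_downloads(SAMPLE_EVENTS):
        print(f"{alert['actor']} from {alert['actor_ip']} pulled "
              f"{len(alert['repos'])} repos starting {alert['first_seen']}: "
              f"{', '.join(alert['repos'])}")
```

Keying on the actor and source address together is what separates the legitimate `dev-b` clone from the same user's token being replayed elsewhere; the thresholds are deliberately conservative defaults and should be tuned to the organisation's normal clone volume before the rule pages anyone.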
CircleCI also Reports a Breach and Warns Customers to Rotate Secrets
CircleCI, a software development service, has also reported a security incident and is warning customers to rotate all secrets stored in or connected to CircleCI as soon as possible. No details of the incident have been released, as CircleCI and third-party firms are still investigating. According to the company, the service remains usable and no outages have been reported. As of the latest update, CircleCI:
- Has rotated all production machines and cycled all access keys.
- Has completed an audit of all system access.
- Is actively working with third-party investigators and partners to validate the steps and actions of the investigation.
Expect more details on this incident to be released in the coming days and weeks. In the meantime, customers of CircleCI should see the detailed guidance on rotating secrets and take action as soon as possible.
Why This Matters
If CircleCI is part of your development process then you should take notice of this security incident. Especially without more details on the incident itself, rotating secrets stored in or connected to CircleCI is a good step to mitigate potential risk to your organization. If it turns out that threat actors were able to gain access to customer data, secrets that aren’t rotated could be like intruders finding a key to your house. Be proactive and take action until more details on this incident come to light.
- CircleCI security alert: Rotate any secrets stored in CircleCI (Updated Jan 7)
- CircleCI warns of security breach — rotate your secrets (BleepingComputer)
Rackspace Ransomware Outage a Result of Unpatched Microsoft Exchange
We previously reported on and warned affected Corvus policyholders of a ransomware attack against Rackspace Technologies. New details have emerged on the attack’s perpetrator and root cause. The ransomware group behind the attack turned out to be a relative newcomer, PLAY, which first arrived on the ransomware scene in June 2022. Attackers gained access to Rackspace’s Microsoft Exchange environment by exploiting vulnerabilities announced in September, nicknamed “ProxyNotShell”. While the threat actors used a novel technique to exploit the vulnerabilities, both the vulnerabilities and the security patches that fix them had been public for a number of weeks.
Why This Matters
If it wasn’t already clear just how important vulnerability management is, take this as a case study. It can feel like a race against the clock to patch vulnerabilities before attackers are able to figure out how to exploit them. That’s because it is. Develop a plan to stay on top of vulnerabilities and regularly apply the latest security patches to avoid large-scale ransomware attacks.
This blog post and its contents are intended for general guidance and informational purposes only. This blog post is under no circumstances intended to be used or considered as specific insurance or information security advice.