CircleCI Incident Highlights Cloud Platform Querying Struggles for Compromised Credentials

On January 4, 2023, CircleCI reported that a security incident had occurred. CircleCI recommended, “out of an abundance of caution … to immediately rotate any and all secrets stored in CircleCI.” It was assumed that a hardcoded access ID associated with CircleCI was being used to perform unauthorized actions within CircleCI customers’ cloud environments, such as creating new users, access keys, cloud instances, and serverless functions, as well as modifying existing cloud resources.

On January 12, 2023, CircleCI released an update to the security alert stating that they are working with AWS to notify customers impacted by the incident. The security alert and its subsequent update present a unique opportunity to demonstrate the effectiveness of the Prisma Cloud platform in querying cloud service provider (CSP) environments for evidence of activity originating from suspicious access keys, all within a single RQL query.

Compromised CSP Access Keys: Detecting Operations

Prisma Cloud can help identify operations performed as a result of suspicious or compromised CSP access keys. Such keys could be used for a number of suspicious operations, such as creating new access keys, users, VM instances, serverless functions, and IAM policy roles and groups, among others. The following Prisma Cloud RQL query allows internal security personnel to identify whether any of their CSP environments have witnessed these types of operations:

Suspicious Operation RQL Query

event from cloud.audit_logs where operation IN ('ModifyInstanceAttribute', 'CreateFunction', 'CreateFunction20150331', 'CreateFunction2020_05_31', 'UpdateFunction', 'UpdateFunction2020_05_31', 'UpdateFunctionCode20150331', 'UpdateFunctionCode20150331v2', 'CreateUser', 'CreateAccessKey', 'CreateLoginProfile', 'UpdateLoginProfile', 'ImportKeyPair', 'RunInstances', 'StartSession', 'SendCommand', 'google.iam.admin.v1.CreateServiceAccountKey', 'google.cloud.functions.v1.CloudFunctionsService.CreateFunction', 'google.cloud.functions.v1beta2.CloudFunctionsService.CreateFunction', 'google.cloud.functions.v1.CloudFunctionsService.UpdateFunction', 'google.cloud.functions.v1beta2.CloudFunctionsService.UpdateFunction', 'v1.compute.instances.setMetadata', 'beta.compute.instances.setMetadata', 'Create or update custom role definition (EndRequest)', 'Create a virtual machine (BeginRequest)', 'Create API operation or Update API operation (BeginRequest)', 'Create Deployment (BeginRequest)', 'Create an Azure Automation job (BeginRequest)', 'Create group or Update group (BeginRequest)', 'Create Job (BeginRequest)', 'Add or modify virtual machines. (BeginRequest)', 'blobServices/containers/write (BeginRequest)' ) AND subject IN ( 'Account Name' )

Identify All Access Keys or Group IDs

To identify the access key or group IDs within a given CSP, the following RQL queries can assist:

AWS Environments

config from cloud.resource where api.name = 'aws-iam-list-access-keys' AND json.rule = accessKeyId is not empty addcolumn userName

Google Cloud Environments

config from cloud.resource where api.name = 'gcloud-iam-service-accounts-list' AND json.rule = uniqueId exists addcolumn email

Azure Environments

config from cloud.resource where api.name = 'azure-active-directory-iam-group' AND json.rule = groupId is not empty addcolumn groupName

These three Prisma Cloud RQL queries identify each user account, along with its associated access key (AWS), unique ID (Google Cloud) or group ID (Azure), within the given CSP. The resulting list of user accounts lets researchers identify the specific actions those accounts have taken: take the query results and insert the values into the subject IN ( ... ) clause of the Suspicious Operation RQL query above, in the format 'useraccount #1', 'useraccount #2', 'useraccount #3', etc.

By combining the access key and group ID RQL queries with the suspicious operation RQL query, Prisma Cloud removes the need to query each CSP individually to determine whether a known or suspected access key is behaving anomalously. This helps security teams identify suspicious access key operations across their cloud environments.
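To show the combining step described above in working form, here is an added Python example (not Prisma Cloud's code and not from the original post): it takes rows shaped like the output of the AWS access-key listing query, fills the subject IN ( ... ) clause of the Suspicious Operation RQL query with the user names, and applies the same operation/subject filter offline to a few constructed audit events. The row shape, the event fields and every identifier in it are constructed assumptions, not real data or a documented Prisma Cloud format.

```python
import json

# Operation names copied from the page's Suspicious Operation RQL query (AWS subset).
SUSPICIOUS_OPERATIONS = frozenset({
    'ModifyInstanceAttribute', 'CreateFunction', 'CreateUser', 'CreateAccessKey',
    'CreateLoginProfile', 'UpdateLoginProfile', 'ImportKeyPair', 'RunInstances',
    'StartSession', 'SendCommand',
})

# Constructed sample rows shaped like the AWS access-key listing output (assumed shape).
ACCESS_KEY_ROWS = [
    {"accessKeyId": "AKIAEXAMPLE0000001", "userName": "ci-deploy"},
    {"accessKeyId": "AKIAEXAMPLE0000002", "userName": "circleci-svc"},
]

# Constructed sample audit events, one JSON object per line (not real logs).
SAMPLE_AUDIT_LOG = """\
{"operation": "DescribeInstances", "subject": "ci-deploy", "region": "us-east-1"}
{"operation": "CreateAccessKey", "subject": "ci-deploy", "region": "us-east-1"}
{"operation": "CreateUser", "subject": "unrelated-admin", "region": "us-west-2"}
{"operation": "RunInstances", "subject": "circleci-svc", "region": "eu-west-1"}
"""

def subjects_from_rows(rows, column="userName"):
    """Collect the subject values (here user names) from key-listing results."""
    subjects = sorted({row[column] for row in rows})
    for s in subjects:  # a stray quote would break the IN (...) list
        if "'" in s:
            raise ValueError(f"unexpected quote in subject: {s!r}")
    return subjects

def build_rql(subjects, operations=SUSPICIOUS_OPERATIONS):
    """Fill the subject IN (...) placeholder of the page's query with the accounts."""
    ops = ", ".join(f"'{o}'" for o in sorted(operations))
    subs = ", ".join(f"'{s}'" for s in subjects)
    return (f"event from cloud.audit_logs where operation IN ({ops}) "
            f"AND subject IN ({subs})")

def find_suspicious(audit_log, subjects, operations=SUSPICIOUS_OPERATIONS):
    """Apply the same operation/subject filter offline to newline-delimited JSON events."""
    wanted = set(subjects)
    events = (json.loads(line) for line in audit_log.splitlines() if line.strip())
    return [e for e in events
            if e.get("operation") in operations and e.get("subject") in wanted]

if __name__ == "__main__":
    accounts = subjects_from_rows(ACCESS_KEY_ROWS)
    print(build_rql(accounts))
    print(find_suspicious(SAMPLE_AUDIT_LOG, accounts))
```

The benign DescribeInstances call and the CreateUser by an account not in the key listing are both dropped; only events matching both the operation list and a listed subject are returned.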

Learn More About Prisma Cloud & Rapid Response Situations

The CircleCI incident presents a detection use case that Prisma Cloud can address quickly and efficiently using its native RQL query language within the Prisma Cloud UI. It eliminates the need for users to navigate to each CSP and run CSP-specific queries to determine whether a single access key is performing the suspicious activity.

A single RQL within the Prisma Cloud UI will query multiple cloud environments, saving time and resources for security teams.