Blog categories
Weekly newsletter
No spam. Just the latest releases and tips, interesting articles, and exclusive interviews in your inbox every week.
Latest from the blog
Cisco’s CI/CD Pipeline Weaknesses:Hard-Coded Credentials & Misconfigurations Revealed
Posted on: 16 Oct 2024 | Author: Foresiet
Introduction
In recent weeks, reports have surfaced regarding a significant breach involving Cisco, exposing sensitive data from various organizations. This blog post delves into the details of the breach, the compromised data, the implicated companies, and the methods used by attackers to gain access to such critical information.
Overview of the Breach
The breach, which dates back to June 10, 2024, has revealed a treasure trove of compromised data, including:
- GitHub Projects
- GitLab Projects
- SonarQube Projects
- Source Code
- Hard-Coded Credentials
- Certificates
- Customer Source Code Repositories (SRCs)
- Cisco Confidential Documents
- Jira Tickets
- API Tokens
- AWS Private Buckets
- Docker Builds
- Azure Storage Buckets
- Private and Public Keys
- SSL Certificates
- Cisco Premium Products
several major companies have reportedly had their production source codes taken, including Verizon, AT&T, and AT&T Mexico.
Evidence of the Breach: Screenshots and Samples
The samples confirm the leak of internal systems like Jenkins, and likely indicate that attackers had extensive access to Cisco’s internal development tools, which allowed them to download source code and customer-related information. This breach may also compromise those customers, whose details are listed here, exposing them to targeted attacks or further exploitation.
This breach appears to be an older compromise, likely originating from 2019 based on the Jenkins build timestamp and the outdated contract details. The attackers seem to have accessed Cisco’s CI/CD pipeline (Jenkins), likely through misconfigurations, credential theft, or exploiting vulnerabilities in the Jenkins environment or other integrated tools like SonarQube and cloud services. They may have had long-term access, exfiltrating sensitive data such as source codes, credentials, and customer contracts.
While the breach may have occurred years ago, the data has likely resurfaced recently on the dark web for sale, indicating the attackers are trying to profit from it now. This highlights the importance of securing internal systems and monitoring the dark web for leaked data, even long after an initial breach.
CI/CD Pipeline Vulnerabilities: Exposure of Source Code, Credentials, and Sensitive Data
The breach in Cisco’s CI/CD pipeline exposed several critical vulnerabilities within their Jenkins system. One key issue was the exposure of sensitive GitHub repositories. The Jenkins configuration contained URLs to private repositories, making them vulnerable to unauthorized access, especially if credentials were compromised.
Another significant flaw was the presence of hard-coded credentials within the Jenkins files. These credentials, embedded in the configuration, could allow attackers direct access to repositories, cloud services, and internal systems, posing a serious security risk.
The use of Jenkins to deploy AWS resources revealed misconfigurations in cloud services. If AWS buckets and other cloud infrastructure were inadequately secured, attackers could access sensitive data, such as API tokens, customer information, and more.
Moreover, the Jenkins job management lacked essential security controls. The absence of proper encryption, access control, and secure job triggers made it easier for attackers to manipulate build jobs and access sensitive deployment details, such as SSL certificates and Docker builds.
Finally, the reuse of credentials across different services further weakened security. If the same credentials were reused across multiple systems, attackers could escalate their access, compromising more than just the initial system. This breach underscores the need for stronger CI/CD security practices, including multi-factor authentication and better credential management
Possible Method Behind the Breach
The attackers likely exploited misconfigurations and vulnerabilities within Cisco’s CI/CD pipeline, particularly targeting Jenkins. Analysis of a Jenkins configuration file reveals several critical points:
- Exposed GitHub Repository: The configuration includes URLs to private repositories, which, if compromised, could lead to unauthorized access to source code and sensitive project information.
- Credential Management: The presence of fields indicates stored credentials used for authenticating with external services. Attackers could exploit these credentials to gain access to other systems or services.
- Cloud Deployment Vulnerabilities: The usage of cloud deployment plugins, specifically for AWS, suggests that attackers could potentially access and manipulate cloud resources if they obtained these credentials.
- Long-Term Access: Given the age of some configurations (dating back to 2019), attackers may have established long-term access to the internal systems, allowing for sustained exfiltration of sensitive data.
The Dark Web Connection
As this information resurfaces on the dark web, it’s evident that attackers are looking to profit from older breaches. This underscores the importance of organizations continuously monitoring for leaked data and ensuring their internal systems are secure.
Conclusion
The Foresiet research team is conducting a thorough analysis of this data breach to understand its full impact and implications. As part of our investigation, we shared a file tree of the allegedly stolen data with Nokia, seeking confirmation on whether the data originated from their systems. However, we have yet to receive a response.
Our ongoing research aims to uncover additional insights and identify critical areas for strengthening security measures. We are committed to providing a comprehensive view of the risks posed by this leak and offering actionable guidance to help organizations protect themselves against similar threats.
Stay connected with Foresiet for further updates, as we continue our investigation and work toward a more secure digital landscape. We will share relevant insights and recommendations as more information becomes available, helping organizations enhance their resilience against data breaches.
About Foresiet!
Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization’s defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.
Latest
From the blog
The latest industry news, interviews, technologies, and resources.