Vercel CEO Guillermo Rauch, in an update today said that after scanning through petabytes of logs of the company’s networks and APIs, his security team concluded that the threat actor behind the Vercel breach had been active well beyond Context.ai’s compromise.
Rauch said that the “threat intel points to the distribution of malware to computers in search of valuable tokens like keys to Vercel accounts and other providers. Once the attacker gets ahold of those keys, our logs show a repeated pattern: rapid and comprehensive API usage, with a focus on enumeration of non-sensitive environment variables.”
Researchers at Hudson Rock had earlier confirmed that the attack actually initiated in February itself when a Context.ai employee’s computer was infected with Lumma Stealer malware after they searched for Roblox game exploits, a common vector for infostealer deployments.
What the latest findings mean is that there could be a wider net of victims that the threat actor may have phished for and what we know is just the tip of the iceberg – or not.
Also read: Vercel Incident Linked to AI Tool Hack, Internal Access Gained
Vercel Finds Customers Breached in Separate Malware, Social Engineering Attacks
In an official update, the company also stated that initially it identified a limited subset of customers whose non-sensitive environment variables stored on Vercel were compromised. However, a deeper assessment of the their network, as well as environment variable read events in the company’s logs uncovered two additional findings.
“First, we have identified a small number of additional accounts that were compromised as part of this incident,” the company noted.
But the main concern is the next finding: “Second, we have uncovered a small number of customer accounts with evidence of prior compromise that is independent of and predates this incident, potentially as a result of social engineering, malware, or other methods.”
The company did not disclose who were the attackers, what was the motive, or the impact on customers, and is yet to respond to these queries from The Cyber Express. It only stated: “In both cases, we have notified the affected customers.”
Meanwhile, Rauch said, Vercel had notified other suspected victims and encouraged them to rotate credentials and adopt best practices.
