Hackers breached CircleCi in December after an engineer became infected with information-stealing malware that their 2FA-backed SSO session cookie, allowing access to the company’s internal systems.
Earlier this month, CircleCi disclosed that they suffered a security incident and warned customers to rotate their tokens and secrets.
In a new security incident report on the attack, CircleCi says they first learned of the unauthorized access to their systems after a customer reported that their GitHub OAuth token had been compromised.
This compromise led to CircleCi automatically rotating the GitHub OAuth tokens for its customers.
On January 4th, an internal investigation concluded that an engineer had become infected on December 16th with information-stealing malware that the company’s antivirus software did not detect.
This malware was able to steal a corporate session cookie that had already been authenticated via 2FA, allowing the threat actor to log in as the user without having to authenticate via 2FA again.
“Our investigation indicates that the malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems,” explains CircleCi’s new incident report.
Using the engineer’s privileges, CircleCi says the hacker began stealing data on December 22nd from some of the company’s databases and stores, including customer’s environment variables, tokens, and keys.
While CircleCi encrypted the data at rest, the hacker also stole encryption keys by dumping them from running processes, potentially allowing the threat actor to decrypt the encrypted, stolen data.
After learning of the data theft, the company began alerting customers via email about the incident, warning them to rotate all tokens and secrets if they had logged in between December 21st, 2022, and January 4th, 2023.
In response to the attack, CircleCi says they rotated all tokens associated with their customers, including Project API Tokens, Personal API Tokens, and GitHub OAuth tokens. The company also worked with Atlassian and AWS to notify customers of possibly compromised Bitbucket tokens and AWS tokens.
To further strengthen their infrastructure, CircleCi says they added further detections for the behavior exhibited by the information-stealing malware to their antivirus and mobile device management (MDM) systems.
The company also further restricted access to its production environments to a smaller subset of people and increased the security of its 2FA implementation.
MFA under attack
CircleCi’s incident report is another example of the increased targeting of multi-factor authentication by threat actors.
Whether through information-stealing malware or phishing attacks, threat actors commonly seek corporate credentials.
For this reason, the enterprise has increasingly adopted MFA to prevent access to corporate systems, even if those credentials are stolen.
However, with this increased adoption, threat actors are evolving tactics to bypass MFA, such as stealing session cookies already authenticated against MFA or using MFA Fatigue attacks.
These attacks have proven very successful in breaching large corporate networks, including recent cyberattacks against Microsoft, Cisco, Uber, and now CircleCi.
While it is still vital to use MFA, it is equally important to properly configure these platforms to detect when a session cookie is used in a new location and then request further MFA validation.
Furthermore, Microsoft and Duo are advising admins to enable newer features such as MFA number matching, also known as Verified Push in Duo, to help protect against logins using stolen credentials.