Hackers breached CircleCI in December after an engineer was infected with information-stealing malware that stole their 2FA-backed SSO session cookie, allowing access to the company's internal systems.
Earlier this month, CircleCI revealed that it had suffered a security incident and warned customers to rotate their tokens and secrets.
In a new security incident report on the attack, CircleCI says it first learned of the unauthorized access to its systems after a customer reported that their GitHub OAuth token had been compromised.
This compromise led CircleCI to automatically rotate GitHub OAuth tokens for its customers.
On January 4, an internal investigation concluded that an engineer had been infected on December 16 with information-stealing malware that the company’s anti-virus software had not detected.
This malware was able to steal a corporate session cookie that had previously been authenticated via 2FA, allowing the threat actor to log in as a user without having to re-authenticate via 2FA.
"Our investigation indicates that the malware was able to execute the theft of session cookies, allowing them to impersonate the targeted employee in a remote location and then increase their access to a subset of our production systems," explains CircleCI's new incident report.
Using the engineer's privileges, CircleCI says the hacker began stealing data on December 22 from certain company databases and stores, including environment variables, tokens and customer keys.
While CircleCI encrypted data at rest, the hacker also stole the encryption keys by dumping them from running processes, potentially allowing the threat actor to decrypt the stolen encrypted data.
After learning of the data theft, the company began alerting customers of the incident via email, warning them to rotate all tokens and secrets if they had logged in between December 21, 2022 and January 4, 2023.
In response to the attack, CircleCI says it rotated all tokens associated with its customers, including project API tokens, personal API tokens, and GitHub OAuth tokens. The company has also worked with Atlassian and AWS to notify customers of potentially compromised Bitbucket tokens and AWS tokens.
To further strengthen its infrastructure, CircleCI says it has added detections for the behavior exhibited by information-stealing malware to its anti-virus and mobile device management (MDM) systems.
The company also further restricted access to its production environments to a smaller subset of people and tightened the security of its 2FA implementation.
MFA under attack
The CircleCI incident report is another example of the increased targeting of multi-factor authentication by threat actors.
From information-stealing malware to phishing attacks, threat actors typically seek out corporate credentials.
For this reason, companies have increasingly embraced MFA to prevent access to corporate systems even when those credentials are stolen.
However, with this increased adoption, hackers are developing tactics to circumvent MFA, such as stealing session cookies already authenticated with MFA or using MFA Fatigue Attacks.
These attacks have proven highly effective in breaching large corporate networks, including recent cyberattacks against Microsoft, Cisco, Uber, and now CircleCI.
While it’s still essential to use MFA, it’s equally important to properly configure these platforms to detect when a session cookie is used in a new location and then require additional MFA validation.
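One way to implement the check described above, as an added example and not CircleCI's own code: the server binds each session cookie to the context in which MFA was passed, and a cookie replayed from a different context (the stolen-cookie case in this incident) is forced back through MFA instead of being accepted. The fingerprint fields (source IP and user agent), the 12-hour re-MFA interval and the request values are assumptions.

```python
"""Session binding with step-up MFA.

A cookie is tied to the context in which MFA was passed. The same cookie
presented from another network or browser is not rejected outright but
locks the session until MFA succeeds again. Constructed illustration."""
from dataclasses import dataclass
import hashlib
import hmac
import secrets

@dataclass
class Session:
    user: str
    mfa_at: float          # time MFA last succeeded for this cookie
    binding: str           # fingerprint of the context the cookie was issued in
    step_up_required: bool = False

def fingerprint(ip: str, user_agent: str) -> str:
    # Assumed binding: source address plus browser identity. Real deployments
    # often use ASN or geolocation instead of the raw IP to tolerate roaming.
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

class SessionStore:
    def __init__(self, mfa_ttl: float = 12 * 3600):
        self.sessions: dict[str, Session] = {}
        self.mfa_ttl = mfa_ttl   # force re-MFA after this many seconds anyway

    def issue(self, user: str, ip: str, ua: str, now: float) -> str:
        """Called only after a successful MFA login; returns the cookie value."""
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = Session(user, now, fingerprint(ip, ua))
        return cookie

    def authorize(self, cookie: str, ip: str, ua: str, now: float) -> str:
        """Decide 'allow', 'step_up' or 'deny' for a request carrying cookie."""
        s = self.sessions.get(cookie)
        if s is None:
            return "deny"
        moved = not hmac.compare_digest(s.binding, fingerprint(ip, ua))
        if moved or now - s.mfa_at > self.mfa_ttl:
            s.step_up_required = True   # a replayed cookie locks the session
        return "step_up" if s.step_up_required else "allow"

    def complete_mfa(self, cookie: str, ip: str, ua: str, now: float) -> None:
        """Rebind the session to the context that just passed MFA."""
        s = self.sessions[cookie]
        s.mfa_at, s.binding, s.step_up_required = now, fingerprint(ip, ua), False
```

Because the lock persists until MFA is redone, the legitimate user is also prompted on their next request, which surfaces the replay rather than letting it pass silently.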
Additionally, Microsoft and Duo advise administrators to enable newer features such as MFA number matching, also known as Verified Push in Duo, to protect against logins using stolen credentials.