CircleCI hack: Malware steals engineer’s 2FA-backed session

CircleCI was breached by hackers in December. An engineer was infected by information-stealing malware that stole their 2FA-backed SSO session cookies, which gave the attackers access to company systems.

CircleCI revealed earlier this month that they had been breached, and advised customers to rotate their secrets and tokens.

CircleCI has released a security incident report that details the attack. They say they were first alerted by a customer who reported that their GitHub OAuth token had been compromised.

CircleCI was able to automatically rotate its customers' GitHub OAuth tokens in response to this compromise.

An internal investigation revealed that an engineer was infected with malware designed to steal information. The company’s anti-virus software failed to detect the infection.

The malware was able to steal the corporate session cookie, which had already been validated via 2FA. This let the threat actor log in as the user without having to authenticate again via 2FA.

CircleCI's report explains that "our investigation suggests that the malware could execute session cookie theft. This enabled them to impersonate a targeted employee at a remote place and then escalate access rights to a subset of our production systems."

CircleCI says that the hacker began stealing data from the company's data stores and databases on December 22nd using the engineer's privileges. This includes customer environment variables and keystrokes.

CircleCI encrypts data at rest. However, the hacker also extracted the encryption keys from running processes, which could give the threat actor access to the stolen encrypted data.

On learning of the data theft, the company began notifying customers by email, warning them that all secrets and tokens they had stored between December 21st 2022 and January 4th 2023 would be lost.

CircleCI says that in response to the attack it has rotated all tokens linked to its customers. This includes Project API Tokens and Personal API Tokens as well as GitHub OAuth tokens. CircleCI also worked with Atlassian and AWS to notify customers of Bitbucket tokens and AWS tokens that might have been compromised.

To strengthen its infrastructure, CircleCI added additional detections to its antivirus and mobile device management (MDM) systems.

Additionally, the company restricted access to production systems to a smaller subset of employees and tightened its 2FA implementation.

MFA under attack

CircleCI's incident report is another example of how threat actors are increasingly targeting multi-factor authentication.

Threat actors routinely seek out corporate credentials, whether through information-stealing malware or phishing attacks.

To prevent unauthorized access to company systems even after credentials have been stolen, MFA has become common practice in the enterprise.

However, this adoption has led to threat actors devising new tactics to circumvent MFA. These include stealing session cookies that have been authenticated against MFA and using .

These cyberattacks have been very successful in breaking into large corporate networks. They include recent attacks against and . was also attacked.

That does not mean MFA should be abandoned. However, these platforms must be properly configured to recognize when a session cookie is being used from a new location or device and to request additional MFA validation.
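One way a service can implement the check described above is to bind each session to the network and device context in which MFA was completed and force a step-up challenge when a cookie is presented from elsewhere. The following is an added illustration, not CircleCI's code; the store, fingerprinting rule and function names are hypothetical.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed in-memory session store keyed by the hash of the session token
# (the raw token is only ever held by the client). A real service would use a DB.
SESSIONS = {}


def _fingerprint(ip: str, user_agent: str) -> str:
    """Coarse binding context: the client's /24 (IPv4) or /48 (IPv6) plus its UA."""
    prefix = "/48" if ":" in ip else "/24"
    net = ipaddress.ip_network(ip + prefix, strict=False)
    return hashlib.sha256(f"{net}|{user_agent}".encode()).hexdigest()


def issue_session(user: str, ip: str, user_agent: str, now: float) -> str:
    """Create a session right after a successful MFA login and return the cookie value."""
    token = secrets.token_urlsafe(32)
    SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": user,
        "fingerprint": _fingerprint(ip, user_agent),
        "mfa_at": now,  # time of the last completed MFA challenge
    }
    return token


def check_session(token: str, ip: str, user_agent: str, now: float,
                  mfa_max_age: float = 8 * 3600) -> str:
    """Return 'ok', 'step_up_required' or 'invalid' for a presented cookie."""
    rec = SESSIONS.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None:
        return "invalid"
    # A stolen cookie replayed from another network or browser changes the fingerprint.
    if not hmac.compare_digest(rec["fingerprint"], _fingerprint(ip, user_agent)):
        return "step_up_required"
    # Even from the same context, cap how long a single MFA assertion stays valid.
    if now - rec["mfa_at"] > mfa_max_age:
        return "step_up_required"
    return "ok"


def complete_step_up(token: str, ip: str, user_agent: str, now: float) -> bool:
    """Rebind the session after the user passes a fresh MFA challenge from the new context."""
    rec = SESSIONS.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None:
        return False
    rec["fingerprint"] = _fingerprint(ip, user_agent)
    rec["mfa_at"] = now
    return True
```

The /24 binding keeps a user on a DHCP-reassigned address within the same office network from being re-challenged, while a cookie lifted by malware and replayed from a different network or browser is not accepted without a new MFA prompt.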

Duo and Microsoft are also advising administrators to enable newer features like (also known as ) to protect against stolen credentials.