News about CircleCI being a target of a cybersecurity hack surfaced in the first week of January, warning customers to rotate their secrets and review internal system logs for suspicious activities. CircleCI said it was detected after a customer reported unauthorised system access in their GitHub OAuth token.
After the initial investigation, the software company revealed that one of their engineers was infected by an infostealer malware, resulting in the theft of a corporate session cookie. This stolen session allowed the hacker to access the engineer’s corporate computer without having to authenticate via 2FA.
The CircleCI hack was completed after the threat actors abused the stolen session cookie and escalated their access inside the corporate network.
According to the latest released incident report of CircleCI concerning the hack, they explained that the threat actors had escalated their admin access to a subset of the company’s production systems after successfully leveraging the hijacked session cookie.
On December 22, the hackers started collecting valuable data from CircleCI’s databases, including customers’ tokens, keys, and environment variables. Moreover, the hackers also stole encryption keys that allowed them to decrypt several encrypted corporate data.
Thus, all customers are immediately warned and instructed to rotate their secrets and tokens, especially if they logged in to their accounts between December 21, 2022, and January 4, 2023. CircleCI also automatically rotated all customer-associated tokens and teamed up with Atlassian and AWS to alert their respective clients of possible BitBucket and AWS tokens compromise.
As a part of the software company’s abundance of caution, they implemented additional detection mechanisms against infostealer malware, restricted access to production systems to a smaller group of authorised personnel, and heightened their 2FA implementation security.
Security researchers are concerned about the increasing attacks involving MFAs. These MFA bypassing campaigns are mostly geared towards corporate credential theft, whether launched through malware or phishing.
While MFA implementation is crucial for a company’s cybersecurity, hackers have somehow acquired methods to bypass them. Stealing session cookies and MFA Fatigue attacks are two of the most common tactics hackers use to gain access to corporate systems. Some notable breach incidents related to this campaign were launched on Microsoft, Uber, Cisco, and CircleCI.
Analysts believe that even if MFA is activated in a corporate system, it still needs to be properly configured to detect malicious access on a session cookie. Requesting additional MFA validation is also recommended.