Infected Engineer's 2FA-Backed SSO Session Let Hackers Access CircleCI's Systems
CircleCI, a popular CI/CD (Continuous Integration and Continuous Development) platform used in DevOps practices, has disclosed that it was breached.
In December of last year, a CircleCI engineer's laptop was infected with information-stealing malware. The attackers used the stolen data, including a 2FA-backed SSO session cookie, to get into CircleCI's internal systems.
In its incident report, CircleCI said it learned of the breach when a customer reported that their GitHub OAuth token had been compromised. In response, the company has automatically rotated all of its customers' GitHub OAuth tokens.
The information-stealing malware also captured the engineer's corporate session cookie, which had already passed two-factor authentication (2FA). With that cookie, the attackers could act as the engineer without ever completing a second factor.
Because the stolen session cookie was still valid, the attackers could impersonate the targeted employee from a remote location and then escalate to a subset of the production systems.
From there, using the engineer's privileges, the attackers began exfiltrating keys, tokens, and customer environment variables from the company's databases and stores.
Although CircleCI had encrypted the data at rest, the attackers also extracted the encryption keys from a running process, which may have allowed them to decrypt the stolen data.
As soon as the company discovered the breach, it emailed all of its customers telling them to rotate all of their tokens and secrets if they had logged in after December 21.
The company says that all customer tokens, including GitHub OAuth tokens, Personal API tokens, and Project API tokens, have already been rotated. CircleCI also worked with AWS and Atlassian to notify customers that their Bitbucket and AWS tokens may have been compromised.
To prevent a repeat, the company has hardened its infrastructure by adding detection for the behaviour of information-stealing malware to its antivirus software and Mobile Device Management.
The company has also restricted the number of people who can access its production environment and tightened its 2FA implementation.
Attacks like this one show that hackers are increasingly targeting the multi-factor authentication that companies have set up, whether through phishing or information-stealing malware.
Companies deploy MFA to keep unauthorised users out of their systems. But as MFA adoption has grown, attackers have adapted: they now use techniques such as stealing session cookies that have already been verified by MFA.
It is therefore important for companies to configure these platforms so that they can detect when a session cookie is being used from an unexpected location or device, and then require a fresh MFA challenge.
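As an added example (not code from the article or from CircleCI), here is a minimal version of the check the last paragraph calls for: each session is bound to the client context recorded when 2FA succeeded, and any later use of that session from a different context is flagged for revocation and a step-up MFA prompt. The event list, field names and session ids are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample of session-usage events: (session_id, client_ip, user_agent, action).
# An "issue" event marks the moment a session cookie was minted after a successful 2FA login;
# every other event is a later request that presented that cookie.
EVENTS = [
    ("s1", "203.0.113.10", "Mozilla/5.0 (Macintosh)", "issue"),
    ("s1", "203.0.113.10", "Mozilla/5.0 (Macintosh)", "read_repo"),
    ("s1", "198.51.100.77", "curl/7.88", "list_env_vars"),   # stolen cookie replayed elsewhere
    ("s2", "203.0.113.20", "Mozilla/5.0 (Windows)", "issue"),
    ("s2", "203.0.113.20", "Mozilla/5.0 (Windows)", "read_repo"),
    ("s9", "192.0.2.5", "python-requests/2.31", "read_repo"),  # cookie never issued by us
]


@dataclass(frozen=True)
class SessionContext:
    """Client attributes captured at issuance. IP alone is noisy (mobile and VPN users
    change address), so it is combined with the user agent; treat a mismatch as a
    trigger for step-up MFA rather than a silent block."""
    ip: str
    user_agent: str


def detect_session_replay(events):
    """Bind each session to its issuance context and report later uses whose
    context differs. Returns {session_id: [(reason, action), ...]}."""
    bound = {}
    alerts = {}
    for sid, ip, ua, action in events:
        ctx = SessionContext(ip, ua)
        if action == "issue":
            bound[sid] = ctx          # context at the moment 2FA was satisfied
            continue
        origin = bound.get(sid)
        if origin is None:
            alerts.setdefault(sid, []).append(("unknown_session", action))
        elif origin != ctx:
            alerts.setdefault(sid, []).append(("context_mismatch", action))
    return alerts


def response_for(alerts):
    """Map alerts to the action a session service should take: revoke the cookie
    and require a fresh MFA challenge before the same user gets a new one."""
    return {sid: "revoke_and_step_up_mfa" for sid in alerts}


if __name__ == "__main__":
    found = detect_session_replay(EVENTS)
    for sid, action in response_for(found).items():
        print(sid, found[sid], "->", action)
```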