CircleCI forcibly rotates its customers' GitHub OAuth tokens after a security incident.
Earlier this month, CircleCI disclosed a security incident and warned customers that they needed to rotate their tokens.
In a new incident report, the company says that one of its employees was the target of an attack using information-stealing malware, which compromised an engineer's session even though it was protected by 2FA.
Attackers broke into CircleCI in December after an engineer's machine was infected with malware that stole a single sign-on session cookie for a session that had already passed 2FA, which eventually allowed them to gain access to the company's internal systems.
CircleCI first learned of the unauthorized access after a customer reported that their GitHub OAuth token had been compromised.
By January 4, the investigation had established that on December 16 the engineer's machine had been infected with information-stealing malware that the company's antivirus software failed to detect and neutralize in time.
The stolen corporate session cookie, which had already passed 2FA, then allowed the attacker to impersonate the target employee from a remote location and escalate access to production systems.
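The mechanism described above, a valid post-MFA session cookie replayed from the attacker's own machine, is hard to catch at the authentication layer because the cookie itself is legitimate. What does change is the client fingerprint (source IP and User-Agent) attached to the session. The following detection script is an added example, not CircleCI's code or tooling; it assumes a constructed JSON-lines auth log with the fields `ts`, `event`, `user`, `sid`, `ip`, `ua` and `path`, binds each session id to the fingerprint seen at MFA completion, and flags later requests on that session from a different fingerprint, as well as sessions that were never seen completing MFA in the log window.

```python
"""Flag post-MFA session cookies that are reused from a different client.

Added example (not CircleCI's code). Log format and field names are assumed
for this illustration: one JSON object per line, sorted here by timestamp.
"""
import json
from dataclasses import dataclass

# Constructed sample log. eng1 completes MFA from the corporate egress IP and
# works normally; days later the same session id (cookie) is used from an
# unfamiliar IP with a scripting User-Agent to reach a sensitive path.
# eng3 has a session with no MFA completion in the window at all.
SAMPLE_LOG = """\
{"ts": "2022-12-16T09:00:00Z", "event": "mfa_success", "user": "eng1", "sid": "s-1111", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Macintosh) Chrome/108"}
{"ts": "2022-12-16T09:05:12Z", "event": "request", "user": "eng1", "sid": "s-1111", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Macintosh) Chrome/108", "path": "/api/v2/me"}
{"ts": "2022-12-19T22:41:03Z", "event": "request", "user": "eng1", "sid": "s-1111", "ip": "198.51.100.77", "ua": "python-requests/2.28.1", "path": "/admin/secrets"}
{"ts": "2022-12-16T10:00:00Z", "event": "mfa_success", "user": "eng2", "sid": "s-2222", "ip": "203.0.113.11", "ua": "Mozilla/5.0 (X11) Firefox/108"}
{"ts": "2022-12-16T10:03:00Z", "event": "request", "user": "eng2", "sid": "s-2222", "ip": "203.0.113.11", "ua": "Mozilla/5.0 (X11) Firefox/108", "path": "/api/v2/project"}
{"ts": "2022-12-16T11:00:00Z", "event": "request", "user": "eng3", "sid": "s-3333", "ip": "203.0.113.12", "ua": "curl/7.85", "path": "/api/v2/me"}
"""


@dataclass
class Binding:
    """Client fingerprint recorded when a session completed MFA."""
    user: str
    ip: str
    ua: str


@dataclass
class Finding:
    """One suspicious request, ready to be emitted to a SIEM."""
    ts: str
    user: str
    sid: str
    reasons: list
    ip: str
    ua: str
    path: str


def detect_session_reuse(lines):
    """Return Findings for requests whose fingerprint differs from the one
    bound at MFA completion, or whose session never completed MFA in view."""
    events = [json.loads(line) for line in lines if line.strip()]
    # ISO-8601 UTC timestamps sort correctly as strings.
    events.sort(key=lambda e: e["ts"])
    bindings = {}  # sid -> Binding
    findings = []
    for ev in events:
        sid = ev["sid"]
        if ev["event"] == "mfa_success":
            # Bind the session id to the device/network that actually passed MFA.
            bindings[sid] = Binding(ev["user"], ev["ip"], ev["ua"])
            continue
        bound = bindings.get(sid)
        if bound is None:
            # Either the log window is too short or the cookie was minted
            # somewhere we did not observe; either way it deserves a look.
            findings.append(Finding(ev["ts"], ev["user"], sid,
                                    ["no mfa_success observed for session"],
                                    ev["ip"], ev["ua"], ev.get("path", "")))
            continue
        reasons = []
        if ev["ip"] != bound.ip:
            reasons.append(f"ip changed {bound.ip} -> {ev['ip']}")
        if ev["ua"] != bound.ua:
            reasons.append(f"user-agent changed {bound.ua!r} -> {ev['ua']!r}")
        if ev["user"] != bound.user:
            reasons.append(f"user changed {bound.user} -> {ev['user']}")
        if reasons:
            findings.append(Finding(ev["ts"], ev["user"], sid, reasons,
                                    ev["ip"], ev["ua"], ev.get("path", "")))
    return findings


if __name__ == "__main__":
    for f in detect_session_reuse(SAMPLE_LOG.splitlines()):
        print(json.dumps(f.__dict__))
```

Binding to the exact IP is deliberately strict for the example; in production you would usually compare the network (ASN or corporate egress range) rather than the address, so that a laptop roaming between office and VPN egress points does not trip the rule while a session that jumps to a residential or hosting network still does. A session-without-MFA finding is lower confidence and mostly a signal that the log window should be widened.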
According to CircleCI, on December 22 the attacker used the engineer's privileges to begin exfiltrating data from some of the company's databases and repositories, including customer environment variables, tokens and keys.
The attacker also managed to extract encryption keys from running processes, which allowed them to decrypt data that CircleCI had stored encrypted.
Having established the circumstances of the incident, the company began urgently notifying customers and advising them to rotate all tokens and secrets from the period December 21, 2022 to January 4, 2023.
To date, CircleCI has rotated all customer-associated tokens, including Project API tokens, Personal API tokens and GitHub OAuth tokens.
The company has also worked with Atlassian and AWS to notify customers of potentially compromised Bitbucket and AWS tokens.
CircleCI has deployed additional detection for information-stealing malware in the antivirus and mobile device management (MDM) solutions it uses.
In addition, the company has restricted access to production environments, reducing the number of employees with access and strengthening its 2FA implementation.
The CircleCI incident is another example of attackers successfully bypassing MFA, following Microsoft, Cisco and Uber.