In December, CircleCi experienced a security incident when hackers breached their systems. The breach occurred after an engineer at the company became infected with information-stealing malware. This malware allowed the hackers to access the company’s internal systems through the engineer’s 2FA-backed SSO session cookie.
CircleCi first became aware of the unauthorized access to their systems when a customer reported that their GitHub OAuth token had been compromised. In response to the incident, the company disclosed the security incident. It warned customers to rotate their tokens and secrets to protect their accounts.

CircleCi took action to ensure the security of its customers. CircleCi is implementing a compromise that led to the automatic rotation of GitHub OAuth tokens. On January 4th, an internal investigation revealed that an engineer had been infected with information-stealing malware on December 16th. It was not detected by the company’s antivirus software. This malware was able to steal a corporate session cookie that had already been authenticated through 2FA. This allow the hacker to log in as the user without needing to go through 2FA again.

CircleCi’s Incedent report on malware

According to CircleCi’s incident report, “Our investigation indicates that the malware was able to execute session cookie theft, enabling the hacker to impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems.”

The hacker used the engineer’s privileges to begin stealing data from some of CircleCi’s databases and stores, including customer environment variables, tokens, and keys, on December 22nd.

The hacker stole encryption keys from CircleCi by dumping them from running processes. This action potentially allowed the threat actor to decrypt the encrypted, stolen data. Upon discovering the data theft, CircleCi immediately began alerting customers via email about the incident. They also caution them to rotate all tokens and secrets if they had logged in. The log-in period was between December 21st, 2022, and January 4th, 2023. To combat the attack, CircleCi spun all tokens associated with their customers, including Project, Personal API & GitHub OAuth tokens. Additionally, the company collaborated with Atlassian and AWS to notify customers of potentially compromised Bitbucket tokens and AWS tokens.

CircleCi’s steps ahead to combat hack of 2FA secure sessions

CircleCi announced that it had taken steps to strengthen its infrastructure. They are adding additional detections for information-stealing malware to its antivirus and mobile device management systems. The company also made the decision to restrict access to its production environments to a smaller group of individuals. Also company is stressing to enhance the security of its two-factor authentication implementation. This is a proactive measure to ensure the safety of its user’s data and prevent any potential breaches.

Threat actors are increasingly targeting multi-factor authentication (MFA) to gain access to corporate systems. This trend is evident in the incident report from CircleCi, which highlights how attackers use various tactics to bypass MFA. These tactics include stealing session cookies that have already been authenticated with MFA and using MFA fatigue attacks. These attacks have been successful in breaching large corporate networks, including those of Microsoft, Cisco, Uber, and CircleCi.
To counter these attacks, it is crucial for enterprises to properly configure their MFA platforms. For detecting a session cookie in a new location and then request further MFA validation. Additionally, Microsoft and Duo recommend that administrators enable newer features such as MFA number matching (also known as Verified Push in Duo) to help protect against logins using stolen credentials. Despite the evolving tactics of threat actors, the use of MFA remains vital in preventing access to corporate systems.