IT NEWS

Ransomware revenue significantly down over 2022

According to blockchain data platform Chainalysis, ransomware revenue “plummeted” from $765.6 million in 2021 to at least $456.8 million in 2022. The data is based on an analysis of the cryptocurrency addresses known to be controlled by ransomware attackers.

Precision

While the real numbers are likely much higher, the data does give us an idea of how ransomware payments are developing. Last year’s estimate at this point seemed to show a decline from $765 million to $602 million, but turned out to be a small gain after correction.

Chart image courtesy of Chainalysis

Payments, not attacks

This decline could be explained in a number of ways:

  • Fewer attacks
  • Lower ransom demands or demand being negotiated down
  • Fewer victims willing to pay

According to our own research and Chainalysis, the declining numbers are mainly due to victim organizations increasingly refusing to pay ransomware attackers.

Number of attacks

Ransomware attacks make headlines, but that doesn’t mean we learn about all of them. In fact, the chances of learning about an attack are greater when the victim decides not to pay, since that will get them posted on a leak site controlled by the ransomware group. Many ransomware operators use these sites to post data they exfiltrated during the attack as extra leverage to get victims to pay the ransom. Monitoring these sites gives us a good idea of which ransomware groups are most active and how many victims actually refuse to pay.

According to IT service provider AAG, there were 236.1 million ransomware attacks worldwide in just the first half of 2022. Through 2021, there were 623.3 million ransomware attacks globally. That seems to indicate the number of attacks could be slightly down.

Negotiators

One thing victims have learned is that ransom sums can be negotiated down. In fact, a new form of ransomware response has emerged in the past year—the ransomware negotiator. On our Lock & Code podcast episode “Calling in the ransomware negotiator, with Kurtis Minder” (Lock and Code S03E20), Kurtis Minder talks about how he has helped clients with ransomware negotiation and how his company has worked to formalize ransomware negotiation training.

Not willing to pay

There are many reasons, besides the obvious one, that companies are unwilling to meet the ransom demands:

  • Paying keeps the ransomware eco-system alive
  • There is no guarantee you will get your systems back
  • It is no immediate cure; it sometimes takes just as long as restoring your systems from backups
  • Organizations have learned the importance of backups
  • In some cases it is prohibited due to embargoes and sanctions against certain countries

Sometimes organizations feel they have no other choice, which is understandable, but it gives us hope to see that the numbers are declining.

Continental

In our ransomware review of October 2022 we highlighted the case of automotive parts giant Continental. According to a transcript of the negotiations, obtained from LockBit’s dark web site, ransom negotiations began on September 23 and progressed slowly for a month. In the transcript, Continental sought proof that the ransomware group had the 40 terabytes of internal company data it claimed to have stolen, and then asked for assurances that the group would delete the data if the ransom was paid.

The final message attributed to Continental, dated October 24, reads “Hello, we have to hold a management meeting and will come back to you tomorrow end of business day.” It seems that the meeting did not go the way that LockBit hoped, and after several fruitless days trying to restart the negotiation, the ransomware group has made the Continental data available on its dark web site—for sale or destruction—for $50 million. It is unknown whether anyone shelled out that amount to obtain the stolen data.

Chainalysis queried several ransomware experts and is convinced that the drop in revenue is due to more victims refusing to pay. For those interested, the report provides a lot more details.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Ransomware money laundering operation disrupted, founder arrested

The US Department of Justice (DOJ) has released information about the arrest of Anatoly Legkodymov, the founder and majority owner of a cryptocurrency exchange called Bitzlato, on money laundering charges. Legkodymov, a Russian national who lives in China, is accused of processing over $700 million of illicit funds.

The US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) also issued an order that identifies Bitzlato as a “primary money laundering concern” in connection with Russian illicit finance.

The exchange is thought to have fueled crypto-related crimes like ransomware by helping cybercriminals launder illegally obtained money.

As stated by Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division:

As alleged, the defendant helped operate a cryptocurrency exchange that failed to implement required anti-money laundering safeguards and enabled criminals to profit from their wrongdoing, including ransomware and drug trafficking.

Bitzlato’s largest counterparty in cryptocurrency transactions was Hydra, a Russian language dark web marketplace for narcotics, stolen financial information, fraudulent identification documents, and money laundering services.

What made Bitzlato popular among criminals was the fact that it marketed itself as requiring minimal identification from its users. Where other exchanges require users to submit selfies and official IDs, Bitzlato said this was not required, and allowed “straw man” registrants. According to the DOJ, these deficient know-your-customer (KYC) procedures allegedly made Bitzlato a haven for criminal proceeds and funds intended for use in criminal activity.

Bitcoin—the most popular cryptocoin used in cybercrime—is pseudonymous, meaning that transactions between entities are public and easy to trace, but the identity of the entities is hidden behind numeric addresses. If law enforcement can identify the owner of a bitcoin address they can see the transactions that person has made. As a result, some countries insist that exchanges take identifying information from customers when they open an account so that their transactions can be attributed to a real identity easily.

The lax procedures at Bitzlato would have given its users peace of mind that any illicit transactions could not be traced back to them, since they were able to use stolen identities to register their accounts.

To reassure its users, Bitzlato issued a statement saying it suffered a minor hack:

Our service was hacked, part of the funds was withdrawn from the service. 

We ask you DO NOT REPLENISH our service during the proceedings!

Withdrawals will also be suspended indefinitely.

Sincerely,
The Bitzlato Team.

It later added:

We want to inform you that the funds are completely safe. 

The attackers were able to withdraw a small part of the funds, but for all victims, we guarantee a refund!

As a security measure, we have disabled the service, we ask you not to replenish the wallets of our service until the work is restored.

The Bitzlato website was replaced by a notice saying that the service had been seized by French authorities as part of a coordinated international law enforcement action.

While Bitzlato is far from a leading name in cryptocurrency exchanges, according to Chainalysis, Bitzlato is one of the major cryptocurrency businesses with a presence in Moscow City that have facilitated the most money laundering.

FinCEN said:

Bitzlato plays a critical role in laundering Convertible Virtual Currency (CVC) by facilitating illicit transactions for ransomware actors operating in Russia, including Conti, a Ransomware-as-a-Service group that has links to the Government of Russia.

While the crypto-exchange claimed not to allow users from the United States to register accounts, prosecutors said Bitzlato knowingly serviced US customers and conducted transactions with US-based exchanges using US online infrastructure. For at least some period of time, it was being managed by the defendant while he was in the United States.



Credit card fraud group member could get up to 30 years in jail

Card fraud, a staple diet of scammers online, is currently featuring heavily on the US Department of Justice portal. The reason? A story which has rumbled on for a few years finally seems to be pulling into its final destination, as a man admits his role in a slice of fraud which impacted thousands of people across the US.

A timeline of credit card fraud

Back in January 2019, three people alleged to be part of a “nationwide stolen credit card ring” were arrested. The gang was said to have racked up $3 million in unauthorised purchases, and was charged with conspiracy to commit bank fraud and aggravated identity theft.

The location where the arrests took place was filled with credit cards. Said cards were alleged to have been bought online via the dark web and elsewhere. A network of women was put together via social media, with those individuals collecting bought goods from different cities and receiving a cut of the profits once those items were sold on. Some individuals involved had been flagged in the past for various crimes, many of which involved credit cards, with one related to “700 stolen accounts”.

The case went silent in the news until 2020, when Hamilton Eromosele, 29, pleaded guilty to one count of conspiracy to commit bank fraud. He was sentenced to 110 months in prison.

We now have some new crime-related numbers to report, and it doesn’t look great for at least one of the other individuals involved.

Big fraud, big losses

Trevor Osagie, 31, has now pleaded guilty to a conspiracy charge. The conspirators made more than $1.5 million in fraudulent purchases using a tally of over 4,000 stolen credit card accounts.

Over a period of at least four years, from 2015 up until November 2018, the crime network purchased everything from gift cards and hotel stays to rental cars and other goods and services. Although the group was based primarily in the New York / New Jersey area, its crimes took place all over the US.

We have the why, but not the how

The indictment adds some additional context to the overall picture, though there is currently no deep dive into the group’s many activities. In fact, there’s only one example listed of how the group made use of aliases to email the card numbers to one another.

There’s also no word (yet) as to how people were recruited on social media to visit the different cities. Were these roles offered in public under the guise of being something legitimate? Did these opportunities come by private direct messaging? At this point, we simply don’t know.

In total, nine people are listed as having some level of involvement with the wide-ranging fraud operation. Two financial organisations in particular incurred significant losses.

From doing crime to doing time

As Bleeping Computer notes, Osagie is now facing up to 30 years in prison. There’s also a potential maximum fine of up to $1 million, which definitely has the potential to put the brakes on some criminal activity.

We’ll hear the sentencing decision in a few months’ time, and then perhaps the full story of how this one played out, along with how the group was caught in the first place, will finally be revealed.



Mailchimp breach feels like deja vu

A threat actor successfully used compromised employee credentials to gain access to 133 accounts on Mailchimp, the mainstream Intuit-owned email marketing platform, in a security incident that recently came to light.

“On January 11, the Mailchimp Security team identified an unauthorized actor accessing one of our tools used by Mailchimp customer-facing teams for customer support and account administration,” said Mailchimp in a blog post. “The unauthorized actor conducted a social engineering attack on Mailchimp employees and contractors, and obtained access to select Mailchimp accounts using employee credentials compromised in that attack.”

The blog further asserts the company’s compromise had not affected other Intuit systems or other Mailchimp customer data.

Very little detail has been shared about the attack, such as the specific social engineering tactic used against Intuit’s employees, who might be responsible for the attack, or how long the intruder was in the company’s systems.

According to TechCrunch, which first reported the incident, Mailchimp detected the intruder accessing one of the tools used by its customer support and account administration teams. Upon discovery of the targeted attack, it temporarily suspended the affected accounts and reached out to their owners regarding the breach.

“That afternoon, we sent another email to affected accounts with steps to help users reinstate access to their Mailchimp accounts safely. Since then, we’ve been working with our users directly to help them reinstate their accounts, answer questions, and provide any additional support they need.”

One of the 133 accounts affected belonged to WooCommerce, an immensely popular e-commerce plugin for WordPress with more than five million customers. TechCrunch said customer names, web store addresses, and customer email addresses might have been exposed in the compromise.

This latest incident with Mailchimp definitely calls back to the April 2022 breach when threat actors were able to breach 319 of its client accounts, mostly belonging to companies in the cryptocurrency and finance industries. Cryptocurrency wallet company Trezor had taken to Twitter to let followers know some of its services were also affected by the Mailchimp compromise.

Trezor said then, “Mailchimp have confirmed that their service has been compromised by an insider targeting crypto companies. We have managed to take the phishing domain offline.”

Since this attack, Mailchimp said it had implemented “an additional set of enhanced security measures”, but TechCrunch noted the company wasn’t specific about these measures.

“We know that incidents like this can cause uncertainty, and we’re deeply sorry for any frustration,” Mailchimp said. “We are continuing our investigation and will be providing impacted account holders with timely and accurate information throughout the process.”



LastPass users should move their crypto funds, experts warn

Several experts have warned LastPass users who store cryptocurrency-related login information in their vaults to change that login information as soon as they can.

Apparently, cybercriminals who have access to the stolen information are making it a priority to decrypt the data in an attempt to access cryptowallets and online accounts.

Responders.nu tweet

The breach

According to LastPass, an unknown attacker accessed a cloud-based storage environment using information obtained in LastPass’ August 2022 breach. Some of the stolen source code and technical information were used to target another LastPass employee, allowing the attacker to obtain credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.

Unencrypted data

As we mentioned in an earlier post about the LastPass breach, part of the stolen data was not encrypted. The unencrypted data included URLs, which could act as a pointer for the attacker to figure out which accounts deserve their attention. For example, if someone has stored their login credentials to Blockchain.com or any other crypto services platform in LastPass, the threat actor will be able to see the URL to that platform and then can choose to prioritize the attempts to decrypt that information.

Decrypt

At this point it is unclear whether the attacker tries to decrypt the master password of these interesting accounts, or the crypto-related login credentials, but it is likely they will try both. And because they have stolen copies of the vaults, they have an unlimited amount of time to keep trying.

Secret keys

If your secret keys were in the stolen data, simply changing your passwords will not be enough. With a secret key you can prove ownership of a blockchain address, which means you can change all the other information associated with that address. The password, the recovery email, etc—everything a threat actor needs to drain the account.

This is why the tweet by Responders.nu (a Dutch Incident Response cybersecurity firm) says that you will have to move your funds to a different account.

Changing your LastPass master password and enabling 2FA is good, but it does not help in a case where attackers have a copy of your vault, because they can access the copy at all times. Once they crack your master password, they will be able to see everything you stored in that vault in plaintext, and they’ll have plenty of time to use brute force attacks to decrypt the encrypted data.

We realize that opening new accounts and transferring funds to them is time-consuming and costly, but it is certainly better than waking up to a drained account.

Class action

A “John Doe” class-action lawsuit has been filed against LastPass following the August 2022 data breach. The class action was filed with the United States district court of Massachusetts on January 3 by an unnamed plaintiff (John Doe) and on behalf of others similarly situated. Allegedly the data breach of LastPass has resulted in the theft of around $53,000 worth of Bitcoin.

We have reached out to LastPass, but it has not returned our request for comment. We will keep you posted about any developments here.



Update now! Two critical flaws in Git’s code found, patched

In a sponsored security source code audit, security experts from X41 D-SEC GmbH (Eric Sesterhenn and Markus Vervier) and GitLab (Joern Schneeweisz) found two notable critical flaws in Git’s code. A vulnerability in Git could generally compromise source code repositories and developer systems, but “wormable” ones could result in large-scale breaches, according to the high-level audit report. Microsoft defines a flaw as “wormable” if it doesn’t rely on human interaction and instead allows malware to spread from one vulnerable system to another on its own.

The two critical flaws, tracked as CVE-2022-23521 and CVE-2022-41903, could allow threat actors to run malicious code by exploiting integer overflows that lead to out-of-bounds memory writes.

A total of eight vulnerabilities were found in Git’s code. On top of the critical ones we mentioned, the experts also found one rated medium, one high, and four rated low severity. 27 other issues found don’t have a direct security impact.

A copy of the full audit report from X41 and GitLab can be found here.

Recommendation and workaround

The easiest way to protect against exploits of these critical vulnerabilities is to upgrade to the latest Git release, version 2.39.1, and to update your GitLab instance to one of these versions: 15.7.5, 15.6.6, or 15.5.9.

Version 2.39.1 of Git for Windows also addresses the flaw tracked as CVE-2022-41953.

The researchers recommend that those using Git continue to use safe wrappers and develop strategies to mitigate common memory safety issues. They also discouraged storing length values in signed integer-typed variables.

“Introducing generic hardenings such as sanity checks on data input length, and the use of safe wrappers can improve the security of the software in the short term. The usage of signed integer typed variables to store length values should be banned. Additionally, the software could benefit from compiler level checks regarding the use of integer and long variable types for length and size values. Enabling the related compiler warnings during the build process can help identify the issues early in the development process.”

Per BleepingComputer, users who cannot upgrade to address CVE-2022-41903 may want to apply this workaround instead:

  • Disable ‘git archive’ in untrusted repositories, or avoid running the command on untrusted repos
  • If ‘git archive’ is exposed via ‘git daemon’, disable it when working with untrusted repositories by running the ‘git config --global daemon.uploadArch false’ command

CVE-2022-23521: Truncated Allocation Leading to Out-of-bounds (OOB) Write

An OOB write occurs when software writes data before the beginning or past the end of a buffer, resulting in data corruption, a system crash, or code execution. This OOB write is classed as a heap-based buffer overflow.

This flaw triggers when Git parses a crafted .gitattributes file, which may be part of a commit history, causing multiple integer overflows (also known as wraparounds). An integer overflow means the program tries to store a value larger than its integer type can hold.

If this happens, OOB reads and writes can occur, which could then lead to remote code execution.
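The truncated-allocation pattern described here, and the signed-length advice quoted above, as an added example that is not Git’s own code: the record size, the 1 MiB sanity cap and the line format are assumptions, and the unsafe size calculation sits beside its hardened form.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical size of one parsed attribute record (assumed, not Git's). */
#define ATTR_RECORD_SIZE ((size_t)16)
/* Hypothetical sanity cap on one attribute buffer: 1 MiB. */
#define MAX_ATTR_BUF ((size_t)1 << 20)

/* Counts the whitespace-separated attribute tokens that follow the pattern
 * in one .gitattributes-style line, e.g. "*.c text diff=c" -> 2. */
size_t count_attrs(const char *line)
{
    size_t n = 0;
    int in_token = 0, seen_pattern = 0;

    for (; *line != '\0'; line++) {
        if (*line == ' ' || *line == '\t') {
            in_token = 0;
            continue;
        }
        if (!in_token) {
            in_token = 1;
            if (seen_pattern)
                n++;              /* an attribute token */
            else
                seen_pattern = 1; /* the leading pattern is not an attribute */
        }
    }
    return n;
}

/* Unsafe pattern the audit warns against: the byte count is squeezed into an
 * int. Once count * ATTR_RECORD_SIZE exceeds what an int can hold, the value
 * is truncated, so an allocator would be handed far fewer bytes than the
 * parser later writes: a truncated allocation leading to an OOB write. The
 * explicit cast also silences -Wconversion, which is why the report wants
 * signed length variables banned rather than cast around. */
int unsafe_alloc_size(size_t count)
{
    int size = (int)(count * ATTR_RECORD_SIZE);   /* truncation */
    return size;
}

/* Hardened form: size_t arithmetic, an explicit wraparound check, and a
 * sanity cap on input length, as the report recommends. Returns 0 and stores
 * the byte count in *out, or -1 when the request must be rejected. */
int checked_alloc_size(size_t count, size_t *out)
{
    if (count > SIZE_MAX / ATTR_RECORD_SIZE)
        return -1;                                 /* product would wrap */
    size_t size = count * ATTR_RECORD_SIZE;
    if (size > MAX_ATTR_BUF)
        return -1;                                 /* implausible input */
    *out = size;
    return 0;
}

int main(void)
{
    /* Constructed sample line; a hostile file may carry millions of tokens. */
    const char *line = "*.c text diff=c";
    size_t out = 0;

    printf("attrs in \"%s\": %zu\n", line, count_attrs(line));
    if (checked_alloc_size(count_attrs(line), &out) == 0)
        printf("checked size: %zu bytes\n", out);

    /* A hostile count: the true requirement is 4 GiB + 16 bytes. */
    size_t hostile = ((size_t)1 << 28) + 1;
    printf("unsafe int size: %d bytes\n", unsafe_alloc_size(hostile));
    printf("checked result: %d (rejected)\n", checked_alloc_size(hostile, &out));
    return 0;
}
```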

CVE-2022-41903: OOB Write in Log Formatting

This flaw is found in Git’s commit-formatting mechanism, which displays arbitrary information about commits. When Git processes a padding operator, an integer overflow can occur, and the resulting OOB reads and writes can lead to remote code execution if exploited.

A detailed, technical dive into these vulnerabilities is in the full audit report.



Google sponsored ads lead to rogue imitation sites

There’s a big push in rogue advert land at the moment, with multiple forms of bogus websites being used as bait to rob people of their logins and funds.

This story first came to light a few days ago, with news of a well known cryptocurrency fan “NFT God” being caught out by a bogus video recording tool.

NFT God lost pretty much all of his digitally accrued wealth after the malicious executable grabbed his logins and switched out his digital wallet details. He arrived at this fake video editing tool thanks to a rogue sponsored ad sitting at the top of his Google search results.

Once the file was installed, it set about sending all pertinent login details back to base and the damage was done. The fallout continued as various logins were compromised and phishing attempts were sent to his 16,000 or so Substack followers.

Rogue ads: following a trend

Following up on this prominent tale of hijacking in cryptocurrency circles, Bleeping Computer did some investigation of its own and found a lot more bad ads vying for attention in Google. It’s not just imitation OBS files you have to watch out for. USB booting tools, PC maintenance tools, multiple unnamed programs, and a malicious Notepad++ found by security researcher Will Dormann are just a few of the highlights on display. In fact, several other researchers found their own bad ad equivalents too with one able to put together a list of no fewer than 70 rogue advert domains.

The sites being used for these scams are typically typosquats. This is where URLs which are similar, but not identical, to the real thing are used as the launchpad for the malicious downloads. These sites tend to rip pieces off the real site, if not the entire domain, to look as convincing as possible. A related tactic is to make most of the clickable URLs on the fake portal point to the real thing, with the sole exception being the bogus download. Whatever it takes to appear as convincing as possible.

When the fake sites are out, but not down

Google told Bleeping Computer that the sites in question have since been removed from its ad program. This doesn’t necessarily mean that the sites have been taken offline, and they may well still be out there waiting to strike somewhere else. They could easily be sitting in regular results in another search engine, or be placed into a non-Google related search engine ad program.

This also doesn’t mean all rogue sites have been removed from the search results listings, and caution should always be exercised where ads are concerned.

How do you avoid bad ads?

It wasn’t so long ago that the FBI warned of rogue adverts popping up in search engine results. That warning also included a reference to blocking ads, which some folks may not have expected to see in an FBI release.

The advice for steering clear of rogue adverts likely includes some best practices you’re already aware of and make use of. In an ideal world we wouldn’t have to worry about such things, but despite whatever quality control and ad inventory checking is in place at major search engines this keeps happening anyway. With this in mind:

  • You probably have the URL you need. It’s somewhat unusual for many people to have zero idea of the genuine URL for a major brand, service, product, and so on. Your first interaction with said entity will almost certainly have their genuine URL printed on a banner, box, instruction manual, or anything else you care to mention. Navigate directly to the site in this instance, because you don’t need to go digging around in search engines.
  • Careful searching. If you do need to go looking, cross reference the URLs you see in search engines with a search of your own. If it’s legitimate, you should see a large number of people and businesses referencing it.
  • Report bad ads. If a sponsored ad is up to no good, there should be a way to report from the search engine in which you found it. You’re doing your part to help the next person who comes along stay safe!
  • The thorny blocking issue. If you choose to block ads, be aware that the way you block may break functionality of the site you’re on. Some sites will insist you turn off your ad blocker. Others may simply not work anymore if you use script blocking or turn off JavaScript. It’s not so much a case of “job done”, as it is “job just getting started”.


Update now! Proof of concept code to be released for Zoho ManageEngine vulnerability

Users of multiple Zoho ManageEngine products are under urgent advice to install the patch issued October 27, 2022. The advice is urgent because on January 13, 2023 the Horizon3 Attack Team tweeted that Proof of Concept (PoC) code and a deep-dive blog will be released within a week.


Mitigation

A long list of vulnerable ManageEngine products and their fixed version can be found in the ManageEngine advisory. Clicking on the URLs under Fixed Version(s) behind the affected product takes you to the update instructions for that product.

The vulnerability

The vulnerability, listed under CVE-2022-47966, is described as an unauthenticated remote code execution vulnerability. The vulnerability is caused by the use of an outdated third-party dependency, Apache Santuario. Apache Santuario is used for XML syntax and processing. The vulnerability allows a successful attacker remote code execution with SYSTEM level access, meaning the entire system could be compromised.

Zoho used Security Assertion Markup Language (SAML) to simplify the authentication process. SAML is an open standard used for authentication and based upon the Extensible Markup Language (XML) format.

According to Horizon3:

The vulnerability is easy to exploit and a good candidate for attackers to “spray and pray” across the internet.

Exploit

An attacker would need to send a specially crafted SAML request to trigger the exploit.

Please note that depending on the specific ManageEngine product, this vulnerability is exploitable if SAML single-sign-on is enabled or has ever been enabled. So, even if you do not currently have SAML enabled, you are under advice to install the patch with priority.

A Shodan scan performed by the researchers showed 5255 exposed instances of ServiceDesk Plus of which 509 have SAML enabled, and 3105 exposed instances of Endpoint Central, of which 345 have SAML enabled. At the moment we have no knowledge of active attacks against this vulnerability, but that might change rapidly once the PoC code is available.

In September 2022, an RCE vulnerability affecting Zoho ManageEngine PAM360 (versions 5500 and earlier), Password Manager Pro (versions 12100 and earlier), and Access Manager Plus (versions 4302 and earlier) was found to be actively exploited after several PoCs and a Metasploit module for it were made public.

IOCs

IOCs for ServiceDesk Plus, Endpoint Central, and Other ManageEngine Products can be found in the blogpost by Horizon3 about this vulnerability.



CircleCI: Malware stole GitHub OAuth keys, bypassing 2FA

Software development service company CircleCI has published its incident report on a breach that happened in December.

CircleCI revealed an engineer’s laptop was successfully infected with a yet-to-be-named information-stealing Trojan, which was used to steal an engineer’s session cookie. The company didn’t provide information on how the malware got onto the laptop.

From the report:

“This machine was compromised on December 16, 2022. The malware was not detected by our antivirus software. Our investigation indicates that the malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems.”

In this case, the session cookie was an authentication token, described in the report as a “2FA-backed SSO session” cookie. This is a kind of authentication cookie that is stored by a web browser after you successfully log in to a website. When the browser interacts with restricted content, it uses the cookie to prove that you have logged in, so you don’t need to reenter your password over and over again.

Stealing a user’s authentication cookie gives an attacker exactly the same access as they’d get if they stole the user’s password and logged in. In this case, the account wasn’t just protected by a password, it was also protected by some form of two-factor authentication (2FA). By stealing an authentication cookie, the attacker was able to perform an end run around the 2FA (and any other forms of authentication) protecting the account.

Thankfully, stealing authentication cookies isn’t easy, and in this case the attacker was only able to do it by installing malware on an engineer’s laptop, from where they could probably have stolen the victim’s passwords and 2FA tokens eventually anyway.

A customer alerted the company to “suspicious GitHub OAuth activity” on December 29, 2022, leading to the conclusion that this customer’s OAuth token had been compromised. As a result, CircleCI says it proactively began rotating all customer-associated tokens on their behalf. These include Project API, Personal API, and GitHub OAuth tokens.

CircleCI made an official announcement of its security breach on January 4 of this year, urging all its clients to rotate “any and all” their secrets—passwords or private keys—stored in CircleCI and review logs for unauthorized access occurring between December 21, 2022, and January 4, 2023.

Because the victim employee is an engineer who routinely generates access tokens, the attacker “access[ed] and exfiltrate[d] data from a subset of databases and stores, including customer environment variables, tokens, and keys.” The company also has reason to believe that reconnaissance activity took place first on December 19, before exfiltration activity was spotted on December 22, just days later.

“Though all the data exfiltrated was encrypted at rest, the third party extracted encryption keys from a running process, enabling them to potentially access the encrypted data,” the report further says.

Since then, CircleCI says it has been improving its infrastructure by adding behavior detection to its antivirus and mobile device management (MDM) system. It’s also restricted access to its production environments and increased the security of its 2FA implementation.

This recent cybersecurity incident with CircleCI isn’t a first. In 2019, the company was breached following a supply chain attack against its analytics vendor. Its account with the vendor was compromised, giving attackers access to some user data, which included usernames and email addresses associated with GitHub and Bitbucket.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Fighting technology’s gender gap with TracketPacer: Lock and Code S04E02

Last month, the TikTok user TracketPacer posted a video online called “Network Engineering Facts to Impress No One at Zero Parties.”  TracketPacer regularly posts fun, educational content about how the Internet operates. The account is run by a network engineer named Lexie Cooper, who has worked in a network operations center, or NOC, and who’s earned her Cisco Certified Network Associate certificate, or CCNA. 

In the video, Cooper told listeners about the first spam email being sent over Arpanet, about how an IP address doesn’t reveal that much about you, and about how Ethernet isn’t really a cable—it’s a protocol. But amidst Cooper’s bite-sized factoids, a pair of comments she made about something else—the gender gap in the technology industry—set off a torrent of anger. 

As Cooper said in her video:   

“There are very few women in tech because there’s a pervasive cultural idea that men are more logical than women and therefore better at technical, ‘computery’ things.”

This, the Internet decided, would not stand. 

The IT industry is “not dominated by men, well actually, the women it self just few of them WANT to be engineer. So it’s not man fault,” said one commenter. 

“No one thinks it’s because women can’t be logical. They’re finally figuring out those liberal arts degrees are worthless,” said another. 

“The women not in computers fact is BS cuz the field was considered nerdy and uncool until shows like Big Bang Theory made it cool!” said yet another. 

The unfortunate reality facing many women in tech today is that, when they publicly address the gender gap in their field, they receive dozens of comments online that not only deny the reasons for the gender gap, but also, together, likely contribute to the gender gap. Nobody wants to work in a field where they aren’t taken seriously, but that’s what is happening. 

Today, on the Lock and Code podcast with host David Ruiz, we speak with Cooper about the gender gap in technology, what she did with the negative comments she received, and what, if anything, could help make technology a more welcoming space for women. One easy lesson, she said:

“Guys… just don’t hit on people at work. Just don’t.” 

Tune in today.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)