CircleCI: Malware stole GitHub OAuth keys, bypassing 2FA

Continuous integration and delivery (CI/CD) provider CircleCI has published its incident report on a breach that took place in December 2022.

CircleCI revealed that an engineer’s laptop was infected with an as-yet-unnamed information-stealing Trojan, which was used to steal the engineer’s browser session cookie. The company did not say how the malware got onto the laptop.

From the report:

“This machine was compromised on December 16, 2022. The malware was not detected by our antivirus software. Our investigation indicates that the malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems.”

In this case, the session cookie was an authentication token, described in the report as a “2FA-backed SSO session” cookie. This is the kind of cookie a web browser stores after you successfully log in to a website. On every subsequent request for restricted content, the browser presents the cookie as proof that the login already happened, so you don’t have to re-enter your password (or your second factor) over and over again.

Stealing a user’s authentication cookie gives an attacker exactly the same access as the logged-in user has. In this case, the account wasn’t just protected by a password; it was also protected by some form of two-factor authentication (2FA). But the cookie is only issued after both factors have been checked, and nothing checks them again while the cookie is valid. By stealing it, the attacker performed an end run around the 2FA (and any other authentication step) protecting the account.

Thankfully, stealing authentication cookies normally requires a foothold on the victim’s device or browser, and in this case the attacker only got one by installing malware on an engineer’s laptop, from where they could probably have stolen the victim’s passwords and intercepted 2FA codes eventually anyway.
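To make the point concrete, here is an added illustration (not CircleCI’s code) of why a stolen session cookie is as good as the login that produced it, and of two server-side controls that limit the damage: binding the session to the client it was issued to, and requiring a fresh second-factor check before privileged actions such as minting production tokens. The session store, the clients, and the timestamps are all constructed for the example.

```python
import secrets
from dataclasses import dataclass

# Added illustration, not CircleCI's code. A minimal server-side session store
# showing (a) why a stolen cookie is as good as the login it came from and
# (b) two mitigations: binding the session to the client it was issued to, and
# requiring a fresh second-factor check (step-up) for privileged actions.
# All names, timestamps and clients here are constructed.


@dataclass
class Session:
    user: str
    ip: str           # client address at login
    user_agent: str   # client User-Agent at login
    created: float    # login time (epoch seconds)
    last_mfa: float   # last successful second-factor check (epoch seconds)


class SessionStore:
    ABSOLUTE_TTL = 8 * 3600    # session expires 8 h after login regardless of activity
    STEP_UP_WINDOW = 15 * 60   # privileged actions need a 2FA check in the last 15 min

    def __init__(self):
        self._sessions = {}

    def login(self, user, ip, user_agent, now):
        # In the real flow this runs only after password AND 2FA have succeeded;
        # from here on the cookie value alone is the proof of that.
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = Session(user, ip, user_agent, now, now)
        return cookie

    def weak_lookup(self, cookie, now):
        """Typical lookup: any live cookie authenticates whoever presents it."""
        s = self._sessions.get(cookie)
        if s is None or now - s.created > self.ABSOLUTE_TTL:
            return None
        return s.user

    def hardened_lookup(self, cookie, ip, user_agent, now, privileged=False):
        """Lookup that notices a replayed cookie and limits what it can do."""
        s = self._sessions.get(cookie)
        if s is None or now - s.created > self.ABSOLUTE_TTL:
            return None
        # Client binding: a cookie replayed from the attacker's machine arrives
        # with a different address and/or browser. IP binding is a heuristic
        # (VPN and mobile users change addresses), so a production deployment
        # would re-prompt for 2FA rather than hard-fail; here we simply revoke.
        if (s.ip, s.user_agent) != (ip, user_agent):
            del self._sessions[cookie]
            return None
        # Step-up: a session that is hours old cannot mint tokens or touch
        # production without a fresh second-factor check.
        if privileged and now - s.last_mfa > self.STEP_UP_WINDOW:
            return None
        return s.user

    def record_mfa(self, cookie, now):
        """Called after a successful step-up 2FA prompt."""
        self._sessions[cookie].last_mfa = now


def demo():
    """Replay a stolen cookie against both lookups; returns what each decided."""
    store = SessionStore()
    t0 = 1_671_148_800  # constructed: 2022-12-16T00:00:00Z
    owner = ("10.0.0.5", "Firefox/108")
    attacker = ("203.0.113.7", "Chrome/108")

    cookie = store.login("engineer", *owner, t0)
    result = {}
    result["owner_ok"] = store.hardened_lookup(cookie, *owner, t0 + 10)
    # One hour later the info-stealer has exfiltrated the cookie and the
    # attacker replays it from their own host.
    result["weak_replay"] = store.weak_lookup(cookie, t0 + 3600)
    result["hardened_replay"] = store.hardened_lookup(cookie, *attacker, t0 + 3600)
    result["after_revoke"] = store.weak_lookup(cookie, t0 + 3601)

    # Fresh session: even the legitimate client must step up for privileged calls.
    cookie2 = store.login("engineer", *owner, t0)
    result["privileged_stale"] = store.hardened_lookup(cookie2, *owner, t0 + 20 * 60, privileged=True)
    store.record_mfa(cookie2, t0 + 20 * 60)
    result["privileged_fresh"] = store.hardened_lookup(cookie2, *owner, t0 + 21 * 60, privileged=True)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} -> {v}")
```

Running `demo()` shows the two lookups diverging: `weak_lookup` returns `"engineer"` for the replayed cookie an hour after login, exactly the impersonation described in the report, while `hardened_lookup` rejects the replay, revokes the cookie, and also refuses privileged use of an otherwise legitimate session until the second factor has been re-checked.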

A customer alerted the company to “suspicious GitHub OAuth activity” on December 29, 2022, leading to the conclusion that this customer’s OAuth token had been compromised. As a result, CircleCI says it proactively began rotating all customer-associated tokens on their behalf. These include Project API, Personal API, and GitHub OAuth tokens.

CircleCI made an official announcement of the breach on January 4, 2023, urging all its customers to rotate “any and all” secrets (passwords or private keys) stored in CircleCI and to review their logs for unauthorized access between December 21, 2022, and January 4, 2023.
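Reviewing logs for this kind of incident means looking for a session that changes hands: a 2FA-backed SSO session should live on one client, so the first request from a new address and browser marks the point at which the cookie is in someone else’s hands, and anything that session created or used afterwards is suspect. The following is an added example, not CircleCI’s tooling or log format, run over a constructed JSON-lines audit log that mirrors the timeline in the report (normal use on December 16, reconnaissance from a new client on December 19, token creation and export on December 22). The field names, session IDs and token names are assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Added illustration, not CircleCI's code or log format. Constructed JSON-lines
# audit log: one engineer's SSO session is first used from the office client,
# then, from Dec 19, from a different address and browser (reconnaissance), and
# on Dec 22 that same session mints a production token and exports data.
SAMPLE_LOG = """\
{"ts":"2022-12-16T09:02:11Z","event":"login","user":"eng1","session":"s-7f3a","ip":"10.20.0.14","ua":"Firefox/108","mfa":true}
{"ts":"2022-12-16T09:30:45Z","event":"api.read","user":"eng1","session":"s-7f3a","ip":"10.20.0.14","ua":"Firefox/108"}
{"ts":"2022-12-19T02:14:02Z","event":"api.read","user":"eng1","session":"s-7f3a","ip":"198.51.100.23","ua":"Chrome/108"}
{"ts":"2022-12-19T02:15:40Z","event":"api.list_projects","user":"eng1","session":"s-7f3a","ip":"198.51.100.23","ua":"Chrome/108"}
{"ts":"2022-12-22T03:01:09Z","event":"token.create","user":"eng1","session":"s-7f3a","ip":"198.51.100.23","ua":"Chrome/108","token":"prod-access-01"}
{"ts":"2022-12-22T03:05:31Z","event":"db.export","user":"eng1","session":"s-7f3a","ip":"198.51.100.23","ua":"Chrome/108","token":"prod-access-01"}
{"ts":"2022-12-20T11:00:00Z","event":"login","user":"eng2","session":"s-91c0","ip":"10.20.0.31","ua":"Firefox/108","mfa":true}
{"ts":"2022-12-20T11:05:00Z","event":"token.create","user":"eng2","session":"s-91c0","ip":"10.20.0.31","ua":"Firefox/108","token":"ci-deploy-07"}
"""

# The window CircleCI asked customers to review.
WINDOW_START = datetime(2022, 12, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 1, 4, 23, 59, 59, tzinfo=timezone.utc)


def parse(log_text):
    """Parse JSON lines into event dicts with a timezone-aware timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def find_hijacked_sessions(events):
    """Sessions used from more than one (ip, user-agent) pair. The first event
    on a new client is the earliest point the cookie is known to be in someone
    else's hands. Returns {session_id: details}."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    findings = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        origin = (evs[0]["ip"], evs[0]["ua"])
        for e in evs[1:]:
            client = (e["ip"], e["ua"])
            if client != origin:
                findings[sid] = {"user": e["user"], "moved_at": e["ts"],
                                 "from": origin, "to": client}
                break
    return findings


def tokens_to_rotate(events, hijacked):
    """Tokens touched after their session was hijacked, plus any token touched
    inside the disclosed window regardless of session (the conservative rule
    that mirrors CircleCI's advice to rotate everything from that period)."""
    out = set()
    for e in events:
        tok = e.get("token")
        if not tok:
            continue
        h = hijacked.get(e["session"])
        if (h and e["ts"] >= h["moved_at"]) or WINDOW_START <= e["ts"] <= WINDOW_END:
            out.add(tok)
    return sorted(out)


def analyze(log_text=SAMPLE_LOG):
    events = parse(log_text)
    hijacked = find_hijacked_sessions(events)
    return {"hijacked": hijacked, "rotate": tokens_to_rotate(events, hijacked)}


if __name__ == "__main__":
    report = analyze()
    for sid, h in report["hijacked"].items():
        print(f"session {sid} ({h['user']}) moved {h['from']} -> {h['to']} at {h['moved_at']}")
    print("rotate:", report["rotate"])
```

On the constructed log, `analyze()` flags session `s-7f3a` as having moved from the office client to `198.51.100.23` at 02:14 UTC on December 19, and lists `prod-access-01` for rotation; the second engineer’s token, created from a stable client before the window, is left alone. Note that the client-change heuristic produces false positives for users behind changing VPN or mobile addresses, so in practice it is a triage signal to be confirmed against the user, not a verdict on its own.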

Because the victim was an engineer whose regular duties included generating production access tokens, the attacker was able to “access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys.” The company also has reason to believe that reconnaissance activity took place on December 19, three days before data exfiltration on December 22.

“Though all the data exfiltrated was encrypted at rest, the third party extracted encryption keys from a running process, enabling them to potentially access the encrypted data,” the report further says.

Since then, CircleCI says it has been improving its infrastructure by adding behavior detection to its antivirus and mobile device management (MDM) system. It’s also restricted access to its production environments and increased the security of its 2FA implementation.

This recent cybersecurity incident isn’t CircleCI’s first. In 2019, the company was breached following a supply chain attack against its analytics vendor. Its account with the vendor was compromised, giving attackers access to some user data, which included usernames and email addresses associated with GitHub and Bitbucket.
