Hackers Breach CircleCi's Systems via Engineer's Infected 2FA-Backed SSO

By Gagandeep Singh 17-Jan-2023

[{"selector":"#anim-b7cdf376-772d-4ad4-a877-fd8940acd5ca","keyframes":{"opacity":[0,1]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-63666ac8-6685-4e90-964a-024338997742","keyframes":{"transform":["translate3d(0px, 147.29109%, 0)","translate3d(0px, 0px, 0)"]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-8bb4ff65-5adf-4c8f-9b30-6820ba707872","keyframes":{"opacity":[0,1]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-d45908e7-3731-4ab1-a66c-9c83db662905","keyframes":{"transform":["translate3d(0px, 160.02072%, 0)","translate3d(0px, 0px, 0)"]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-a00ae854-a8a7-4a28-9a95-c6c27c23ad44 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(-43.72209811828866%, 0, 0) translate(-25%, 0%) scale(1.5)","translate3d(0%, 0, 0) translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"fill":"forwards"}] CircleCi, a popular Continuous Integration & Continuous Development platform used for DevOps practices revealed that it suffered a security exploit.

[{"selector":"#anim-7231a148-1a92-46ae-930c-3031dcffc45d","keyframes":{"opacity":[0,1]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-9e9a28b5-3908-458f-a231-b47230b0f37c","keyframes":{"transform":["translate3d(0px, 135.10567%, 0)","translate3d(0px, 0px, 0)"]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-235b3503-665e-46cc-8d55-0ee7eea0eab4","keyframes":{"opacity":[0,1]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-9d603a0c-a27d-4ee1-af80-b8c54f7e7975","keyframes":{"transform":["translate3d(0px, 141.86900%, 0)","translate3d(0px, 0px, 0)"]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-d9304466-0185-447d-a3f4-10bdee39b1d1 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(12.514648210040342%, 0, 0)","translate3d(0%, 0, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"both"}] In December, An engineer at CircleCi was infected with information-stealing malware, hackers used to breach their 2FA-backed SSO session cookie which allowed the attackers access to CircleCi’s internal systems.

[{"selector":"#anim-4aa8b675-d25e-4114-a92f-72a3c8911078","keyframes":{"opacity":[0,1]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-e50c47c1-a8cb-4881-9f6f-1ef881d40490","keyframes":{"transform":["translate3d(0px, 139.46361%, 0)","translate3d(0px, 0px, 0)"]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-4437ca4d-4032-4a31-86b1-c8b5d1b86042","keyframes":{"opacity":[0,1]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-9c022020-6ab2-405c-8955-5fc405084a8a","keyframes":{"transform":["translate3d(0px, 150.55982%, 0)","translate3d(0px, 0px, 0)"]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-8f32769e-06ac-40e8-b409-7c1e219dbc0e [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(-12.514648210040342%, 0, 0)","translate3d(0%, 0, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"both"}] A report published by CircleCi mentions that they got to know about the security exploit after a customer reported that their GitHub OAuth code had been compromised.

[{"selector":"#anim-94a91126-ddf7-4739-806d-a4ff5c8dced3","keyframes":{"opacity":[0,1]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-25d6333c-fa6d-4f52-a43e-26c010391033","keyframes":{"transform":["translate3d(0px, 139.46361%, 0)","translate3d(0px, 0px, 0)"]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-bae069ca-6163-4cfc-bd46-e1d5e34c0b28","keyframes":{"opacity":[0,1]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-377786e4-ad3c-4734-a07c-b003899cad20","keyframes":{"transform":["translate3d(0px, 150.55982%, 0)","translate3d(0px, 0px, 0)"]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-cbf84740-b43e-4aa0-bf55-c091c670b4e2 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(0%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}] As soon as the company learned about the security breach, they sent an email to customers notifying them to spin all their tokens & secrets if they logged in after 21 December.

[{"selector":"#anim-9398bd27-821b-40ea-a333-c77258fe48d3","keyframes":{"opacity":[0,1]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-3e6c912c-9d14-4512-a37d-240de181ca2b","keyframes":{"transform":["translate3d(0px, 139.46361%, 0)","translate3d(0px, 0px, 0)"]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-76ab0195-b2f0-494f-968b-51fc099b3279","keyframes":{"opacity":[0,1]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-1071fc98-a61f-4786-aac3-7b29d86d5c63","keyframes":{"transform":["translate3d(0px, 150.55982%, 0)","translate3d(0px, 0px, 0)"]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-02d7fb2c-78e6-4594-89b4-ba11baf65474 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(12.514648210040342%, 0, 0)","translate3d(0%, 0, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"both"}] The malware stole the corporate session cookie, which had been already authenticated via the 2FA, which allowed the attackers to login in as users without having to authenticate it.

[{"selector":"#anim-11593bb5-8409-4c96-b648-ee3631847910","keyframes":{"opacity":[0,1]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-6d5e2b23-9420-4872-b8e0-4f13c28d4885","keyframes":{"transform":["translate3d(0px, 139.46361%, 0)","translate3d(0px, 0px, 0)"]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-0227314f-5847-44d1-b04a-692a78ad1086","keyframes":{"opacity":[0,1]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-80fec2aa-2e1f-4349-8149-4f2b6389eb61","keyframes":{"transform":["translate3d(0px, 150.55982%, 0)","translate3d(0px, 0px, 0)"]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-f53dcd9d-f507-494b-bea3-9da3749ef805 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(-29.213867061370546%, 0, 0) translate(-25%, 0%) scale(1.5)","translate3d(0%, 0, 0) translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"fill":"forwards"}] Malware executed session cookie theft, thereby enabling the hackers to impersonate the employee they were targeting in a remote location and then amplified access to the sub-net of the production systems.

[{"selector":"#anim-22cf4e2b-024f-4577-b347-25474b29bf29","keyframes":{"opacity":[0,1]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-f8db1a84-b719-4f75-91ff-df6f1fdf8b23","keyframes":{"transform":["translate3d(0px, 134.26481%, 0)","translate3d(0px, 0px, 0)"]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-e3379712-c396-4de0-8e57-a27377d452f3","keyframes":{"opacity":[0,1]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-aa15bc05-7e7a-4fec-b245-973663681ab2","keyframes":{"transform":["translate3d(0px, 143.19353%, 0)","translate3d(0px, 0px, 0)"]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-59ab6f3c-e8b5-40e1-92d3-015e4416e2d9 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(-40.67034028765589%, 0, 0)","translate3d(0%, 0, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"both"}] Although the company had encrypted the data, attackers stole the encrypted keys by throwing them into the running process, possibly allowing the attackers to de-encrypted the encrypted stolen data.

[{"selector":"#anim-f8d44619-0691-4aae-bc7c-9529552f9f20","keyframes":{"opacity":[0,1]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-dfd8c4ea-d332-4f16-a4ec-71074de527db","keyframes":{"transform":["translate3d(0px, 146.52214%, 0)","translate3d(0px, 0px, 0)"]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-fddb6bc2-a6b8-42c3-9b5d-7d097073e427","keyframes":{"opacity":[0,1]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-12e9405d-d985-45d2-b919-daed49304e30","keyframes":{"transform":["translate3d(0px, 158.15159%, 0)","translate3d(0px, 0px, 0)"]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-c8239fd5-e44d-4506-8845-4e07b022806c [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(0%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}] The company mentions that they have already spun all the tokens belonging to their customers, which include GitHub OAuth, Personal API tokens, and Project API tokens.

Hackers Breach CircleCi's Systems via Engineer's Infected 2FA-Backed SSO

Read the full story here.