Two-factor authentication (2FA) exists to add a strong layer of protection to logins, but what happens when an attacker gets around that process rather than breaking it?
CircleCI is a platform used by software developers to build, test and deploy code. To do that job it holds a great deal of confidential and valuable data on its customers' behalf, including the API tokens, deployment keys and other secrets that build pipelines use, which makes it a highly attractive target for threat actors. For those using CircleCI, strong security practices are in place to provide a secure environment, and one of the most important is 2FA. Nonetheless, threat actors are persistent and innovative, and the presence of 2FA merely represents a challenge to be worked around. That is exactly the obstacle hackers managed to overcome in December 2022 when they breached CircleCI.
As 2FA is such a critical element of excellent cybersecurity practices, it’s important that we understand what went wrong at CircleCI.
How 2FA Failed at CircleCI
The first sign of compromise came at the end of December 2022, when a customer alerted CircleCI to suspicious activity involving their GitHub OAuth token, the credential that lets CircleCI act on a customer's behalf against their source repositories. CircleCI was not immediately able to determine how the token had been exposed, but it rotated all GitHub OAuth tokens on its customers' behalf and, in early January 2023, advised customers to rotate every secret stored in the platform.
Further investigation revealed the route in. An engineer's laptop had been infected with information-stealing malware that the endpoint antivirus did not detect. Among the data it harvested was the cookie for a single sign-on session that had already passed the 2FA check. Because the server treats possession of that cookie as proof that the password and second factor were already verified, the attacker could replay it from their own machine, impersonate the engineer without ever being asked for a code, and escalate to production systems. From there they took encryption keys (lifted from a running process), customer OAuth tokens and customer data.
Can You Combat a Compromised Cookie?
2FA has long been championed as one of the cornerstones of IT security, but the CircleCI attack puts a spotlight on its limit: 2FA protects the moment of login, not the session token that the login produces. Once that token is stolen, the second factor has already been spent and the thief inherits the authenticated session. The success of the attack also highlights how popular this technique (session hijacking via info-stealing malware) has become; it has recently been used against several major IT organizations. Accordingly, to protect your IT infrastructure, it's crucial that your organization practices the following:
- Be careful with emails: most malware is delivered by email, so treat every email with care. If anything looks suspicious, ask an IT professional to look at it before you act on it. Always verify where an embedded link actually leads before clicking it; hovering the mouse cursor over the link displays the true destination.
- Monitor sessions, not just logins: abandoning 2FA is far from recommended, but the session cookie it produces needs the same attention as the password. Bind each session to the client context (network, device, browser) it was issued to, watch for a cookie being presented from a new location or device, and when that happens do not let the request through: invalidate the session and require a fresh 2FA validation. Keep sessions short-lived, with both an absolute and an idle limit, so that a stolen cookie expires quickly.
- Strengthen with an authenticator app: an app such as Google Authenticator generates a time-based one-time code on your phone that must be entered into the login prompt of the application you are accessing, and it is a stronger second factor than a code sent by SMS. Be clear about what it covers, though: the CircleCI engineer's session had already passed 2FA, so an extra code would not have stopped the stolen cookie being replayed. Pair it with short session lifetimes, step-up re-authentication for sensitive actions, and endpoint protection that can catch the info-stealing malware before it reaches the cookie jar.
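The following is an added example written for this article; it is not CircleCI's code or any product's. It illustrates the "monitor sessions" and step-up points above by contrasting the weak server-side check (possession of the cookie is the whole proof, which is why a stolen cookie works) with a hardened check that binds the session to the client context recorded when 2FA succeeded, enforces absolute and idle lifetimes, parks the session for a fresh 2FA challenge when the cookie shows up from a new network or browser, and rotates the session ID once that challenge passes. The policy thresholds, session IDs, IP addresses, user agents and the request log are all constructed for the example.

```python
"""Replay of a 2FA-backed session cookie: weak check vs. client-bound check.

Added example for this article, not CircleCI's code. The cookie-only check
accepts whoever holds the cookie; the bound check ties the session to the
client context recorded when 2FA succeeded, enforces lifetimes, and demands
a fresh 2FA challenge (step-up) on a mismatch. Thresholds, session IDs,
addresses and the request log below are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import ipaddress

MAX_SESSION_AGE = timedelta(hours=8)    # absolute lifetime (assumed policy)
IDLE_TIMEOUT = timedelta(minutes=30)    # idle lifetime (assumed policy)


@dataclass
class Session:
    user: str
    issued_at: datetime
    last_seen: datetime
    fingerprint: str      # client context hashed at the moment 2FA succeeded
    mfa_ok: bool = True   # cleared once a replay is suspected


def client_fingerprint(ip, user_agent):
    """Hash the client's /24 (or /64 for IPv6) and user agent into a binding value."""
    # The prefix, not the exact address, tolerates DHCP churn on the engineer's
    # own network while still flagging an unrelated network or browser.
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 64
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return hashlib.sha256(f"{net}|{user_agent}".encode()).hexdigest()


def issue_session(store, session_id, user, ip, user_agent, now):
    """Create a session once both the password and the second factor passed."""
    store[session_id] = Session(user, now, now, client_fingerprint(ip, user_agent))


def validate_cookie_only(store, session_id):
    """Weak check: possession of the cookie is the whole proof. A thief passes."""
    return "allow" if session_id in store else "deny"


def validate_bound(store, session_id, ip, user_agent, now):
    """Hardened check: lifetimes plus client binding, with step-up on mismatch."""
    s = store.get(session_id)
    if s is None:
        return "deny"
    if now - s.issued_at > MAX_SESSION_AGE or now - s.last_seen > IDLE_TIMEOUT:
        del store[session_id]          # an expired cookie is worthless to a thief
        return "deny"
    if client_fingerprint(ip, user_agent) != s.fingerprint:
        s.mfa_ok = False               # replay suspected: park the session
    if not s.mfa_ok:
        return "step_up"               # caller must run a fresh 2FA challenge
    s.last_seen = now
    return "allow"


def complete_step_up(store, old_id, new_id, ip, user_agent, now):
    """After the fresh 2FA challenge succeeds, rotate the session ID.

    Rotation is what evicts the thief: the stolen cookie now maps to nothing.
    """
    s = store.pop(old_id)
    issue_session(store, new_id, s.user, ip, user_agent, now)


# Constructed request log: (timestamp, cookie, source IP, user agent).
T0 = datetime(2022, 12, 16, 9, 0)
ENGINEER_UA = "Mozilla/5.0 (Macintosh) Chrome/108"
ATTACKER_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/108"
REQUESTS = [
    (T0 + timedelta(minutes=5),  "sess-a1b2", "203.0.113.10",  ENGINEER_UA),
    (T0 + timedelta(minutes=20), "sess-a1b2", "203.0.113.12",  ENGINEER_UA),  # same /24
    (T0 + timedelta(minutes=25), "sess-a1b2", "198.51.100.77", ATTACKER_UA),  # stolen cookie
    (T0 + timedelta(minutes=26), "sess-a1b2", "203.0.113.10",  ENGINEER_UA),  # engineer again
    (T0 + timedelta(minutes=70), "sess-a1b2", "203.0.113.10",  ENGINEER_UA),  # past idle limit
]


def replay(check_bound):
    """Run the log through one of the two checks and return the decisions."""
    store = {}
    issue_session(store, "sess-a1b2", "engineer", "203.0.113.10", ENGINEER_UA, T0)
    if check_bound:
        return [validate_bound(store, sid, ip, ua, ts) for ts, sid, ip, ua in REQUESTS]
    return [validate_cookie_only(store, sid) for _, sid, _, _ in REQUESTS]


def rotation_evicts_thief():
    """Engineer passes step-up and gets a new cookie; the stolen one is dead."""
    store = {}
    issue_session(store, "sess-a1b2", "engineer", "203.0.113.10", ENGINEER_UA, T0)
    t = T0 + timedelta(minutes=25)
    validate_bound(store, "sess-a1b2", "198.51.100.77", ATTACKER_UA, t)   # -> step_up
    complete_step_up(store, "sess-a1b2", "sess-c3d4", "203.0.113.10", ENGINEER_UA, t)
    thief = validate_bound(store, "sess-a1b2", "198.51.100.77", ATTACKER_UA, t)
    owner = validate_bound(store, "sess-c3d4", "203.0.113.10", ENGINEER_UA, t)
    return thief, owner
```

Running the constructed log through `replay(check_bound=False)` returns "allow" for all five requests, including the attacker's: the cookie-only server cannot tell the thief from the engineer. `replay(check_bound=True)` returns allow, allow, step_up, step_up, deny: the replay from the unrelated network trips the binding check, the engineer's own next request is also held for a fresh 2FA challenge (which is the intended outcome once a replay is suspected), and the request after the idle limit is refused outright. `rotation_evicts_thief()` shows why the step-up must rotate the session ID rather than simply clear a flag: after the engineer passes the challenge, the old cookie returns "deny" and only the new one is accepted. Binding on network prefix and user agent is a coarse signal that a careful attacker can imitate, so treat it as one detection among several, not as a replacement for short lifetimes and endpoint protection.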
For more ways to secure and optimize your business technology, contact your local IT professionals.