Analysis: CircleCI attackers stole session cookie to bypass MFA

Feb 08, 2023

By John E. Dunn

The industry is taking a fresh look at the security around multi-factor authentication (MFA) in the face of recent bypass attacks.

Multi-factor authentication (MFA) is coming under sustained pressure from attackers, with a striking example being a breach that unfolded at DevOps platform CircleCI back in December.

According to a recent incident update, the attack was traced back to a single malware infection on an engineer’s laptop on December 16, which wasn’t detected by AV. This, it transpired, was a good target for compromise – the engineer had the privileges to generate production access tokens.

Attackers first hijacked a corporate SSO session which had passed 2FA, allowing them less than a week later to elevate their access sufficiently to steal data from a subset of databases and stores, including “customer environment variables, tokens, and keys.” 

In short, grabbing the authenticated session cookie allowed the attackers to bypass the 2FA layer, impersonating the engineer to exfiltrate customer data. 

“Though all the data exfiltrated was encrypted at rest, the third party extracted encryption keys from a running process, enabling them to potentially access the encrypted data,” the update noted. 

On December 29, a CircleCI customer alerted the company to suspicious GitHub OAuth activity, prompting it to change all tokens. On January 4, it issued a wider warning advising customers to do the same for all secrets stored on the platform.

How did CircleCI respond?

In addition to adding a heuristic to its AV system to detect the behaviors used in this attack, CircleCI implemented a range of changes DevOps admins everywhere can learn from:

  • Limited the number of engineers who can access the production environment
  • Added extra 2FA controls for remaining engineer access 
  • Implemented monitoring for the types of behavior that might indicate a compromise “via a variety of third-party vendors.”  

Pass-the-cookie 

That still leaves the issue of how a malware compromise of a single device could lead to attackers bypassing 2FA controls on an otherwise well-secured platform. 

The answer is that while 2FA and MFA are powerful controls, they are not without their vulnerabilities. These can, for example, be down to policies that govern the fine detail of when and how MFA is required. In practice, this might include MFA being asked for in some contexts but not others, or only for the first access.

This approach is sensible and necessary – too much MFA can quickly bog teams down with additional authentication requests. But limiting MFA also comes with higher risk. 

The specific weakness in this attack was the SSO authentication token. This, usefully for attackers, is created after MFA has happened. All the attacker needs to do is compromise the local environment to grab the session cookie at the right moment. 

One example of this approach is the pass-the-cookie attack, which CISA warned about in 2021 in relation to wider cloud services not unlike CircleCI’s. Stolen cookies are even reportedly being traded on the dark web. Pass-the-cookie is not the only way attackers are trying to beat MFA, but it might be the one defenders should no longer discount. In any case, this is a learning opportunity and a good excuse for any organization using MFA to examine its deployment and assess potential weak points.
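
The weakness described above, a session that stays valid after a single MFA check, can be narrowed by binding each session to the client context it was first used from and by re-prompting for MFA before high-privilege actions. The Python below is an added example, not CircleCI's code; the event fields, the action name `generate_prod_token`, the 15-minute window and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass

SENSITIVE_ACTIONS = {"generate_prod_token"}  # assumed name for a high-privilege action
MAX_MFA_AGE_MIN = 15                         # assumed freshness window for step-up MFA

@dataclass(frozen=True)
class Event:
    session: str      # opaque session identifier (never log the cookie value itself)
    ip: str
    user_agent: str
    action: str
    mfa_age_min: int  # minutes since this session last passed MFA

def evaluate(events):
    """Return one (decision, reason) pair per event, in order."""
    bound = {}        # session -> (ip, user_agent) recorded at first use after MFA
    revoked = set()
    out = []
    for e in events:
        ctx = (e.ip, e.user_agent)
        if e.session in revoked:
            out.append(("deny", "session already revoked"))
        elif bound.setdefault(e.session, ctx) != ctx:
            # Same cookie, different client: treat as possible pass-the-cookie.
            revoked.add(e.session)
            out.append(("revoke", "cookie presented from a new client context"))
        elif e.action in SENSITIVE_ACTIONS and e.mfa_age_min > MAX_MFA_AGE_MIN:
            # MFA at first access only is not enough for privileged operations.
            out.append(("step_up", "sensitive action needs fresh MFA"))
        else:
            out.append(("allow", "context matches and MFA is fresh enough"))
    return out

# Constructed sample events, not taken from the CircleCI incident report.
SAMPLE = [
    Event("s1", "198.51.100.7", "Firefox/108", "view_dashboard", 1),
    Event("s1", "198.51.100.7", "Firefox/108", "generate_prod_token", 240),
    Event("s1", "203.0.113.50", "curl/7.86", "generate_prod_token", 245),
    Event("s1", "198.51.100.7", "Firefox/108", "view_dashboard", 250),
]

if __name__ == "__main__":
    for event, (decision, reason) in zip(SAMPLE, evaluate(SAMPLE)):
        print(f"{event.action:22} {event.ip:14} -> {decision}: {reason}")
```

Context binding is a heuristic, since IP addresses and user agents change legitimately and can be imitated. The step-up rule is the check that still applies when a replayed cookie arrives from a matching context.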