GitHub Accounts Hacked Using Fake CircleCI Notifications

GitHub has issued an advisory about an ongoing phishing campaign in which bad actors impersonate the CircleCI DevOps platform to steal GitHub users' credentials and two-factor authentication (2FA) codes.

GitHub, the Microsoft-owned code hosting service, discovered the attack on September 16, 2022, and says the campaign has impacted “many victim organizations.” The phishing messages tell users that their CircleCI session has expired and that they should log in again with their GitHub credentials by clicking a link.

According to CircleCI, users were also prompted via a bogus email to sign in to their GitHub accounts to accept the company’s new Terms of Use and Privacy Policy by following the link embedded in the message. Regardless of the lure, the link redirects the target to a lookalike GitHub login page designed to steal and exfiltrate the victim's credentials as well as their time-based one-time password (TOTP) codes in real time.

Accounts protected by hardware security keys are not vulnerable to this attack, according to Alexis Wales of GitHub.

Once an attacker gains unauthorized access to an account, they might create a GitHub personal access token, authorize OAuth applications, or add SSH keys. The attackers have also been downloading private repository content and, where the compromised account has management permissions over an organization, creating new accounts in that organization.

GitHub has taken steps to secure the affected accounts, including notifying those affected and removing any maliciously added credentials.
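The post-compromise actions listed above (new personal access tokens, OAuth authorizations, SSH keys, repository downloads, new organization members) are exactly what a defender should look for when hunting for maliciously added credentials. The following is an added example, not code from the article or from GitHub: it scans a constructed newline-delimited JSON audit-log sample and flags watched actions that occur shortly after the same actor's login. The action names are modeled on GitHub audit-log event names but are an assumption here and should be checked against your own export.

```python
import json
from datetime import datetime, timedelta, timezone

# Post-compromise actions named in the advisory, keyed by audit-log action.
# Action names are modeled on GitHub audit-log events but are an assumption
# here: check them against your own audit-log export.
WATCHED_ACTIONS = {
    "personal_access_token.access_granted": "personal access token created",
    "oauth_authorization.create": "OAuth application authorized",
    "public_key.create": "SSH key added",
    "repo.download_zip": "repository content downloaded",
    "org.add_member": "new account added to the organization",
}

# Constructed sample log, one JSON object per line (not real data).
SAMPLE_LOG = """
{"@timestamp": 1663344000000, "action": "user.login", "actor": "alice"}
{"@timestamp": 1663344120000, "action": "public_key.create", "actor": "alice"}
{"@timestamp": 1663344300000, "action": "oauth_authorization.create", "actor": "alice"}
{"@timestamp": 1663344900000, "action": "repo.download_zip", "actor": "alice"}
{"@timestamp": 1663347600000, "action": "user.login", "actor": "bob"}
{"@timestamp": 1663430400000, "action": "public_key.create", "actor": "bob"}
"""

def parse_log(text):
    """Parse newline-delimited JSON; "@timestamp" is epoch milliseconds."""
    entries = []
    for line in text.strip().splitlines():
        obj = json.loads(line)
        obj["ts"] = datetime.fromtimestamp(obj["@timestamp"] / 1000, tz=timezone.utc)
        entries.append(obj)
    return sorted(entries, key=lambda e: e["ts"])

def find_post_login_changes(entries, window=timedelta(hours=1)):
    """Return {actor: [(action, description), ...]} for watched actions that
    happen within `window` after that actor's most recent login."""
    last_login, hits = {}, {}
    for e in entries:
        actor = e["actor"]
        if e["action"] == "user.login":
            last_login[actor] = e["ts"]
            continue
        desc = WATCHED_ACTIONS.get(e["action"])
        if desc and actor in last_login and e["ts"] - last_login[actor] <= window:
            hits.setdefault(actor, []).append((e["action"], desc))
    return hits

if __name__ == "__main__":
    for actor, actions in find_post_login_changes(parse_log(SAMPLE_LOG)).items():
        print(actor, "->", ", ".join(desc for _, desc in actions))
```

In the sample, alice adds an SSH key, authorizes an OAuth app and downloads a repository within minutes of logging in and is flagged, while bob's key added a day after login is not; tune the window and action list to your environment.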

To help prevent data breaches of this kind, organizations should consider using hardware security keys for two-factor authentication.

GitHub also suffered a recent phishing attack in which attackers abused third-party OAuth user tokens maintained by Heroku and Travis CI.
