Privacy Ninja

Hackers Stealing GitHub Accounts Using Fake CircleCI Notifications

GitHub is warning of an ongoing phishing campaign that started on September 16 and is targeting its users with emails that impersonate the CircleCI continuous integration and delivery platform.

The bogus messages inform recipients that the user terms and privacy policy have changed and they need to sign into their GitHub account to accept the modifications and keep using the services.

[Image: Phishing message sent to many GitHub users (source: CircleCI)]

The threat actors’ goal is to steal GitHub account credentials and two-factor authentication (2FA) codes by relaying them through reverse proxies.

Accounts protected with hardware security keys for multi-factor authentication (MFA) are not vulnerable to this attack.

“While GitHub itself was not affected, the campaign has impacted many victim organizations,” GitHub said in an advisory published on Wednesday.

CircleCI has also posted a notice on its forums to raise awareness of the malicious campaign, explaining that the platform would never ask users to enter credentials to view changes in its terms of service.

“Any emails from CircleCI should only include links to circleci.com or its sub-domains,” underlines the notice from CircleCI.

“If you believe you or someone on your team may have accidentally clicked a link in this email, please immediately rotate your credentials for both GitHub and CircleCI, and audit your systems for any unauthorized activity.”

The domains used to distribute the phishing messages mimic the official CircleCI domain (circleci.com). So far, the following have been confirmed:

  • circle-ci[.]com
  • emails-circleci[.]com
  • circle-cl[.]com
  • email-circleci[.]com
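The rule from the CircleCI notice (only circleci.com or its sub-domains are legitimate) is easy to turn into a mail-filter check. The script below is an added example written for this article, not code from GitHub or CircleCI; the sample email is constructed and uses the four confirmed lookalike domains listed above, plus a sub-domain-suffix trick and a userinfo trick that a naive substring match would miss.

```python
import re
from urllib.parse import urlparse

# Per the CircleCI notice, legitimate mail links only to this domain or its sub-domains.
LEGIT_DOMAIN = "circleci.com"

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_legit_host(host: str) -> bool:
    """True only for circleci.com itself or a real sub-domain of it.

    Suffix matching on ".circleci.com" rejects hosts such as
    "circleci.com.evil.example" and "notcircleci.com".
    """
    host = host.lower().rstrip(".")
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def classify_host(host: str) -> str:
    """'legit', 'lookalike' (brand string present, wrong domain) or 'other'."""
    if is_legit_host(host):
        return "legit"
    return "lookalike" if "circle" in host.lower() else "other"


def extract_hosts(text: str) -> list:
    """Pull every http(s) link out of a mail body and return its real host."""
    hosts = []
    for url in URL_RE.findall(text):
        # urlparse().hostname discards userinfo ("circleci.com@evil") and the port.
        hostname = urlparse(url.rstrip(".,;:)")).hostname
        if hostname:
            hosts.append(hostname.lower())
    return hosts


def suspicious_links(text: str) -> dict:
    """Map each non-CircleCI host found in the text to its classification."""
    return {h: classify_host(h) for h in sorted(set(extract_hosts(text)))
            if not is_legit_host(h)}


# Constructed sample modelled on the campaign described in the article.
SAMPLE_EMAIL = """Subject: Action required: updated Terms of Service
We have updated our user terms and privacy policy. Sign in with your
GitHub account to accept the changes: https://circle-ci.com/login
Mirror: https://emails-circleci.com/accept?u=1
Docs: https://circleci.com/docs
Support: https://circleci.com@circle-cl.com/help
Status: https://circleci.com.email-circleci.com/status
"""

if __name__ == "__main__":
    for host, verdict in suspicious_links(SAMPLE_EMAIL).items():
        print(f"{verdict:10s} {host}")
```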

After obtaining valid account credentials, the threat actors create personal access tokens (PATs), authorize OAuth apps, and sometimes add SSH keys to the account to persist even after a password reset.

GitHub reports seeing content exfiltration from private repositories almost immediately after compromise. The threat actors use VPN or proxy services to make tracing them more difficult.

If the compromised account has organization management permissions, the hackers create new user accounts and add them to the organization to maintain persistence.

GitHub has suspended accounts where signs of fraud could be identified. The platform has reset passwords for impacted users, who will see personalized notifications about the incident.

If you haven’t received a notice from GitHub but have valid grounds to believe you may be a victim of the phishing campaign, the recommendation is to reset your account password and 2FA recovery codes, review your PATs, and, if possible, start using a hardware MFA key.

GitHub also lists these security checks that all users should regularly perform to ensure that stealthy hackers have not compromised their accounts.
