GitHub alerted the public that there is an ongoing phishing campaign targeting its users by impersonating the CircleCI continuous integration and delivery platform. The phishing attacks are designed to steal the targeted user’s account credentials and authentication codes; a successful attack gives threat actors full access to the victim’s GitHub account. In a recent advisory, GitHub recommended that all users reset their account password and two-factor authentication recovery codes, review their PATs (Personal Access Tokens), and, where possible, start using a hardware MFA (Multi-Factor Authentication) key.
Additionally, Barracuda recommends that organizations implement email protection to proactively defend against phishing threats.
Technical Detail & Additional Information
What is the threat?
The new phishing campaign is designed to steal credentials and authentication codes for GitHub accounts. For an account to be compromised, the user must interact with the fake GitHub login page by entering their credentials along with their MFA code. To date, the only GitHub accounts not affected by this attack are those protected with a hardware MFA key. Once the user submits the form, the bad actors relay the credentials through reverse proxies: a reverse proxy is a server that accepts requests and forwards them to another server on the client’s behalf, and here the phishing site uses one to pass the victim’s submitted credentials and MFA code on to the real GitHub login. “Any emails from CircleCI should only include links to circleci.com or its sub-domains,” underlines the notice from CircleCI. The false email domains include “circle-ci[.]com”, “emails-circleci[.]com”, “circle-cl[.]com” and “email-circleci[.]com”.
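The CircleCI rule quoted above (genuine mail links only to circleci.com or its sub-domains) is straightforward to turn into a mail-triage check. The example below is added here and is not code from GitHub, CircleCI or Barracuda; the sample sender and body are constructed, using the lookalike domains named in this advisory, and the legitimate support link is an assumed sub-domain.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Rule from CircleCI's notice: genuine mail links only to circleci.com or
# one of its sub-domains. Anything else in a "CircleCI" email is suspect.
LEGIT_DOMAIN = "circleci.com"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def refang(text: str) -> str:
    """Turn defanged indicators such as circle-ci[.]com back into hostnames."""
    return text.replace("[.]", ".")

def is_legit_host(host: str) -> bool:
    """Exact match or true sub-domain only, compared on label boundaries.
    A substring test would wrongly accept notcircleci.com or
    circleci.com.attacker.example, so do not use 'in' or startswith()."""
    host = host.lower().rstrip(".")
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)

def triage_email(sender: str, body: str) -> dict:
    """Flag the sender domain and every link whose host fails the rule."""
    _, addr = parseaddr(refang(sender))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    flagged = []
    if not is_legit_host(sender_domain):
        flagged.append(("sender", sender_domain))
    for url in URL_RE.findall(refang(body)):
        host = (urlparse(url).hostname or "").lower()
        if not is_legit_host(host):
            flagged.append(("link", host))
    return {"suspicious": bool(flagged), "flagged": flagged}

# Constructed sample, not a real captured message. The lookalike domains
# are the ones named in the advisory; the support link is an assumption.
SAMPLE_SENDER = "CircleCI <noreply@emails-circleci[.]com>"
SAMPLE_BODY = """Your CircleCI session expired. Sign in again at
https://circle-ci[.]com/login to keep your GitHub integration active.
Mirror: https://circleci.com.circle-cl[.]com/login
Docs: https://support.circleci.com/hc/en-us
"""

if __name__ == "__main__":
    for kind, host in triage_email(SAMPLE_SENDER, SAMPLE_BODY)["flagged"]:
        print(f"suspicious {kind}: {host}")
```

The third sample link shows why the check must match on label boundaries: the host begins with the legitimate name but belongs to a lookalike domain, and a naive prefix or substring test would let it through.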
Why is it noteworthy?
GitHub is a highly popular software development and version control service used by many organizations. Phishing campaigns are typically sent to many users at once, which increases the likelihood that at least one compromise occurs within an organization. A service like GitHub has millions of registered users, which gives an attacker plenty of targets for a phishing campaign.
What is the exposure or risk?
GitHub hosts troves of source code for organizations. A successful phish grants bad actors full access to a user’s account and allows them to take several actions, such as exploiting vulnerabilities, blackmail, monetary gain, and much more. This puts users and organizations at risk of losing resources, and it lets bad actors create unauthorized credentials in the compromised account, including PATs, OAuth apps, and SSH (Secure Shell) keys, that keep working even after a password reset.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of this phishing attack:
- Implement email protection to proactively prevent phishing threats.
- Reset your account password and 2FA recovery codes.
- Review your Personal Access Tokens.
- If applicable, start using a hardware MFA key.
- Review the GitHub “Preventing unauthorized access” documentation. https://discuss.circleci.com/t/circleci-security-alert-warning-phishing-attempt-for-login-credentials/45408
- Report any false email domains including: “circle-ci[.]com”, “emails-circleci[.]com”, “circle-cl[.]com” and “email-circleci[.]com”.
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.bleepingcomputer.com/news/security/hackers-stealing-github-accounts-using-fake-circleci-notifications/
- https://github.blog/2022-09-21-security-alert-new-phishing-campaign-targets-github-users/
- https://www.phishing.org/what-is-phishing
- https://www.nginx.com/resources/glossary/reverse-proxy-server/
- https://discuss.circleci.com/t/circleci-security-alert-warning-phishing-attempt-for-login-credentials/45408
- https://github.com/
- https://flare.systems/learn/resources/blog/preventing-identifying-source-code-leaks-a-flare-guide/
If you have any questions, please contact our Security Operations Center.