- GitHub Security announced that hackers are targeting GitHub users with a phishing campaign by impersonating CircleCI.
- The phishing site looks like the GitHub login page and steals users’ credentials and 2-factor authentication codes once entered.
- After stealing the credentials, hackers create GitHub personal access tokens, authorize OAuth applications, or add SSH keys to preserve access.
Account credentials and 2FA
Similar to any other phishing attack, the email leads to a fake GitHub login page and tries to steal the users’ GitHub account credentials and two-factor authentication codes. Some of the domains used in the phishing campaign are:
CircleCI also posted a notice for its users and stated that the platform wouldn’t ask users to enter credentials to view changes in the terms of service. The company also said,
« If you believe you or someone on your team may have accidentally clicked a link in this email, please immediately rotate your credentials for both GitHub and CircleCI, and audit your systems for any unauthorized activity. »
On 9/14/22 we became aware of a phishing attempt for customers' CircleCI & GitHub credentials. We have no reason to believe any accounts were compromised but want customers to be aware of this ongoing phishing attack & exercise due caution.
— CircleCI (@CircleCI) September 16, 2022
Once the attackers steal the credentials, they can create personal access tokens, authorize OAuth apps, and even add SSH keys to the account thus it persists if the user resets the password. GitHub stated that attackers using VPN or proxy services started exfiltration from private repositories after they compromise. The attackers are also creating new user accounts to add them to the organizations if the compromised account has organization management features. GitHub published a list of security checks for users to stay safe. GitHub also said,
« Upon conducting our analysis, we reset passwords and removed threat actor-added credentials for impacted users, and we notified all of the known-affected users and organizations that we discovered through our analysis. If you did not receive an email notice from us, then we do not have evidence that your account and/or organization was accessed by the threat actor at this time. We suspended all identified threat actor accounts, and we will continue to monitor for malicious activity and notify new victim users and organizations as needed. »