GitHub is warning of an ongoing phishing campaign that started on September 16 and is targeting its users with emails that impersonate the CircleCI continuous integration and delivery platform.
The bogus messages inform recipients that the user terms and privacy policy have changed and they need to sign into their GitHub account to accept the modifications and keep using the services.
The threat actors’ goal is to steal GitHub account credentials and two-factor authentication (2FA) codes by relaying them through reverse proxies.
Accounts protected with hardware security keys for multi-factor authentication (MFA) are not vulnerable to this attack.
“While GitHub itself was not affected, the campaign has impacted many victim organizations,” GitHub said in an advisory on Wednesday.
CircleCI has also posted a notice on its forums to raise awareness of the malicious campaign, explaining that the platform would never ask users to enter credentials to view changes in its terms of service.
“Any emails from CircleCI should only include links to circleci.com or its sub-domains,” underlines the notice from CircleCI.
If you believe you or someone on your team may have accidentally clicked a link in this email, please immediately rotate your credentials for both GitHub and CircleCI, and audit your systems for any unauthorized activity.
The domains used to distribute the phishing messages try to mimic the official CircleCI domain (circleci.com). So far, the following have been confirmed:
circle-ci[.]com
emails-circleci[.]com
circle-cl[.]com
email-circleci[.]com
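CircleCI's rule that its emails only link to circleci.com or its sub-domains can be enforced in a mail filter, but the comparison has to be made on a label boundary, because two of the confirmed lookalikes literally end in "circleci.com". The following is an added example, not code from GitHub or CircleCI; the sample email body, its paths and the two example.net links are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

OFFICIAL = "circleci.com"  # per CircleCI's notice: the only domain its emails link to

# Constructed sample body. The four lookalike hosts are the confirmed ones from
# the article, kept defanged; paths and the example.net links are made up.
SAMPLE_EMAIL = """\
Our terms of use and privacy policy have changed.
Review: https://circleci.com/terms
Docs:   https://app.circleci.com/settings
Accept: https://circle-ci[.]com/login
Accept: https://emails-circleci[.]com/login
Accept: https://circle-cl[.]com/login
Accept: https://email-circleci[.]com/login
Accept: https://circleci.com.example.net/login
Accept: https://circleci.com@example.net/login
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def is_official(url: str) -> bool:
    """True only if the URL's host is circleci.com or a sub-domain of it."""
    # Refang "[.]" for parsing only; urlsplit().hostname drops any
    # "user@" prefix and port, so "circleci.com@example.net" yields example.net.
    host = (urlsplit(url.replace("[.]", ".")).hostname or "").lower().rstrip(".")
    # Match on a label boundary: a plain endswith("circleci.com") would
    # accept emails-circleci.com and email-circleci.com.
    return host == OFFICIAL or host.endswith("." + OFFICIAL)


def suspicious_links(body: str) -> list[str]:
    """Return every link in the body whose host is not an official one."""
    return [u for u in URL_RE.findall(body) if not is_official(u)]


if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_EMAIL):
        print("not circleci.com:", link)
```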
After obtaining valid account credentials, the threat actors create personal access tokens (PATs), authorize OAuth apps, and sometimes add SSH keys to the account to persist even after a password reset.
GitHub reports seeing content exfiltration from private repositories almost immediately after compromise. The threat actors use VPN or proxy services to make tracing them more difficult.
If the compromised account has organization management permissions, the hackers create new user accounts and add them to the organization to maintain persistence.
GitHub has suspended accounts where signs of fraud could be identified. The platform has reset passwords for impacted users, who will see personalized notifications about the incident.
If you haven’t received a notice from GitHub but have valid grounds to believe you may be a victim of the phishing campaign, the recommendation is to reset your account password and 2FA recovery codes, review your PATs, and, if possible, start using a hardware MFA key.
GitHub also lists these security checks that all users should regularly perform to ensure that stealthy hackers have not compromised their accounts.