
CircleCI and Slack Security Incidents Highlight Risks of Token Compromise and SaaS Integration Threats

CircleCI and Slack Security Incidents

CircleCI offers a continuous integration and delivery platform for software development. A recent breach provides an opportunity to learn about growing SaaS security threats.

Per the company’s investigation, an attacker installed malware on a CircleCI employee’s laptop; the “malware was not detected by our antivirus software.” The malware let the attacker steal the employee’s valid, MFA-backed session tokens. The targeted employee had privileged access to the production system. The stolen tokens enabled the attacker to “impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems.” Those systems included the stored GitHub tokens that grant access to customers’ GitHub environments.

Coincidentally, Slack posted about a security incident that occurred on the same day CircleCI was notified of suspicious activity. In that incident, one of Slack’s vendors was breached, resulting in the compromise of a Slack employee’s GitHub token and access to private repositories. We have no confirmation that these incidents are related. Taken together, however, they illustrate two significant risks to SaaS users: session hijacking and integration threat. Read on to learn more about these threats.

What is Session Hijacking?

Session hijacking is a technique in which an attacker takes possession of a user’s legitimate, already-authenticated session and uses it to gain unauthorized access to the user’s account. Because the session has already passed authentication, it lets the attacker bypass multi-factor authentication (MFA) and single sign-on (SSO) controls.

In a session hijack, the attacker obtains a copy of the user’s session cookie: a small piece of data that a website sends to the user’s browser and that identifies the user’s session on subsequent requests. Anyone who holds a copy of this cookie can present it to the website and perform actions as if they were the user.

Once an attacker holds a session token, they have persistent access until the token is revoked or expires. And once inside, particularly when the stolen token is an SSO master token, the attacker can move laterally into other connected systems, including cloud databases and workloads.

Token theft is the usual objective of session hijacking. Tokens are typically stolen by installing malware on the victim’s browser or operating system. A successful phishing attack is another way to obtain a victim’s session. An attacker can also capture a user’s session cookie through credential exchange after a successful social engineering attack, in which the attacker tricks the user into revealing their login credentials.

Watch Glenn Chisholm, Obsidian CPO and co-founder, explain session hijacking basics.

How Obsidian Helps Customers Defend Against SaaS Session Hijacking

To accurately identify token theft and other compromises within your SaaS environment, Obsidian begins with a consolidated understanding of your users, activities, permissions, and configurations from across your core applications. This data is normalized, enriched with context and threat intel, and ultimately populated into a central knowledge graph of your SaaS environment. That graph is the foundation for our models to detect malicious activity in its earliest stages, giving your team the chance to mitigate threats before sensitive data is exfiltrated.

Because Obsidian carefully examines details about users and the client connections they make to the identity provider and SaaS applications, it detects the often subtle anomalies consistent with token capture and reuse by an attacker. When such an anomaly is identified, the platform immediately flags the event for your security team, providing a single timeline of events related to the attack and a clear path to prompt remediation.
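The two points above, that a stolen token stays valid until it is revoked or expires and that capture and reuse show up as anomalies in the client connections presenting a session, can be made concrete with a small detector. The following is an added example, not code from the original post or from Obsidian's platform: it runs over a constructed JSON-lines audit log (field names, session IDs, addresses and user agents are all made up) and reports any session that is presented from two different client fingerprints within a short window, then lists the session IDs to revoke.

```python
"""Flag a session token that is reused from a second client context.

Added example, not code from the original post or from Obsidian's
platform. Each constructed log record carries the session identifier
presented, the source IP, the user agent and a timestamp. A session
seen from two different client fingerprints within a short window is
reported as consistent with token capture and reuse, and its session
ID is queued for server-side revocation.
"""
import json
from datetime import datetime, timedelta

# Constructed sample audit log. Session IDs and addresses are fake;
# the third line is the anomalous reuse from a scripted client.
SAMPLE_LOG = """
{"ts": "2023-01-04T10:00:00Z", "user": "alice", "session": "sess-A1", "ip": "203.0.113.10", "ua": "Chrome/108 macOS"}
{"ts": "2023-01-04T10:05:00Z", "user": "alice", "session": "sess-A1", "ip": "203.0.113.10", "ua": "Chrome/108 macOS"}
{"ts": "2023-01-04T10:07:00Z", "user": "alice", "session": "sess-A1", "ip": "198.51.100.77", "ua": "python-requests/2.28"}
{"ts": "2023-01-04T11:00:00Z", "user": "bob", "session": "sess-B7", "ip": "192.0.2.5", "ua": "Firefox/108 Windows"}
{"ts": "2023-01-04T15:30:00Z", "user": "bob", "session": "sess-B7", "ip": "192.0.2.5", "ua": "Firefox/108 Windows"}
"""

# Two observations of one session from different clients inside this
# window are treated as reuse rather than as a legitimate client change.
REUSE_WINDOW_MINUTES = 30


def parse_log(text):
    """Parse JSON lines into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def fingerprint(rec):
    """Client context the token was presented from: (source IP, user agent)."""
    return (rec["ip"], rec["ua"])


def detect_token_reuse(events, window_minutes=REUSE_WINDOW_MINUTES):
    """Return one alert per event where a session appears from a fingerprint
    different from one seen for the same session within the window."""
    window = timedelta(minutes=window_minutes)
    history = {}  # session id -> list of (timestamp, fingerprint)
    alerts = []
    for rec in events:
        sid, fp = rec["session"], fingerprint(rec)
        seen = history.setdefault(sid, [])
        # Drop observations older than the window before comparing.
        seen[:] = [(t, f) for t, f in seen if rec["ts"] - t <= window]
        prior = [(t, f) for t, f in seen if f != fp]
        if prior:
            last_ts, last_fp = prior[-1]
            alerts.append({
                "user": rec["user"],
                "session": sid,
                "ts": rec["ts"].isoformat(),
                "new_client": fp,
                "prior_client": last_fp,
                "minutes_since_prior": (rec["ts"] - last_ts).total_seconds() / 60,
            })
        seen.append((rec["ts"], fp))
    return alerts


def sessions_to_revoke(alerts):
    """Session IDs to invalidate server-side: a stolen token stays usable
    until it is revoked or expires, so revocation is the first response."""
    return {a["session"] for a in alerts}


if __name__ == "__main__":
    found = detect_token_reuse(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"reuse: user={a['user']} session={a['session']} "
              f"{a['prior_client']} -> {a['new_client']} after {a['minutes_since_prior']:.0f} min")
    print("revoke:", sorted(sessions_to_revoke(found)))
```

On the constructed log this reports only alice's session, presented two minutes after the last browser request from a different address with a scripted user agent; bob's session, always from one client, is silent. The window is the main tuning knob: a user switching from office Wi-Fi to a phone network changes IP legitimately, so a real deployment would weight user-agent changes and impossible-travel distances rather than treating every fingerprint change as theft.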

You can learn more about how you can defend against session hijacking attacks here.  

What is SaaS Integration Threat?

Connected SaaS applications have many moving parts, including integrations, settings, and controls. Users are responsible for some settings, while others are controlled by IT or a security team. When users install unauthorized software, they sometimes connect it to core corporate applications such as Salesforce, M365, and Google Workspace. It is important to have a vendor security assessment process that determines up front whether an integration with a given vendor should be allowed.

But even authorized integrations create risk, because a third-party vendor can be compromised as an indirect route into an organization. Every integration expands your attack surface, so it is important to have continuous visibility into how these applications behave so that anomalies can be detected.

When an integrated application is compromised, an attacker can, depending on the integration and the access privileges granted to that vendor, move laterally within the SaaS environment to read, tamper with, and delete data. The attacker could also use this vector to escalate privileges within your organization and do further damage. When these scenarios occur, the faster the security team becomes aware of the breach, the faster it can be contained or eliminated, protecting your customer data and saving millions in losses and in corporate reputation.

One of the more common types of integration threat is an attacker gaining access to legitimate credentials. Watch this video to learn the fundamentals of OAuth abuse.

How Obsidian Helps Customers Defend Against Integration Threat

Obsidian combats integration threats by inventorying every third-party integration with high-risk access into the SaaS environment and building a profile of its typical behaviors and activity patterns. Machine learning models continuously evaluate how these integrations behave in order to identify anomalies indicative of compromise. Prompt detection lets the security team take timely corrective action that removes an attacker’s access and their ability to exfiltrate sensitive corporate data. The same process yields an inventory of unauthorized SaaS applications and integrations in use, so administrators can decide whether to remove specific integrations.
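The two controls discussed in this section, a vendor assessment that decides which integrations and scopes are allowed and a behavioral baseline that catches a compromised but authorized integration, can be sketched in a single script. This is an added example, not code from the original post or from Obsidian's platform; the OAuth grant inventory, the scope names, the approved-vendor list and the per-day API call counts are all constructed, and the statistical baseline is a simple z-score rather than any particular model.

```python
"""Inventory third-party SaaS integrations and flag anomalous behavior.

Added example, not code from the original post or from Obsidian's
platform. It works over a constructed inventory of OAuth grants into a
SaaS tenant and a constructed per-day API call history for each
integration (app names, scope names and counts are all made up). Two
checks run: grants to unapproved vendors or holding high-risk scopes are
reported, and each integration's latest daily call volume is compared
against a baseline built from its earlier days.
"""
from statistics import mean, pstdev

# Constructed policy: scopes considered high-risk, and vendors that have
# passed the organization's vendor security assessment process.
HIGH_RISK_SCOPES = {"files.read_all", "mail.read_all", "directory.admin", "repo.write"}
APPROVED_VENDORS = {"ci-runner", "crm-sync"}

# Constructed inventory: one entry per OAuth grant into the tenant.
GRANTS = [
    {"app": "ci-runner", "granted_by": "it-admin", "scopes": ["repo.read", "repo.write"]},
    {"app": "crm-sync", "granted_by": "it-admin", "scopes": ["contacts.read"]},
    {"app": "pdf-magic", "granted_by": "carol", "scopes": ["files.read_all"]},
]

# Constructed daily API call counts per integration, oldest first.
# ci-runner's last day is a sudden spike of the kind a compromised
# vendor token pulling data in bulk would produce.
CALL_HISTORY = {
    "ci-runner": [120, 130, 118, 125, 122, 128, 124, 910],
    "crm-sync": [40, 42, 38, 41, 39, 40, 43, 41],
    "pdf-magic": [5, 6, 5, 4, 6, 5, 5, 5],
}


def review_grants(grants, approved=APPROVED_VENDORS, high_risk=HIGH_RISK_SCOPES):
    """Report grants that fail policy, with reasons, so an admin can decide
    whether to remove the integration."""
    findings = []
    for g in grants:
        reasons = []
        if g["app"] not in approved:
            reasons.append("vendor not approved")
        risky = sorted(set(g["scopes"]) & high_risk)
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(risky))
        if reasons:
            findings.append({"app": g["app"], "granted_by": g["granted_by"], "reasons": reasons})
    return findings


def volume_anomalies(history, z_threshold=3.0):
    """Flag integrations whose latest daily call count sits more than
    z_threshold standard deviations above the mean of the prior days."""
    anomalies = []
    for app, counts in history.items():
        if len(counts) < 3:
            continue  # not enough history to form a baseline
        baseline, latest = counts[:-1], counts[-1]
        mu = mean(baseline)
        # Floor the spread at one call so a perfectly flat baseline neither
        # divides by zero nor flags a change of a single request.
        sigma = max(pstdev(baseline), 1.0)
        z = (latest - mu) / sigma
        if z > z_threshold:
            anomalies.append({"app": app, "latest": latest,
                              "baseline_mean": round(mu, 1), "z": round(z, 1)})
    return anomalies


def integration_report(grants=GRANTS, history=CALL_HISTORY):
    """Combine both checks into one report keyed by integration name."""
    report = {}
    for f in review_grants(grants):
        report.setdefault(f["app"], []).extend(f["reasons"])
    for a in volume_anomalies(history):
        report.setdefault(a["app"], []).append(
            f"call volume {a['latest']} vs baseline mean {a['baseline_mean']} (z={a['z']})")
    return report


if __name__ == "__main__":
    for app, issues in integration_report().items():
        print(app)
        for issue in issues:
            print("  -", issue)
```

On the constructed data, pdf-magic is reported as an unapproved vendor holding a high-risk scope (a user-installed integration that bypassed vendor assessment), and ci-runner, although approved, is reported both for its write scope and for a daily call volume far above its baseline, which is exactly the authorized-but-compromised case the section warns about. A real deployment would baseline per scope and per action type rather than a single daily count, but the shape of the check is the same.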

The reality is that a single employee, with a few clicks, can change an organization’s security posture. Knowing quickly when this happens empowers a security team to reduce or mitigate the resulting danger.

Get a Free SaaS Security Risk Assessment 

Want to see how your SaaS environment stacks up? Get a free SaaS security risk assessment that comes with a full report of your SaaS posture with actionable steps you can take to mitigate SaaS session hijacking attempts and integration threats.