Code Testing Company Codecov Hit with Supply-Chain Attack
Security Researchers Noted That the Hack Potentially Affected Hundreds of Customers and Software Projects.
Hackers used Codecov’s software development tool to gain restricted access to hundreds of networks belonging to the San Francisco firm’s customers, Reuters reports.
Codecov provides code coverage reports for software tests. The company makes auditing tools that let developers see how thoroughly their own code is being tested, a process that can give the tool access to stored credentials for multiple internal software accounts. The platform is used to test software code for vulnerabilities, and its 29,000 clients include Atlassian, Procter & Gamble, GoDaddy, and the Washington Post.
Although the breach occurred in January, it was not discovered until April 1, when a customer noticed something was wrong with the tool.
On Thursday, April 1, 2021, we learned that someone had gained unauthorized access to our Bash Uploader script and modified it without our permission. The actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script.
Immediately upon becoming aware of the issue, Codecov secured and remediated the affected script and began investigating any potential impact on users. A third-party forensic firm has been engaged to assist us in this analysis. We have reported this matter to law enforcement and are fully cooperating with their investigation.
Cybersecurity analysts discovered that an unknown threat actor exploited an error in Codecov’s Docker container image creation process and gained access to the credential that allowed the company’s Bash Uploader script to be modified.
Attackers used automation to copy those credentials quickly and reach additional resources, expanding the breach beyond Codecov’s initial disclosure on Thursday.
Threat actors put extra effort into using Codecov to get inside other makers of software development programs, as well as companies that provide technology services to many customers, including IBM.
Many projects affected, see https://t.co/FoUo4UFiDP
👉 check your logs
(that’s how I’ve found it – in a VT Retrohunt)
— Florian Roth (@cyb3rops) April 16, 2021
Following the incident, IBM and other companies said that their code had not been compromised, but did not address whether access credentials to their systems had been exfiltrated.
According to Codecov CEO Jerrod Engelberg, the modified version of the tool could have affected:
- Credentials, tokens, or keys that customers were passing through their CI runner that would be accessible when the Bash Uploader script was executed.
- Services, datastores, and application code that could be accessed with these credentials, tokens, or keys.
- The git remote information of repositories using the Bash Uploaders to upload coverage to Codecov in CI.
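The exposures listed above come down to two things: a modified script that was executed anyway, and CI credentials that were readable by whatever that script did. As an added example (not code from the article or from Codecov), this POSIX shell CI step applies the two matching controls: refuse to run a downloaded uploader whose SHA-256 differs from a pinned value, and run it with only the variables it needs so other runner secrets are not visible to it. The file names, tokens and pinned hash are constructed for the demo.

```shell
# Hardened "download and run" step for a coverage uploader. Illustration written
# for this article, not Codecov's code. File names, tokens and the pinned hash
# below are constructed for the demo.

sha256_of() {                       # print the SHA-256 of a file
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_script FILE PINNED_SHA256: succeed only if the downloaded file matches
# the hash recorded in the pipeline config, so a swapped script never executes.
verify_script() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# run_isolated FILE [NAME=VALUE ...]: run the script in an emptied environment
# plus only the variables listed, so unrelated secrets in the CI runner
# (cloud keys, deploy tokens) are not visible to it.
run_isolated() {
  script=$1; shift
  env -i PATH="$PATH" HOME="${HOME:-/tmp}" "$@" sh "$script"
}

# checked_upload FILE PINNED_SHA256 TOKEN: the combined CI step.
checked_upload() {
  if ! verify_script "$1" "$2"; then
    echo "uploader hash mismatch, refusing to run" >&2
    return 1
  fi
  run_isolated "$1" CODECOV_TOKEN="$3"
}

demo() {
  dir=$(mktemp -d)
  # constructed stand-in for the uploader: reports which variables it can see
  printf '%s\n' '#!/bin/sh' \
    'echo "token=${CODECOV_TOKEN:-unset} cloud_key=${AWS_SECRET_ACCESS_KEY:-unset}"' \
    > "$dir/uploader.sh"
  pinned=$(sha256_of "$dir/uploader.sh")      # the value you would commit
  AWS_SECRET_ACCESS_KEY=constructed-cloud-secret; export AWS_SECRET_ACCESS_KEY
  checked_upload "$dir/uploader.sh" "$pinned" constructed-token   # prints cloud_key=unset
  echo '# tampered' >> "$dir/uploader.sh"      # any byte changed...
  checked_upload "$dir/uploader.sh" "$pinned" constructed-token || echo "blocked"
  rm -rf "$dir"
}
demo
```

The pinned hash belongs in version control next to the pipeline definition, so a change to the hosted script shows up as a failed build rather than as a silent run.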
While the magnitude of the breach remains unclear, Reuters investigators note that it could have an impact similar to the SolarWinds hack, in which threat actors associated with the Russian government compromised SolarWinds’ monitoring and management software. At least nine federal agencies and more than 250 entities were exposed to that breach, including Nvidia, Cisco, and Belkin.