monday.com Source Code Has Been Accessed by Codecov Threat Actors
Uber, BBC Studios, Adobe, Universal, Hulu, L’Oreal, and Coca-Cola Are Some of the Platform’s Clients.
monday.com has revealed it had suffered a Codecov supply-chain attack that recently impacted several organizations. During the cyberattack, threat actors accessed a read-only copy of its source code.
monday.com is a project management tool that allows enterprises to manage tasks, projects, and teamwork. As of 2020, the firm serves 100,000 companies, including several non-technical organizations.
As we said in our previous articles, the popular code coverage tool Codecov fell victim to a supply-chain attack. The attack began around January 31, 2021, when cybercriminals gained unauthorized access to hundreds of networks belonging to Codecov’s users by tampering with one of the company’s software development tools.
The code coverage and testing tools provider made the attack public on April 15, stating that hackers had tampered with the Bash Uploader script and modified it. The Codecov-actions uploader for GitHub, the Codecov CircleCI Orb, and the Codecov Bitrise Step were also compromised.
This allowed the threat actors to exfiltrate information stored in users’ continuous integration (CI) environments. Hundreds of customers were potentially affected, and monday.com has now confirmed it was one of them.
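The check that catches a modified uploader before it runs in CI, as an added example that is not monday.com’s or Codecov’s own code: compare the downloaded script’s SHA-256 against a checksum obtained out of band (the vendor’s separately published checksum, ideally signature-verified) and refuse to execute on mismatch. The script path and the source of the expected checksum are assumptions.

```shell
#!/bin/sh
# Added example: verify a downloaded CI uploader script before executing it.
# "curl | bash" runs whatever the server returns; checking the digest against
# a checksum fetched separately would have flagged the tampered Bash Uploader.

# Print the SHA-256 hex digest of a file, using whichever tool is installed.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 when the file's digest equals the expected digest, 1 otherwise.
# The expected value is lower-cased so upstream formatting does not matter.
verify_checksum() {
    file="$1"; expected="$2"
    actual=$(file_sha256 "$file")
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Execute the script only after the checksum matches; on mismatch, report
# loudly and return 1 so the CI job fails instead of running unknown code.
run_verified() {
    script="$1"; expected="$2"; shift 2
    if verify_checksum "$script" "$expected"; then
        sh "$script" "$@"
    else
        echo "REFUSING to run $script: SHA-256 mismatch (expected $expected," \
             "got $(file_sha256 "$script"))" >&2
        return 1
    fi
}
```

Use the expected digest from a source the CI job does not download together with the script; a checksum served beside a tampered file is no protection.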
The organization involuntarily disclosed the news in documents filed with the U.S. Securities and Exchange Commission (SEC) as it prepares a stock exchange listing in the country.
Following its inquiry into the attack, monday.com discovered that unauthorized actors had obtained access to a read-only copy of its source code.
The company says there is no evidence that the attackers made any changes to the source code, nor that the attack affected any of its products.
It also stated that the threat actors did access a file holding an inventory of certain URLs pointing to publicly broadcast customer documents and views hosted on its platform, and that it has contacted the relevant customers to explain how to restore these URLs.
As the organization continues investigating the attack, it has so far found no evidence that its users’ information was leaked. monday.com stated that after the attack it revoked Codecov’s access to its environment and stopped using the service entirely.
Upon learning of this issue, we took immediate mitigation steps, including revoking Codecov access, discontinuing our use of Codecov’s service, rotating keys for all of monday.com’s production and development environments, and retaining leading cybersecurity forensic experts to assist with our investigation.
The monday.com disclosure comes shortly after US cybersecurity company Rapid7 also revealed it was one of the victims of the Codecov software supply-chain attack. Rapid7 said that a small subset of its source code repositories for internal tooling for its MDR service was accessed by an unauthorized party outside the organization.
Another company affected by the Codecov supply-chain attack is the software organization HashiCorp. According to the company, a private code-signing key was exposed in an attack focused on collecting developer credentials.
Codecov customers who used the Bash Uploader between January 31, 2021, and April 1, 2021, are urged to rotate all of the credentials, tokens, or keys stored in environment variables in their CI processes.