Rapid7 Source Code Accessed in Codecov Supply-Chain Breach
Codecov Tools Compromised in Last Month’s Supply-Chain Attack Were Not Used to Work With Production Code, the Firm Says.
US cybersecurity enterprise Rapid7 has revealed it has been one of the Codecov software supply chain attack victims and alerted last week that data for a subset of its clients was obtained during the breach.
The cybersecurity organization declared an internal examination discovered that “a small subset of our source code repositories for internal tooling for our MDR service was accessed by an unauthorized party outside of Rapid7.”
The company stated:
These repositories contained some internal credentials, which have all been rotated, and alert-related data for a subset of our MDR customers.
No other corporate systems or production environments were accessed, and no unauthorized changes to these repositories were made.
The firm has already informed those who might have been affected by the attack in order to take action to reduce any possible danger.
Rapid7 added that the Codecov tools compromised in last month’s supply-chain attack were not used to work with production code.
Our use of Codecov’s Bash Uploader script was limited: it was set up on a single CI server used to test and build some internal tooling for our Managed Detection and Response (MDR) service.
We were not using Codecov on any CI server used for product code.
Codecov cyberattack occurred around January 31 2021 when cybercriminals obtained private access to hundreds of networks belonging to Codecov’s users by interfering with one of the company’s software development tools.
The code coverage and testing tools provider made the cyber attack public on April 15, stating that hackers interfered with the Bash Uploader script and modified it. Codecov-actions uploader for GitHub, Codecov CircleCl Orb, and the Codecov Bitrise Step has been compromised.
This allowed threat actors to export information contained in user continuous integration (CI) environments. Hundreds of customers were potentially affected, and now, Rapid7 has confirmed that the company was one of them.
The actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script.
Rapid7 firmly assured there’s no proof that other corporate systems or production environments were accessed, or that any malicious modifications were made to those repositories.
The organization also added its employment of the Uploader script was restricted to a single CI server that was utilized to test and build some internal tools for its Managed Detection and Response (MDR) service.
Affected clients were informed via email addresses on record and through the Codecov app.
Codecov customers who have utilized the Bash Uploaders between January 31, 2021, and April 1, 2021, are urged to re-roll all of their records, tokens, or keys situated in the environment variables in their CI processes.