Hundreds of networks reportedly hacked in Codecov supply-chain attack

silversurfer

More details have emerged on the recent Codecov system breach which is now being likened to the SolarWinds hack.

In new reporting by Reuters, investigators have stated that hundreds of customer networks have been breached in the incident, expanding the scope of this system breach beyond just Codecov's systems.

As reported by BleepingComputer last week, Codecov had suffered a supply-chain attack that went undetected for over 2 months.

In this attack, threat actors had gained Codecov's credentials from their flawed Docker image that the actors then used to alter Codecov's Bash Uploader script, used by the company's clients.

By replacing Codecov's IP address with their own in the Bash Uploader script, the attackers paved a way to silently collect Codecov customers' credentials—tokens, API keys, and anything stored as environment variables in the customers' continuous integration (CI) environments.
According to federal investigators, Codecov attackers deployed automation to use the collected customer credentials to tap into hundreds of client networks, thereby expanding the scope of this system breach beyond just Codecov's systems.

"The hackers put extra effort into using Codecov to get inside other makers of software development programs, as well as companies that themselves provide many customers with technology services, including IBM," a federal investigator anonymously told Reuters.

By abusing the customer credentials collected via the Bash Uploader script, hackers could potentially gain credentials for thousands of other restricted systems, according to the investigator.
 
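The post above describes the mechanism: a CI uploader script fetched and run by customers was altered so that it shipped the job's environment variables to an attacker-controlled IP. The following is an added example, not Codecov's code and not from the original post, showing the two guards a pipeline can apply to such a script before executing it: a pinned SHA-256 check (the expected hash and file names are placeholders, assumed for the example) and a heuristic scan for lines that hand an environment dump, or a raw-IP destination, to an upload command.

```shell
#!/bin/sh
# Added example (not Codecov's own code). Guards a third-party CI uploader
# script before it runs. All file names and hashes here are placeholders.

# file_sha256 FILE -> prints the hex SHA-256 (sha256sum, or shasum on macOS)
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_pinned_hash FILE EXPECTED_SHA256 -> 0 if the file matches the pin
verify_pinned_hash() {
    [ "$(file_sha256 "$1")" = "$2" ]
}

# scan_for_env_exfil FILE -> 0 if clean, 1 if a suspicious line is present.
# Heuristic: an upload command (curl/wget) on the same line as an environment
# dump, or an upload whose destination is a bare IPv4 literal instead of a
# hostname. May flag legitimate scripts; treat a hit as "review before use".
scan_for_env_exfil() {
    if grep -E '(curl|wget).*(\$\(env\)|`env`|printenv|[^A-Za-z_]env[^A-Za-z_])' "$1" >/dev/null; then
        echo "env dump passed to upload command in $1" >&2
        return 1
    fi
    if grep -E '(curl|wget).*https?://[0-9]{1,3}(\.[0-9]{1,3}){3}' "$1" >/dev/null; then
        echo "upload to raw IP literal in $1" >&2
        return 1
    fi
    return 0
}

# check_uploader FILE EXPECTED_SHA256 -> 0 only if both guards pass;
# a CI step would run "check_uploader uploader.sh $PINNED && sh uploader.sh"
check_uploader() {
    verify_pinned_hash "$1" "$2" || { echo "hash mismatch: refusing $1" >&2; return 1; }
    scan_for_env_exfil "$1" || return 1
    echo "ok: $1"
}
```

Pinning the hash is the real control; the content scan only catches an attacker who left the obvious pattern in place, which is why a hash mismatch alone must stop the job.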

silversurfer

As of a few hours ago, Codecov has started notifying the maintainers of software repositories affected by the recent supply-chain attack.

These notifications, delivered via both email and the Codecov application interface, state that the company believes the affected repositories were downloaded by threat actors.

The original security advisory posted by Codecov lacked any Indicators of Compromise (IOCs) due to a pending investigation.

However, Codecov has now disclosed multiple IP addresses as IOCs that were used by the threat actors to collect sensitive information (environment variables) from the affected customers.

Codecov provides software auditing and code coverage services to projects, along with the ability to generate test reports and statistics.
 

upnorth

Boston-based security firm Rapid7 disclosed today that a threat actor accessed some of its source code after a hack at software supplier Codecov earlier this year.

Through today’s announcement, Rapid7 becomes the fourth company to admit to a second-hand breach because of the Codecov incident, where hackers accessed the company’s internal network and hid a credentials-harvesting module inside its Bash Uploader tool. Two days shy of a month after Codecov disclosed its breach, Rapid7 now joins software maker Hashicorp, cloud provider Confluent, and voice calling service Twilio as the only companies to publicly admit to having been impacted.
 