The Week in Breach: Codecov causes supply-chain nightmares




ZDNet: Codecov breach impacted ‘hundreds’ of customer networks: report

Updated: Reports suggest the initial hack may have led to a more extensive supply chain attack.

DevOps tool provider Codecov’s security breach has impacted “hundreds” of clients according to new information surrounding the incident.

US investigators examining the case told Reuters on Tuesday that the attackers responsible for the hack managed to exploit not only Codecov software, but also potentially used the organization as a springboard to compromise a huge number of customer networks.

Based in San Francisco, Codecov offers code coverage and software testing tools. The aim is to allow users to deploy “healthier” code during the DevOps cycle, but on or around January 31, 2021, an unknown attacker was able to exploit an error in Codecov’s Docker image creation process to tamper with the Codecov Bash Uploader script.

This has led to the potential export of information stored in users’ continuous integration (CI) environments.

Speaking on condition of anonymity to the news agency, one of the investigators said attackers used automation to collect credentials as well as “raid additional resources,” which may have included data hosted on the networks of other software development program vendors, including IBM.

An IBM spokesperson told Reuters that, as of now, there does not seem to be any “modifications of code involving clients” or the company itself.

Codecov counts over 29,000 enterprise clients in total. The organization also works extensively with the open source community and startups.

The initial compromise and backdoor in the Bash Uploader script were discovered on April 1, impacting Codecov’s full set of “Bash Uploaders” including the Codecov-actions uploader for GitHub, the Codecov CircleCI Orb, and the Codecov Bitrise Step.

It is possible that the supply chain attack, made possible by compromising a resource used by other organizations, may have resulted in the theft of credentials, tokens, and keys running through client CIs, as well as “services, datastores, and application code that could be accessed with these credentials,” according to Codecov.

In addition, URLs of origin repositories using the Bash Uploaders may have been exposed.

Codecov said the issue has since been fixed and impacted customers were notified via email addresses on file on April 15. It is recommended that users roll their credentials if they have not already done so.

Codecov is also rotating internal credentials and has pulled in a third-party cyberforensics firm to conduct an audit. A new monitoring system is also being created to prevent such “unintended changes” from happening in the future.

“Codecov maintains a variety of information security policies, procedures, practices, and controls,” commented Jerrod Engelberg, Codecov CEO. “We continually monitor our network and systems for unusual activity, but Codecov, like any other company, is not immune to this type of event.”

Due to the potential ramifications of this attack, the FBI is also involved. The ongoing federal investigation has led to suggestions the Codecov situation could be likened to SolarWinds, in which the software vendor’s network was compromised in order to deploy a malicious software update to clients in a separate supply chain attack.

Last week, the FBI, NSA, CISA, and UK government formally blamed cyberattackers working for Russian intelligence for the SolarWinds incident.

Update 14.43 BST: Codecov declined to comment further and referred us to the company’s previous statement.


Dark Web ID’s Top Threats This Week



United States – LogicGate

https://techcrunch.com/2021/04/13/logicgate-risk-cloud-data-breach/

Exploit: Hacking

LogicGate: Software Company


Risk to Business: 1.631 = Severe

LogicGate notified customers that an unauthorized third party obtained credentials to its Amazon Web Services-hosted cloud storage servers storing customer backup files for its flagship platform Risk Cloud in 02/21. The risk and compliance specialty firm noted that only data uploaded on or prior to 02/23/21 would have been included in that backup file. The company said that an unauthorized third party was able to use the stolen credentials to decrypt files stored in AWS S3 buckets in the LogicGate Risk Cloud backup environment.

Individual Impact: No sensitive personal or financial information was announced as compromised in this incident, but the investigation is ongoing.

Customers Impacted: Unknown

How It Could Affect Customers’ Business: Hacking into databases is a profitable enterprise for cybercriminals. Ensuring that you’re using strong security for information storage is a modern essential.

IntegraMSP to the Rescue: Make sure that everyone on the IT team is up to date on today’s threats and ready for tomorrow’s with the tips and tricks in “The Security Awareness Champion’s Guide”. GET THIS FREE BOOK>>


United States – Codecov

https://therecord.media/codecov-discloses-2-5-month-long-supply-chain-attack/

Exploit: Third Party Data Breach

Codecov: Software and Cloud Developer


Risk to Business: 1.337 = Extreme

Codecov is facing a mess after a threat actor managed to breach its platform and add a credentials harvester to one of its tools, Bash Uploader. Codecov said the breach occurred “because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script.” The attacker gained access to the Bash Uploader script sometime in 01/21 and made periodic changes to add malicious code that would intercept uploads and scan for and collect any sensitive information such as credentials, tokens, or keys. Unfortunately, the bad guys had 2.5 months to run wild – the breach wasn’t discovered until 04/01. The damage isn’t limited to clients who used the Bash Uploader script directly, either. Because the script is also embedded in other products, a large chunk of the company’s customers may be affected.
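Both the article above and this entry describe the same pattern: a CI job fetches an uploader script from a vendor and runs it, so whatever the vendor serves runs with access to the job’s secrets. The check a pipeline owner can apply on their own side is to stop executing a freshly downloaded script blindly: save it, compare its SHA-256 digest against a digest pinned in the repository when that version was reviewed, and run it only on a match. The script below is an added example written for this newsletter; it is not Codecov’s code or Codecov’s documented procedure. The file names, the sample “uploader” contents and the simulated upstream modification are all constructed so the demo runs offline.

```shell
#!/usr/bin/env sh
# Added example, not Codecov's own code: a fetch-then-verify wrapper for a
# CI uploader script. The "curl | bash" pattern executes whatever the server
# serves; here the script is saved to disk first, its SHA-256 digest is
# compared with a digest pinned in the repository, and it runs only on a
# match. File names and script contents below are constructed for the demo.
set -e

# sha256_of_file FILE -> prints the hex SHA-256 digest of FILE.
# Uses sha256sum (GNU coreutils) when available, shasum (macOS/BSD) otherwise.
sha256_of_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_and_run FILE PINNED_SHA256 [ARGS...]
# Executes FILE with sh only if its digest equals PINNED_SHA256.
# Returns 1 without executing anything when the digests differ, which is
# what an "unintended change" to the upstream script looks like from the
# pipeline's side.
verify_and_run() {
    file="$1"
    pinned="$2"
    shift 2
    actual="$(sha256_of_file "$file")"
    if [ "$actual" != "$pinned" ]; then
        printf 'refusing to run %s: sha256 %s does not match pinned %s\n' \
            "$file" "$actual" "$pinned" >&2
        return 1
    fi
    sh "$file" "$@"
}

# demo: builds a constructed "uploader" script, pins its digest, runs it,
# then appends one line (standing in for an upstream modification) and
# shows that the wrapper refuses to execute the changed file.
demo() {
    workdir="$(mktemp -d)"
    uploader="$workdir/uploader.sh"
    printf '#!/bin/sh\necho "uploading coverage report for $1"\n' > "$uploader"

    # In a real pipeline the digest is reviewed once and committed next to
    # the CI configuration, not computed at run time as it is here.
    pinned_digest="$(sha256_of_file "$uploader")"
    verify_and_run "$uploader" "$pinned_digest" my-project

    # Simulated upstream change: any byte difference changes the digest.
    printf 'echo "line added after the digest was pinned"\n' >> "$uploader"
    if verify_and_run "$uploader" "$pinned_digest" my-project; then
        echo "unexpected: modified script was executed"
        rm -rf "$workdir"
        return 1
    fi
    echo "modified script was blocked as expected"
    rm -rf "$workdir"
}

demo
```

A pinned digest only tells the pipeline that the script is the one that was reviewed; it has to be updated deliberately each time the vendor ships a new version, and a failed check should stop the job rather than fall back to the unverified file. It also does nothing for secrets that may already have been exposed, which is why the credential rotation the page recommends remains a separate step.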

Individual Impact: No sensitive personal or financial information was announced as compromised in this incident, but the investigation is ongoing.

Customers Impacted: Unknown

How It Could Affect Your Business: Not only did Codecov fall victim to a cyberattack that adulterated its product, it didn’t find out for 2.5 months. Not a good look.

IntegraMSP to the Rescue: Make sure that you’re covering all of the bases to avoid breaches and nasty regulatory action with our Cybersecurity Risk Protection Checklist. GET THE CHECKLIST>>


1 – 1.5 = Extreme Risk

1.51 – 2.49 = Severe Risk

2.5 – 3 = Moderate Risk

Risk scores for The Week in Breach are calculated using a formula that considers a wide range of factors related to the assessed breach.