Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/20/2021
04:57 PM
50%
50%

Attackers Compromised Code-Checking Vendor's Tool for Two Months

A script used to upload sensitive reports-with access to credentials and datastores-likely sent information on hundreds, possibly thousands, of companies to attackers.

In a software supply-chain attack reminiscent of the SolarWinds compromise, unknown attackers used a vulnerable tool published by code checking firm Codecov for a little over two months to collect sensitive development information from the company's clients.

Codecov, which provides tools and services to check how well software tests are covering code under development, in a statement published on Friday warned that attackers had modified a command-line upload tools to also send sensitive information to the attackers. At-risk data includes credentials, software tokens, and keys—and the data and code that could be accessed with those secrets—as well as the remote repository information.

Related Content:

Attackers Turn Struggling Software Projects Into Trojan Horses

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: How to Create an Incident Response Plan From the Ground Up

The firm recommended that clients use a script to create a list of credentials that could be accessed by its software and consider those credentials and secrets compromised.

"If anything returned from that command is considered private or sensitive we strongly recommend invalidating the credential and generating a new one," Jerrod Engelberg, CEO of Codecov, said in a statement. "Additionally, we would recommend that you audit the use of these tokens in your system."

Codecov first became aware of the breach on April 1, after a customer reported a discrepancy in the check sum used to verify the integrity and authenticity of the tool. The company began investigating and has brought in federal law enforcement, Codecov said in its statement. The attackers likely had access to the system since the end of January, according to the company's investigation. While CodeCov did not specify how many clients were affected by the breach, its website states that more than 29,000 enterprises use its service.

A breach at a software supplier that could have impacted thousands of client firms puts the attack squarely on the level of the SolarWinds compromise, says Asaf Karas, co-founder and chief technology officer for Vdoo, an Internet-of-Things security platform.

"The Codecov system breach is yet another example that highlights the need to verify and scan any third-party software artifacts introduced to enterprise networks or applications, especially as part of the build chain," he says. "Shell scripts, in particular, aren't being given enough attention and coverage from a security tooling perspective, making them more exploitable and useful for adversaries."

The breach occurred when the attacker exploited a vulnerability in the process Codecov used to create Docker images for its own development. The attacker extracted the credential needed to modify a command-line tool, Bash Uploader, that client used to send reports to the company. The tool, instead, sent reports to a server at a third-party site.

Software supply chains have become a significant target of attackers. Increasingly, attackers have attempted to compromise open-source components and projects, using techniques such as dependency typosquatting or just buying a project outright. In addition, attackers have compromised the update mechanism for widely-used software as a way to deliver malware to customers, a technique used to spread NotPetya, infect users of Piriform's CCleaner, and compromise thousands of enterprises who use SolarWinds' Orion.

Bash Uploader Weaponized

In Codecov's case, the attackers turned the company's Bash Uploader—normally used to send software scanning reports to the company—into a Trojan horse, which also sent information on the victim's software environment, including the credentials needed to access parts of that environment.

As of the evening of April 15, the company had reached out affected customers but stressed that its investigation is ongoing. 

"We are still actively assessing the impact of this event on our customers," the company said, adding, "Out of an abundance of caution, if you used the Bash Uploaders between January 31, 2021 and April 1, 2021 and did not conduct a checksum validation of the Bash Uploader, we would suggest you re-roll all of your credentials, tokens, or keys located in the environment variables in your CI process."

Codecov replaced the malicious script as of April 1 and has taken a number of steps to defend its software and network, including regenerating all internal credentials and software keys and auditing where and how the leaked key was used, the company said. The firm has also begun monitoring the Bash Uploader program to make sure that the same type of attack does not happen in the future, CEO Engelberg said in his statement.

Codecov declined to provide a comment to Dark Reading, beyond its public statement. The company has not attributed the attack to any group or nation-state.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27952
PUBLISHED: 2021-08-03
Hardcoded default root credentials exist on the ecobee3 lite 4.5.81.200 device. This allows a threat actor to gain access to the password-protected bootloader environment through the serial console.
CVE-2021-27953
PUBLISHED: 2021-08-03
A NULL pointer dereference vulnerability exists on the ecobee3 lite 4.5.81.200 device in the HomeKit Wireless Access Control setup process. A threat actor can exploit this vulnerability to cause a denial of service, forcing the device to reboot via a crafted HTTP request.
CVE-2021-27954
PUBLISHED: 2021-08-03
A heap-based buffer overflow vulnerability exists on the ecobee3 lite 4.5.81.200 device in the HKProcessConfig function of the HomeKit Wireless Access Control setup process. A threat actor can exploit this vulnerability to force the device to connect to a SSID or cause a denial of service.
CVE-2021-31630
PUBLISHED: 2021-08-03
Command Injection in Open PLC Webserver v3 allows remote attackers to execute arbitrary code via the "Hardware Layer Code Box" component on the "/hardware" page of the application.
CVE-2021-32772
PUBLISHED: 2021-08-03
Poddycast is a podcast app made with Electron. Prior to version 0.8.1, an attacker can create a podcast or episode with malicious characters and execute commands on the client machine. The application does not clean the HTML characters of the podcast information obtained from the Feed, which allows ...