Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


End of Bibblio RCM includes -->

Attackers Compromised Code-Checking Vendor's Tool for Two Months

A script used to upload sensitive reports-with access to credentials and datastores-likely sent information on hundreds, possibly thousands, of companies to attackers.

In a software supply-chain attack reminiscent of the SolarWinds compromise, unknown attackers used a vulnerable tool published by code checking firm Codecov for a little over two months to collect sensitive development information from the company's clients.

Codecov, which provides tools and services to check how well software tests are covering code under development, in a statement published on Friday warned that attackers had modified a command-line upload tools to also send sensitive information to the attackers. At-risk data includes credentials, software tokens, and keys—and the data and code that could be accessed with those secrets—as well as the remote repository information.

Related Content:

Attackers Turn Struggling Software Projects Into Trojan Horses

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: How to Create an Incident Response Plan From the Ground Up

The firm recommended that clients use a script to create a list of credentials that could be accessed by its software and consider those credentials and secrets compromised.

"If anything returned from that command is considered private or sensitive we strongly recommend invalidating the credential and generating a new one," Jerrod Engelberg, CEO of Codecov, said in a statement. "Additionally, we would recommend that you audit the use of these tokens in your system."

Codecov first became aware of the breach on April 1, after a customer reported a discrepancy in the check sum used to verify the integrity and authenticity of the tool. The company began investigating and has brought in federal law enforcement, Codecov said in its statement. The attackers likely had access to the system since the end of January, according to the company's investigation. While CodeCov did not specify how many clients were affected by the breach, its website states that more than 29,000 enterprises use its service.

A breach at a software supplier that could have impacted thousands of client firms puts the attack squarely on the level of the SolarWinds compromise, says Asaf Karas, co-founder and chief technology officer for Vdoo, an Internet-of-Things security platform.

"The Codecov system breach is yet another example that highlights the need to verify and scan any third-party software artifacts introduced to enterprise networks or applications, especially as part of the build chain," he says. "Shell scripts, in particular, aren't being given enough attention and coverage from a security tooling perspective, making them more exploitable and useful for adversaries."

The breach occurred when the attacker exploited a vulnerability in the process Codecov used to create Docker images for its own development. The attacker extracted the credential needed to modify a command-line tool, Bash Uploader, that client used to send reports to the company. The tool, instead, sent reports to a server at a third-party site.

Software supply chains have become a significant target of attackers. Increasingly, attackers have attempted to compromise open-source components and projects, using techniques such as dependency typosquatting or just buying a project outright. In addition, attackers have compromised the update mechanism for widely-used software as a way to deliver malware to customers, a technique used to spread NotPetya, infect users of Piriform's CCleaner, and compromise thousands of enterprises who use SolarWinds' Orion.

Bash Uploader Weaponized

In Codecov's case, the attackers turned the company's Bash Uploader—normally used to send software scanning reports to the company—into a Trojan horse, which also sent information on the victim's software environment, including the credentials needed to access parts of that environment.

As of the evening of April 15, the company had reached out affected customers but stressed that its investigation is ongoing. 

"We are still actively assessing the impact of this event on our customers," the company said, adding, "Out of an abundance of caution, if you used the Bash Uploaders between January 31, 2021 and April 1, 2021 and did not conduct a checksum validation of the Bash Uploader, we would suggest you re-roll all of your credentials, tokens, or keys located in the environment variables in your CI process."

Codecov replaced the malicious script as of April 1 and has taken a number of steps to defend its software and network, including regenerating all internal credentials and software keys and auditing where and how the leaked key was used, the company said. The firm has also begun monitoring the Bash Uploader program to make sure that the same type of attack does not happen in the future, CEO Engelberg said in his statement.

Codecov declined to provide a comment to Dark Reading, beyond its public statement. The company has not attributed the attack to any group or nation-state.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-06-30
In Das U-Boot through 2022.07-rc5, an integer signedness error and resultant stack-based buffer overflow in the "i2c md" command enables the corruption of the return address pointer of the do_i2c_md function.
PUBLISHED: 2022-06-29
The firmware of EDIMAX IC-3140W Version 3.11 is hardcoded with Administrator username and password.
PUBLISHED: 2022-06-29
Joy ebike Wolf Manufacturing year 2022 is vulnerable to Denial of service, which allows remote attackers to jam the key fob request via RF.
PUBLISHED: 2022-06-29
Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_service.
PUBLISHED: 2022-06-29
Code Injection in GitHub repository getgrav/grav prior to 1.7.34.