Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:57 PM

Attackers Compromised Code-Checking Vendor's Tool for Two Months

A script used to upload sensitive reports-with access to credentials and datastores-likely sent information on hundreds, possibly thousands, of companies to attackers.

In a software supply-chain attack reminiscent of the SolarWinds compromise, unknown attackers used a vulnerable tool published by code checking firm Codecov for a little over two months to collect sensitive development information from the company's clients.

Codecov, which provides tools and services to check how well software tests are covering code under development, in a statement published on Friday warned that attackers had modified a command-line upload tools to also send sensitive information to the attackers. At-risk data includes credentials, software tokens, and keys—and the data and code that could be accessed with those secrets—as well as the remote repository information.

Related Content:

Attackers Turn Struggling Software Projects Into Trojan Horses

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: How to Create an Incident Response Plan From the Ground Up

The firm recommended that clients use a script to create a list of credentials that could be accessed by its software and consider those credentials and secrets compromised.

"If anything returned from that command is considered private or sensitive we strongly recommend invalidating the credential and generating a new one," Jerrod Engelberg, CEO of Codecov, said in a statement. "Additionally, we would recommend that you audit the use of these tokens in your system."

Codecov first became aware of the breach on April 1, after a customer reported a discrepancy in the check sum used to verify the integrity and authenticity of the tool. The company began investigating and has brought in federal law enforcement, Codecov said in its statement. The attackers likely had access to the system since the end of January, according to the company's investigation. While CodeCov did not specify how many clients were affected by the breach, its website states that more than 29,000 enterprises use its service.

A breach at a software supplier that could have impacted thousands of client firms puts the attack squarely on the level of the SolarWinds compromise, says Asaf Karas, co-founder and chief technology officer for Vdoo, an Internet-of-Things security platform.

"The Codecov system breach is yet another example that highlights the need to verify and scan any third-party software artifacts introduced to enterprise networks or applications, especially as part of the build chain," he says. "Shell scripts, in particular, aren't being given enough attention and coverage from a security tooling perspective, making them more exploitable and useful for adversaries."

The breach occurred when the attacker exploited a vulnerability in the process Codecov used to create Docker images for its own development. The attacker extracted the credential needed to modify a command-line tool, Bash Uploader, that client used to send reports to the company. The tool, instead, sent reports to a server at a third-party site.

Software supply chains have become a significant target of attackers. Increasingly, attackers have attempted to compromise open-source components and projects, using techniques such as dependency typosquatting or just buying a project outright. In addition, attackers have compromised the update mechanism for widely-used software as a way to deliver malware to customers, a technique used to spread NotPetya, infect users of Piriform's CCleaner, and compromise thousands of enterprises who use SolarWinds' Orion.

Bash Uploader Weaponized

In Codecov's case, the attackers turned the company's Bash Uploader—normally used to send software scanning reports to the company—into a Trojan horse, which also sent information on the victim's software environment, including the credentials needed to access parts of that environment.

As of the evening of April 15, the company had reached out affected customers but stressed that its investigation is ongoing. 

"We are still actively assessing the impact of this event on our customers," the company said, adding, "Out of an abundance of caution, if you used the Bash Uploaders between January 31, 2021 and April 1, 2021 and did not conduct a checksum validation of the Bash Uploader, we would suggest you re-roll all of your credentials, tokens, or keys located in the environment variables in your CI process."

Codecov replaced the malicious script as of April 1 and has taken a number of steps to defend its software and network, including regenerating all internal credentials and software keys and auditing where and how the leaked key was used, the company said. The firm has also begun monitoring the Bash Uploader program to make sure that the same type of attack does not happen in the future, CEO Engelberg said in his statement.

Codecov declined to provide a comment to Dark Reading, beyond its public statement. The company has not attributed the attack to any group or nation-state.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
How Data Breaches Affect the Enterprise
Data breaches continue to cause negative outcomes for companies worldwide. However, many organizations report that major impacts have declined significantly compared with a year ago, suggesting that many have gotten better at containing breach fallout. Download Dark Reading's Report "How Data Breaches Affect the Enterprise" to delve more into this timely topic.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-11-29
Zoho ManageEngine ServiceDesk Plus before 11306 is vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.
PUBLISHED: 2021-11-29
S3Scanner before 2.0.2 allows Directory Traversal via a crafted bucket, as demonstrated by a <Key>../ substring in a ListBucketResult element.
PUBLISHED: 2021-11-28
A Remote Command Execution vulnerability on the background in zrlog 2.2.2, at the upload avatar function, could bypass the original limit, upload the JSP file to get a WebShell
PUBLISHED: 2021-11-28
ZrLog 2.2.2 has a remote command execution vulnerability at plugin download function, it could execute any JAR file
PUBLISHED: 2021-11-27
janus-gateway is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')