An unknown number of Rapid7 customers — and Rapid7 itself — have become the latest victims of security incidents affecting trusted third-party software supply chain partners.
On Friday, Rapid7 disclosed that attackers had accessed some of its source code repositories via a third-party Bash Uploader from Codecov that the security vendor was using in its development environment.
The attackers had previously compromised the uploader and modified it so code and associated data from Rapid7 and other Codecov customer environments would be uploaded to an attacker-controlled server — in addition to Codecov's own systems as intended.
Many companies use Codecov's software to measure how much of their code is actually exercised by their tests. Codecov's Bash Uploader script runs inside a customer's continuous integration (CI) job and sends coverage reports, together with metadata from the CI environment, to Codecov's servers. Because it executes inside the CI job, the script can read whatever credentials, tokens, or keys that job exposes to it.
On January 31, 2021, an attacker gained access to the Bash Uploader by taking advantage of an error in Codecov's Docker image creation process. According to Codecov, the configuration error allowed the attacker to extract a credential for modifying the Bash Uploader script. Codecov did not discover the modification until April 1, 2021, roughly two months later.
During that period, the attacker used the modified Bash Uploader to access and export data from Codecov customer continuous integration (CI) environments to a remote server. Codecov described the compromised Bash Uploader as giving attackers the ability to potentially extract a range of information from CI environments, including credentials as well as any services, data stores, and application code associated with these credentials.
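The attack worked because CI pipelines fetched the uploader from Codecov and ran it without checking that it was the script they expected. One control that would have caught the tampering is to pin the hash of the third-party script and refuse to execute a downloaded copy that does not match. The following is an added example, not Codecov's own script or checksum; the file names and the pinned hash are constructed for the illustration, and the `fetch_and_run_pinned` helper is a hypothetical wrapper around `curl`.

```bash
#!/usr/bin/env bash
# Added example: integrity-check a third-party CI script before running it.
# Nothing here is Codecov's real uploader or checksum; the hash you pin must
# come from the vendor's published checksum, fetched and compared out of band.
set -euo pipefail

# sha256_of <file>: print the SHA-256 hex digest of a file.
# Uses sha256sum where available, shasum on systems that lack it.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_script <file> <expected-sha256>
# Returns 0 only if the file's digest equals the pinned value; otherwise it
# prints both digests to stderr and returns 1 so the caller can abort the job.
verify_script() {
  local file="$1" expected="$2" actual
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "integrity check failed for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  return 0
}

# fetch_and_run_pinned <url> <expected-sha256>
# Hypothetical CI wrapper: download to a temporary file, verify, then run.
# The script is never executed if the digest does not match the pinned one.
fetch_and_run_pinned() {
  local url="$1" expected="$2" tmp
  tmp=$(mktemp)
  curl -fsSL "$url" -o "$tmp"
  if verify_script "$tmp" "$expected"; then
    bash "$tmp"
  else
    rm -f "$tmp"
    return 1
  fi
  rm -f "$tmp"
}
```

Pinning a hash means the pipeline must be updated deliberately whenever the vendor ships a new version of the script; that is the point, since an unexpected change in the bytes is exactly the signal that something upstream was altered. It also pays to give the CI job only the secrets the uploader needs, because anything else in its environment is equally readable by a tampered copy.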
Rapid7 said that when it learned of the incident at Codecov, it initiated an internal response process to understand how the company might have been affected. The investigation showed that attackers had used the compromised Bash Uploader to access "a small subset" of source code related to tooling for the company's managed detection and response (MDR) service.
"Those repositories contained some internal credentials, which have all been rotated, and alert-related data for a subset of our MDR customers," Rapid7 said Friday.
Rapid7 described the use of Codecov's Bash Uploader as being limited to a single CI server set up for its MDR service. As a result, no production environments or other corporate systems were accessed or modified, the security vendor said. The small but undisclosed number of Rapid7 customers that may have been affected in the attack have all been notified and advised of mitigation measures, Rapid7 said.
Rapid7 and its customers are the latest in a growing list of victims of software supply chain incidents in recent months. The most notable example remains the one that SolarWinds disclosed last December, in which a trojanized update was downloaded by as many as 18,000 customers worldwide. In that incident, a nation-state actor gained access to SolarWinds' development environment and planted a backdoor in software that was later sent out as automatic updates of the company's Orion network management technology. In another incident, an attacker compromised Accellion's legacy File Transfer Appliance (FTA) and used it to exfiltrate data from several large organizations.
Concerns over such incidents appear to have prompted President Biden to make software supply chain security a major focus of a new executive order on cybersecurity that he issued last week.
"Rapid7 is the latest in a string of companies to be severely impacted by security supply chain-related attacks," says Kevin Dunne, president of Pathlock. "Security vendors are often high-value targets, as they have deep, trusted access to networks that can provide an effective Trojan horse for bad actors."
Though the impact to Rapid7 customers seems minimal, they need to remain on high alert, Dunne says. He advocates that they work closely with Rapid7's incident response and support teams to make any necessary updates. "In the meantime," he adds, "they should monitor activity on their network, applications, and devices to highlight any suspicious behavior coming from Rapid7's software and mitigate any potential threats."
Setu Kulkarni, vice president of strategy at Whitehat Security, says that based on current information, the impact on Rapid7's customers appears minimal. Even so, it is curious that the company would keep MDR-related data in a code repo on a non-production server in the first place. "If it were, did it pass the security controls for data at rest?" Kulkarni asks. "Broadly, [the incident] does highlight why customer-related data should not be stored in code repos and, if anything, dummy anonymized data should be used for testing."