Dark Reading is part of the Informa Tech Division of Informa PLC
Rapid7 Is the Latest Victim of a Software Supply Chain Breach

Security vendor says attackers accessed some of its source code using a previously compromised Bash Uploader script from Codecov.

An unknown number of Rapid7 customers — and Rapid7 itself — have become the latest victims of security incidents affecting trusted third-party software supply chain partners.

On Friday, Rapid7 disclosed that attackers had accessed some of its source code repositories via a third-party Bash Uploader from Codecov that the security vendor was using in its development environment.


The attackers had previously compromised the uploader and modified it so code and associated data from Rapid7 and other Codecov customer environments would be uploaded to an attacker-controlled server — in addition to Codecov's own systems as intended.

Many companies use Codecov's software to measure how thoroughly they are testing software in development for security and other issues. Codecov's Bash Uploader script is used to upload certain data from customer CI environments to Codecov's own servers, and that data can include credentials, tokens, or keys.

In January 2021, an attacker gained access to the Bash Uploader by taking advantage of an error in Codecov's Docker image creation process. According to Codecov, the configuration error allowed the attacker to extract a credential for modifying the Bash Uploader script. Codecov did not discover the modification until four months later, in April 2021.

During that period, the attacker used the modified Bash Uploader to access and export data from Codecov customer continuous integration (CI) environments to a remote server. Codecov described the compromised Bash Uploader as giving attackers the ability to potentially extract a range of information from CI environments, including credentials as well as any services, data stores, and application code associated with these credentials.
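A defensive CI check for the failure mode described above, written here as an added example (not Rapid7's, Codecov's, or the article's code): the fetched uploader is only run if its SHA-256 matches a hash pinned in the repository and every curl/wget destination inside it is on an egress allowlist, so an injected line posting CI data elsewhere fails both checks. The sample uploader, the tampered line and the host names are constructed, and `make_sample_script`, `verify_pinned_hash` and `check_egress_allowlist` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from Rapid7, Codecov, or the article): a CI step that
# refuses to execute a fetched uploader script unless (a) its SHA-256 matches
# a hash pinned in the repository and (b) every curl/wget target in it is on
# an egress allowlist. The sample script and host names below are constructed.
set -eu

# Portable SHA-256 (Linux: sha256sum; macOS: shasum -a 256).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Returns 0 if the file's hash equals the pinned hash, 1 otherwise.
verify_pinned_hash() {  # $1=file  $2=expected sha256 (lowercase hex)
    [ "$(sha256_of "$1")" = "$2" ]
}

# Returns 0 if every curl/wget URL in the script points at an allowed host,
# 1 if any line sends data elsewhere (the kind of change seen in this incident).
check_egress_allowlist() {  # $1=file  $2=space-separated allowed hosts
    grep -E '(^|[^A-Za-z0-9_])(curl|wget)([^A-Za-z0-9_]|$)' "$1" |
    grep -Eo 'https?://[A-Za-z0-9._-]+' | sed -E 's#^https?://##' |
    while IFS= read -r host; do
        case " $2 " in
            *" $host "*) ;;
            *) echo "disallowed egress host: $host" >&2; exit 1 ;;
        esac
    done
}

# Writes a constructed stand-in for a coverage uploader to $1; an optional
# extra line ($2) is appended so a tampered copy can be produced for testing.
make_sample_script() {  # $1=output path  $2=extra line or empty string
    cat > "$1" <<'EOF'
#!/bin/bash
# constructed stand-in for a coverage uploader (not the real script)
report="$(cat coverage.txt 2>/dev/null || true)"
curl -sS -X POST --data-binary "$report" https://codecov.io/upload/v4
EOF
    [ -z "$2" ] || printf '%s\n' "$2" >> "$1"
}
```

In a pipeline, store the pinned hash in version control, run `verify_pinned_hash` and `check_egress_allowlist` against the downloaded file, and only then execute it, instead of piping a fresh download straight into bash.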

Rapid7 said that when it learned of the incident at Codecov, it initiated an internal response process to understand how the company might have been affected. The investigation showed that attackers had used the compromised Bash Uploader to access "a small subset" of source code related to tooling for the company's managed detection and response (MDR) service.

"Those repositories contained some internal credentials, which have all been rotated, and alert-related data for a subset of our MDR customers," Rapid7 said Friday.

Rapid7 described its use of Codecov's Bash Uploader as limited to a single CI server set up for its MDR service. As a result, no production environments or other corporate systems were accessed or modified, the security vendor said. The small — but undisclosed — number of Rapid7 customers that may have been affected in the attack have all been notified and advised of mitigation measures, Rapid7 said.

Growing List
Rapid7 and its customers are the latest in a growing list of victims of software supply chain incidents in recent months. The most notable example remains the one that SolarWinds disclosed last December, which affected some 18,000 organizations worldwide. In that incident, a nation-state actor gained access to SolarWinds' development environment and planted a backdoor in software that was later sent out as automatic updates of the company's Orion network management technology. In another incident, an attacker compromised a near-obsolete file transfer technology from Accellion and used it to exfiltrate data from several large organizations.

Concerns over such incidents appear to have prompted President Biden to make software supply chain security a major focus of a new executive order on cybersecurity that he issued last week.

"Rapid7 is the latest in a string of companies to be severely impacted by security supply chain-related attacks," says Kevin Dunne, president of Pathlock. "Security vendors are often high-value targets, as they have deep, trusted access to networks that can provide an effective Trojan horse for bad actors."

Though the impact to Rapid7 customers seems minimal, they need to remain on high alert, Dunne says. He advocates they work closely with Rapid7's incident response and support teams to make any necessary updates. "In the meantime," he adds, "they should monitor activity on their network, applications, and devices to highlight any suspicious behavior coming from Rapid7's software and mitigate any potential threats."

Setu Kulkarni, vice president of strategy at Whitehat Security, says that, based on current information, the impact on Rapid7's customers appears minimal. Even so, it is curious that the company would keep MDR-related data in a code repo on a non-production server in the first place. "If it were, did it pass the security controls for data at rest?" Kulkarni asks. "Broadly, [the incident] does highlight why customer-related data should not be stored in code repos and, if anything, dummy anonymized data should be used for testing."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
