Codecov Breach

OVERVIEW | Codecov Breach

Supply chain attacks are far from new. We previously covered the SolarWinds attack, which may be the biggest software supply chain attack disclosed, as well as the most damaging supply chain attack to users. In more recent news, a new cyber-attack similar to the SolarWinds attack was discovered on a software testing platform – Codecov, which is a supplier of code management and audit solutions.

Codecov first discovered the attack on April 1^st, disclosing this to the public on April 15^th. However, investigations into the attack suggest that it first occurred months earlier, possibly as far back as January 31^st, yet went unnoticed for several months. The adversary was able to gain access to Codecov’s Bash Uploader script using credentials stolen by exploiting an error in Codecov’s Docker image creation process. The adversary then replaced Codecov’s IP address within the Bash Uploader script to the adversary’s own IP address, rerouting the data to send information to the adversary instead of Codecov.

The altered version of the Bash Uploader script could potentially affect the following references from Codecov:

• Any credentials, tokens, or keys that were passing through their CI runner that would be accessible when the Bash Uploader script was executed.
• Any services, datastores, and application code that could be accessed with these credentials, tokens, or keys.
• The git remote information (URL of the origin repository) of repositories using the Bash Uploaders to upload coverage to Codecov in CI.

Moving Forward

Proficio’s Threat Intelligence Team has been diligently researching the attack and how it may have affected our clients. There will be a continuous and ongoing effort to help ensure that all our clients are not being compromised by this campaign, through the following:

• Gathering of IOCs and TTPs of the attack
  • Although no IP addresses of the third-party servers were disclosed to the public, our team is currently researching on the TTPs to potentially identify traffic on data exfiltration attempt
• Performing threat hunting on potential exfiltration of data associated with campaign against our client SIEMs for the past three months
• Documenting and investigating any potential incidents
• Providing updates of threat hunting results to all Client Success Manager and Security Advisors, so they can alert clients, as applicable

General Recommendations

Given that the breach is newly discovered, there is still a lot of uncertainty as to how much damage it can bring to victim systems. As such, we always recommend our clients to keep the systems, and in this case, the scripts patched and up to date.

Clients that utilize Codecov as a service are strongly advised to run through Codecov’s recommendation and guidelines. For any Proficio clients who are unsure about logs investigations, please reach out to your assigned Client Success Manager or Security Advisors for the next steps.

Reference link

• https://about.codecov.io/security-update/
• https://www.bleepingcomputer.com/news/security/hundreds-of-networks-reportedly-hacked-in-codecov-supply-chain-attack/
• https://www.reuters.com/technology/us-investigators-probing-breach-san-francisco-code-testing-company-firm-2021-04-16/
• https://www.reuters.com/technology/codecov-hackers-breached-hundreds-restricted-customer-sites-sources-2021-04-19/
• https://www.zdnet.com/article/codecov-breach-impacted-hundreds-of-customer-networks/
• https://latesthackingnews.com/2021/04/26/codecov-breach-following-supply-chain-attack-affected-hundreds-of-networks/