Rapid7 says that the supply chain attack on Codecov’s continuous integration (CI) tooling exposed a subset of its source code and customer data. Rapid7 is the third major tech company to acknowledge being compromised through the Codecov supply chain attack.
On April 15, Codecov warned its customers that attackers had introduced a backdoor into its Bash Uploader script as early as January 31, 2021. Consistent with what Rapid7 later disclosed, Codecov had warned that the attackers could potentially download its customers’ code repositories.
The cybersecurity firm said it didn’t use Codecov’s CI server for its end products.
“Our use of Codecov’s Bash Uploader script was limited: it was set up on a single CI server used to test and build some internal tooling for our Managed Detection and Response (MDR) service. We were not using Codecov on any CI server used for product code.”
The exposed repositories contained some internal credentials and alert-related data for a subset of Rapid7’s MDR customers. The company added that no other corporate systems or production environments were accessed, and the hackers did not make any unauthorized changes to its code repositories.
Consequently, Rapid7 asserted that the attackers did not compromise the Insight platform or its other products, nor did they gain access to any customer data, whether stored or in transit.
“Through our investigation, we have found no evidence of access of our Insight platform or products, nor access to any customer data sent through or stored in either,” Rapid7’s disclosure stated.
The company also notified the affected customers and advised them to take appropriate steps to mitigate the risks associated with the supply chain attack.
Fallout from the Codecov supply chain attack
According to Codecov’s statement, approximately 29,000 companies use its development tools, including GoDaddy, Procter & Gamble, Lululemon, RBC, Mozilla, Elastic, and others.
According to federal investigators, the hackers compromised hundreds of networks following the supply chain attack. Most cybersecurity experts also compared the Codecov security incident to the SolarWinds supply chain attack.
Codecov’s supply chain attack exposed companies’ CI environment variables, including credentials, tokens, and API keys. The attackers exploited a flaw in Codecov’s Docker image creation process to modify the Bash Uploader so that it reported to an IP address they controlled instead of Codecov’s. This allowed the modified script to post users’ environment data to the attackers’ servers.
Codecov customers were advised to apply various mitigations, including rotating keys and tokens. Additionally, they should scan their continuous development and integration environments for potential compromise originating from the supply chain attack.
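The two mitigations above, scanning CI environments and rotating exposed secrets, are concrete enough to show as code. The following is an added illustration, not Codecov’s or Rapid7’s code: it flags CI steps that pipe a freshly downloaded script straight into a shell (the pattern the Bash Uploader relied on, so that whatever the remote host serves at that moment gets executed), checks a downloaded script against a pinned SHA-256 digest before it is allowed to run, and lists the environment variables that look like secrets so a team knows what to rotate. The CI snippet, the script bytes, the hostname `uploader.example.invalid` and the digest are all constructed for the example.

```python
"""Defensive checks for CI pipelines that consume third-party upload scripts.

Added example; not the code of any vendor named in the article. Everything
below (the CI config, the script body, the hostname, the digest) is constructed.
"""
import hashlib
import hmac
import re

# Pattern 1: "curl|wget ... <url> ... | [sudo] bash|sh" on one line.
_PIPE_TO_SHELL = re.compile(
    r"\b(curl|wget)\b[^|\n]*https?://[^\s|]+[^|\n]*\|\s*(sudo\s+)?(ba)?sh\b"
)
# Pattern 2: "bash <(curl ...)" process substitution, same effect without a pipe.
_PROCESS_SUBST = re.compile(r"\b(ba)?sh\s+<\(\s*(curl|wget)\b")

# Constructed CI configuration: one unpinned pipe-to-shell step, one process
# substitution step, and one step that pins the script with a checksum file.
SAMPLE_CI_CONFIG = """\
steps:
  - name: Run tests
    run: make test
  - name: Upload coverage
    run: bash <(curl -s https://uploader.example.invalid/bash)
  - name: Upload coverage (pinned)
    run: |
      curl -fsSLo uploader.sh https://uploader.example.invalid/bash
      sha256sum -c uploader.sh.sha256
      bash uploader.sh
  - name: Upload coverage (unpinned)
    run: curl -s https://uploader.example.invalid/bash | bash
"""

# Constructed stand-in for a vetted uploader script, and the digest a team
# would have recorded when it first reviewed that script.
SAMPLE_SCRIPT = b"#!/usr/bin/env bash\nset -eu\necho 'uploading coverage report'\n"
PINNED_SHA256 = hashlib.sha256(SAMPLE_SCRIPT).hexdigest()

# Environment variable names that usually hold credentials.
_SECRET_NAME_HINTS = ("TOKEN", "SECRET", "PASSWORD", "PASSWD", "API_KEY", "ACCESS_KEY", "PRIVATE_KEY")


def find_pipe_to_shell(ci_config_text: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for every CI line that executes a remote script directly."""
    hits = []
    for n, line in enumerate(ci_config_text.splitlines(), start=1):
        if _PIPE_TO_SHELL.search(line) or _PROCESS_SUBST.search(line):
            hits.append((n, line.strip()))
    return hits


def verify_script_digest(script_bytes: bytes, expected_sha256_hex: str) -> bool:
    """Return True only if the script's SHA-256 matches the pinned digest.

    A CI step should download the script to a file, call this (or sha256sum -c)
    and refuse to execute the file when it returns False.
    """
    actual = hashlib.sha256(script_bytes).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def list_secret_like_env(env: dict[str, str]) -> list[str]:
    """Return sorted names of variables whose names suggest credentials.

    After an uploader that exfiltrated environment variables has run in a job,
    every one of these should be treated as exposed and rotated.
    """
    return sorted(name for name in env if any(h in name.upper() for h in _SECRET_NAME_HINTS))


if __name__ == "__main__":
    for n, line in find_pipe_to_shell(SAMPLE_CI_CONFIG):
        print(f"line {n}: executes a remote script without verification: {line}")
    print("pinned script digest matches:", verify_script_digest(SAMPLE_SCRIPT, PINNED_SHA256))
    tampered = SAMPLE_SCRIPT + b"echo tampered\n"
    print("tampered script digest matches:", verify_script_digest(tampered, PINNED_SHA256))
    constructed_env = {"CI": "true", "PATH": "/usr/bin", "GITHUB_TOKEN": "x", "AWS_SECRET_ACCESS_KEY": "y"}
    print("rotate these:", list_secret_like_env(constructed_env))
```

Pinning a digest only helps if the pinned value is updated through a reviewed change rather than fetched from the same host as the script; the checksum file in the pinned step above is assumed to live in the repository, not on `uploader.example.invalid`.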
Despite the large number of potential victims, only three companies have so far publicly acknowledged related compromises. The compromise of a company’s source code carries enormous reputational damage, so some organizations opt to stay silent.
HashiCorp was the first major company to publicly announce a data breach associated with the Codecov supply chain attack, followed by Twilio.
HashiCorp said that a private key used to sign its product releases was exposed in the breach. Similarly, Twilio disclosed that Codecov’s security incident exposed a small number of its customers’ email addresses.
Defending against software supply chain attacks
“This hack of Codecov shows us that the Supply Chain hack that affected SolarWinds and their customers is not a fluke,” says Garret Grajek, CEO, YouAttest. “Until we have a system that can validate all software before it’s installed, we have to ensure that we follow best practices in the enterprise.”
He noted that behaviors such as lateral movement, privilege escalation, and communication with command-and-control (C2) servers are common to most malware, and recommended mitigations that target those behaviors directly.
“Zero Trust principles are recommended for an architecture to mitigate lateral movement and communication to malicious C2s. Privilege escalation must be addressed by a virtually fanatical approach to detection in accounts – this should include both ongoing and triggered access reviews on privilege accounts and groups.”