CodeCov supply-chain compromise likened to SolarWinds attack

CodeCov, a company that creates software auditing tools for developers, was recently breached (the company says it was breached on April 1, and reported it on the April 15). According to investigators, this incident, in turn, gave attackers access to an unknown number of CodeCov’s clients’ networks.

One cannot help but think that this knock-on breach effect is a supply-chain attack, similar to what happened to SolarWinds and their clients.

As you may recall, in the SolarWinds attack multiple companies reported being breached by state-sponsored adversaries, following an attack on the IT company SolarWinds that resulted in undetected modifications to its products. Those affected included FireEye, which resulted in the theft of their Red Team assessment tools; Microsoft; and departments in the US Treasury and Commerce.

Like SolarWinds, this seems like another attempt to add malicious code to products supplied to other organizations, so as to compromise those organizations, and potentially the software products they supply too.

CodeCov said that its Bash Uploader script, used by clients to find and upload code coverage reports to CodeCov, had been initially tampered with at the end of January this year. This wouldn’t have been found out if a client hadn’t raised concerns on April 1. According to the company, attackers were able to gain access to and alter the script by exploiting an error in CodeCov’s Docker image creation process.

A security update post by CodeCov states:

Our investigation has determined that beginning January 31, 2021, there were periodic, unauthorized alterations of our Bash Uploader script by a third party, which enabled them to potentially export information stored in our users’ continuous integration (CI) environments. This information was then sent to a third-party server outside of Codecov’s infrastructure,”

Because the script is allowed to search through users’ code it potentially has access to any credentials stored with that code. This could have given the attackers access to systems inside CodeCov’s clients’ networks, and in turn, the code that those companies are developing and supplying to others. And because it is expected to upload data outside of the clients’ networks, the upload script also offered an easy exfiltration route for the stolen data.

According to Reuters, the CodeCov attackers rapidly copied and pasted credentials from compromised customers, via an automated script, and used an automated way of searching for other resources (it’s not clear if these are references to the bash upload script, which seems to fit that description, or some other tools). “The hackers put extra effort into using CodeCov to get inside other makers of software development programs, as well as companies that themselves provide many customers with technology services, including IBM,” Reuters also revealed in an interview with one of the investigators.

Reuters reports that IBM, Atlassian, and other clients of CodeCov have claimed that their code has not been altered, while not address issues on credentials. Hewlett Packard Enterprise, another CodeCov client, has yet to determine if they or any of their clients have been affected by this breach according to the news service.

CodeCov says the modified Bash Uploader could affect:

– Any credentials, tokens, or keys that our customers were passing through their [Continuous Integration] runner that would be accessible when the Bash Uploader script was executed.

– Any services, data stores, and application code that could be accessed with these credentials, tokens, or keys.

– The git remote information (URL of the origin repository) of repositories using the Bash Uploaders to upload coverage to Codecov in CI.

CodeCov has a list of recommended actions to take. This includes “all of their credentials, tokens, or keys located in the environment variables in their CI processes that used one of Codecov’s Bash Uploaders.” If you’re a CodeCov client, go here for more details. You will also find in there a list of actions they have taken in response to this breach.