In late April 2021, the popular software testing platform Codecov suffered a significant breach: attackers planted a backdoor in Codecov to gain access to customers’ sensitive data. It affected an as-yet-undetermined number of its roughly 29,000 customers, including prominent names such as GoDaddy, The Washington Post, Procter & Gamble (P&G), and the Australian software firm Atlassian Corporation PLC.
Security investigators have been paying close attention to the situation in order to assess the scale and nature of the attack. In this blog, we will look at how far the inquiry has come and consider some of the incident’s possible consequences.
Codecov Breach Incident
On April 24th, a Codecov customer announced that the recent Codecov supply-chain attack had exposed HashiCorp’s GPG signing key (HashiCorp is the maker of open-source infrastructure tools, including Vault).
Although Codecov discovered the breach on April 1st, 2021, the supply-chain attack appears to have begun on or around January 31, 2021. It is believed that the attackers were able to look into customer data during this period, although there has been no proof that any customer data was exfiltrated or exploited.
Codecov provides code coverage and software testing tools; the goal is to let users ship “healthier” code within the DevOps cycle. Nevertheless, highly skilled attackers tampered with the Codecov Bash Uploader script by exploiting a flaw in the way Codecov built its Docker images. They used this to modify the script so that it sent environment variables from Codecov customers’ CI runs to a remote server. While the attackers may have launched various follow-on attacks from there, prior disclosures show that one route they did follow was accessing private git repositories using the CI environment’s git credentials, then misusing the secrets and data contained inside.
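The attack worked because CI jobs fetched and executed the uploader script without checking it. As an added defensive illustration (not code from Codecov or from this post’s author), the following CI step pins the script’s SHA-256 digest in the repository and refuses to execute a copy whose digest differs; the function names, the download URL and the pinned digest are assumptions.

```shell
#!/bin/sh
# Added example: execute a downloaded CI helper only if its SHA-256 matches a
# digest pinned in the repo. Assumes coreutils sha256sum (or BSD shasum) and
# curl are installed. The pinned digest would come from the vendor's signed
# checksum file, committed alongside the pipeline, not fetched at run time.

sha256_of() {
  # Print the hex SHA-256 of file $1, using whichever tool is present.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

verify_script() {
  # verify_script FILE EXPECTED_SHA256 -> 0 if the digest matches, 1 otherwise.
  actual=$(sha256_of "$1")
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  echo "refusing to run $1: digest $actual does not match pinned $2" >&2
  return 1
}

run_verified() {
  # run_verified URL EXPECTED_SHA256: download to a temp file, verify, and
  # only then execute. Never pipe curl straight into a shell.
  url=$1; expected=$2
  tmp=$(mktemp) || return 1
  if ! curl -fsSL "$url" -o "$tmp"; then
    rm -f "$tmp"; return 1
  fi
  if verify_script "$tmp" "$expected"; then
    sh "$tmp"; rc=$?
  else
    rc=1
  fi
  rm -f "$tmp"
  return $rc
}

# Typical CI usage (hypothetical URL and digest):
# run_verified "https://example.invalid/uploader.sh" "<pinned sha256 hex>"
```

A mismatch fails the job loudly instead of silently running a modified script, which is exactly the signal a team would have wanted during the window described above.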
April Satter Reuters Investigation
As a result, federal authorities in the United States have stepped in and are investigating the incident extensively.
According to an IBM representative, there do not appear to be any “modifications of code involving clients” or the firm itself at this time.
Nevertheless, an Atlassian official told BleepingComputer:
“We are aware of the claims and we are investigating them.”
“At this moment, we have not found any evidence that we have been impacted nor have identified signs of a compromise.”
Reuters stated: “the attacker had gained full access to certain parts of computing infrastructure for more than three months and could potentially have exfiltrated large amounts of sensitive data or planted malicious code without detection”.
Reuters also reported that Codecov has discovered further potential entry points for attackers, which are currently being investigated by security teams at both Codecov and the third-party services it integrates with.
Hewlett Packard Enterprise spokesman Adam Bauer stated:
“HPE has a dedicated team of professionals investigating this matter, and customers should rest assured we will keep them informed of any impacts and necessary remedies as soon as we know more.”
The Effects of the Codecov breach on its customers
Several clients who rely on Codecov’s services for automated code review and testing before releasing new software versions to production are concerned about the incident.
If you use Codecov, you may be affected in several ways. Credentials, tokens, or keys that clients pass through the CI runner executing the Bash Uploader script may have been exposed, and, most importantly, the application code and databases reachable with those credentials are at risk. Attackers may also have obtained the git remote information of any repositories that used the Bash Uploader to upload coverage to Codecov in CI. Customers who run the platform on-premises are not affected, since their CI was not touched.
According to Codecov, the problem has since been resolved, and affected customers were contacted on April 15 through the email addresses on file. Users who have not already done so are advised to roll their credentials.
It is difficult to eliminate the danger of a breach entirely. Codecov is also developing a new monitoring system to prevent such “unintended changes” in the future. The attack was clearly carried out by competent attackers: although they exploited a mistake, it was not a simple hack.
Still, this event serves as a warning to firms everywhere of the importance of continuously reviewing their security processes in order to avoid such situations in the future.