ransomware attacks reflect a broader

Codecov state that, with the compromised credentials, ‘services, datastores, and application code could be accessed’.

‘Supply chain, phishing, and ransomware attacks reflect a broader trend that cyber criminals want to exploit multiple organisations through a single point-of-attack.’ – Eva Velasquez, CEO, Identity Theft Resource Center (ITRC)

The attack was made public knowledge in April, but it is said that reports of interference had been made as early as the 31st of January, three months prior.
Rapid7 have reported that the Bash uploader was used on a CI server that the company used to test and build tooling internally for their Managed Detection and Response (MDR) capabilities, and that the attackers infiltrated source code repositories for MDR and internal credentials. They report that the breached source code subset was used for internal tooling.

Rapid7 were notified of the breach via an email from the Codecov app. Since then, Rapid7 report that these repositories have now been rotated, and that customers have been alerted about the data breach and that the attackers may have downloaded source code repositories.

Codecov has responded by removing the unauthorised bad actor from their systems, and is introducing tools to prevent another attack, specifically another supply chain attack, from affecting their business and the business of related users.

As of this morning (18th of May 2021), more companies have come forward publicly after realising that they have been impacted. Monday.com are on the list and recognise the implications for their system. ‘Although the Codecov attack went undetected for two months, the full extent of the attack continues to unfold even after its discovery.’
