Codecov Supply Chain Attack May Hit Thousands: Report
Experts have urged organizations to reassess cyber-risk in their supply chains as it emerged that hundreds of customers of a software auditing company had their networks accessed illegally.
Originally thought only to have affected the supplier, San Francisco-based Codecov, the incident is now believed to have been a deliberate supply chain attack likened in sophistication to the SolarWinds operation.
Investigators told Reuters that the attack had already led to hundreds of customers’ networks being accessed. Codecov’s customer base of around 29,000 includes many big tech brands such as IBM, Google, GoDaddy and HP, as well as publishers (The Washington Post), consumer goods firms (Procter & Gamble) and many more.
The firm delivers tools enabling developers to gain visibility into how much source code executes during testing (code coverage), to help them produce more reliable and secure products.
However, an error in one of the firm’s Docker images allowed a threat actor to steal credentials and modify a critical Bash Uploader script used by customers.
Although the incident was discovered on April 1, Codecov said that “periodic, unauthorized alterations of our Bash Uploader script by a third party” had been occurring from January 31 onwards.
The firm said this gave attackers access to any credentials, tokens or keys stored in customers’ continuous integration (CI) environments, and in turn any services, datastores and app code accessed via these credentials.
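The attack described above worked because CI jobs fetched and ran a vendor script whose contents could change without the customer noticing, and because the job's full environment (including secrets) was visible to whatever that script did. The following is an added defensive example, not Codecov's code and not from this article: a POSIX shell helper that refuses to run a fetched script unless its SHA-256 matches a hash pinned in the repository, and that then runs it with only the environment variables explicitly passed through. The variable names and the uploader path in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Codecov's code): pin a third-party CI script by hash
# and run it with a minimal environment. All names here are constructed.

# sha256_of FILE -> prints the hex SHA-256 digest (works with either
# GNU coreutils sha256sum or BSD/macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_pinned FILE EXPECTED_SHA256 -> exit 0 on match, 1 otherwise.
# The expected hash must come from a trusted, out-of-band source
# (e.g. committed to the repo), never from the same download.
verify_pinned() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# run_pinned_script FILE EXPECTED_SHA256 [VAR_NAME ...]
# Aborts if the file does not match the pinned hash. Otherwise runs it under
# `env -i`, so the child sees only PATH plus the variables named here; any
# other CI secrets in the job environment are not passed through.
run_pinned_script() {
  script=$1; expected=$2; shift 2
  if ! verify_pinned "$script" "$expected"; then
    echo "refusing to run $script: SHA-256 does not match pinned value" >&2
    return 1
  fi
  n=$#
  for name in "$@"; do
    # Only accept plain identifiers so the eval below cannot be abused.
    case $name in
      *[!A-Za-z0-9_]*|"") echo "bad variable name: $name" >&2; return 1 ;;
    esac
    # Append NAME=value to the positional parameters (POSIX sh has no arrays).
    eval "set -- \"\$@\" \"$name=\${$name-}\""
  done
  shift "$n"
  env -i PATH="$PATH" "$@" sh "$script"
}

# Usage in a CI step, where EXPECTED_SHA256 is the hash published by the
# vendor and reviewed before being committed (constructed example):
#   run_pinned_script ./uploader.sh "$EXPECTED_SHA256" CI_COMMIT_SHA UPLOAD_TOKEN
```

Pinning the hash turns a silently modified script into a failed build, which is the signal a team wants when a vendor artifact changes unexpectedly; the trade-off is that every legitimate vendor update requires a deliberate review and a commit bumping the pinned value. Running under `env -i` limits what a compromised script can harvest to the variables the job explicitly hands it.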
An investigator told Reuters that, by targeting tech companies, attackers could have used this technique to access thousands of restricted networks.
Calvin Gan, senior manager at F-Secure’s Tactical Defense Unit, urged organizations to treat third-party vendors like Codecov as part of their organization when performing security audits, and to do these audits regularly — ensuring all configurations are verified.
“Always understand and weigh the risk involved when using any third-party service such as Codecov. While the service offered is a valuable one, it is also good to review or limit what is being sent over to these services, especially if it contains credentials or sensitive information,” he added.
“This is not easy, especially if the service is a trusted one by the company. But weighing the risk involved and having a backup/response plan early enough would come in handy when breaches such as this are discovered.”
Stuart Reed, UK Director at Orange Cyberdefense, argued that the security industry should focus less on the details and more on understanding the bigger picture.
“We need to recognize that the security landscape is deeply fluid and dynamic, reshaping itself rapidly and continuously, and position ourselves to perceive and respond to it appropriately. We should not be distracted by the identity of the attacker, or the speculation about state-backed adversaries,” he said.
“Ransomware attacks, botnets, crypto-miners and the like, all follow the same ‘opportunistic’ philosophy in which no target is too small or insignificant. This is why it’s crucial for a new way of thinking, moving away from naïve rules-based security practices towards an agile, intelligence-based approach.”