Codecov supply chain attack has echoes of SolarWinds

Supply chain attack on code auditing service may have compromised the likes of HPE and IBM

Some of the largest technology companies in the world are investigating possible compromises of their systems as the impact of a SolarWinds-style cyber attack on Codecov, a supplier of code management and audit solutions, continues to spread.

The attack, which was first discovered on 1 April and formally disclosed by Codecov on 15 April, saw a malicious actor obtain unauthorised access to its Bash uploader script and modify it, after finding a way to extract the needed credentials by taking advantage of an error in Codecov’s Docker image creation process.

To date, Codecov says that it has detected periodic alterations of the Bash uploader script going back as far as 31 January, which ultimately could have allowed whoever was behind the attack to export information stored in its users’ continuous integration (CI) environments. The affected users have all been notified.
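As an added example, not code from Codecov or from this article, the check below shows what a CI job can put in front of any helper script it downloads: compare the file's SHA-256 with a hash pinned out-of-band and refuse to execute it on a mismatch, which is how a periodically altered uploader would be caught before it runs. The `uploader.sh` file, its contents and the pinned hash are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Codecov's or the article's code): a CI step that refuses to
# execute a fetched helper script unless its SHA-256 matches a value pinned
# out-of-band. The "uploader.sh" file and its hash below are constructed for the demo.

# Print the SHA-256 of a file; works with either sha256sum (GNU) or shasum (BSD/macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Run the script only if its hash matches the pin. On mismatch, return 1 without
# executing a single line of it, so a modified copy never sees the CI environment.
verify_and_run() {
    script="$1"
    expected="$2"
    actual=$(file_sha256 "$script")
    if [ "$actual" != "$expected" ]; then
        echo "integrity check failed for $script" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    sh "$script"
}

# Demo: pin a known-good copy, then show that an appended line is caught.
demo() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho "uploading coverage report"\n' > "$dir/uploader.sh"
    pin=$(file_sha256 "$dir/uploader.sh")   # in a real pipeline this value lives in the job config, not next to the script
    verify_and_run "$dir/uploader.sh" "$pin" && echo "clean copy: executed"
    echo 'echo "unexpected extra command"' >> "$dir/uploader.sh"   # constructed modification
    verify_and_run "$dir/uploader.sh" "$pin" || echo "modified copy: blocked"
    rm -rf "$dir"
}
demo
```

The pinned hash has to come from somewhere the attacker cannot also edit (a vendor-published checksum or a value committed to the pipeline), otherwise the check verifies nothing.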

Among Codecov’s larger customers, both HPE and IBM confirmed to Reuters that they were now probing their own systems for signs of intrusion, with an IBM spokesperson saying that the firm had so far found no evidence of any problems. Other large Codecov customers include Atlassian, GoDaddy, Procter and Gamble, and the Washington Post.

A spokesperson for Atlassian said: “We are aware of the claims and we are investigating them. At this moment, we have not found any evidence that we have been impacted nor have identified signs of a compromise.”

The attack has also drawn the attention of the US authorities, and is now the subject of a live investigation by the FBI’s San Francisco office, as multiple cyber experts draw parallels with the December 2020 SolarWinds attack, which resulted from unauthorised modification of the firm’s Orion platform by the Russia-backed Cosy Bear group, and saw multiple government bodies targeted. The impact of the SolarWinds incident continues to be felt.

Stuart Reed, UK director at Orange Cyberdefense, said: “The Codecov breach, much like the SolarWinds incident, did not come out of the blue and should not be regarded as an isolated incident. These types of breaches are the inevitable consequence of a powerful set of systemic factors that collectively produce a climate that is inherently volatile but can still be predicted.

“This volatile context currently strongly favours the attacker over the defender [and] that is not going to change unless the systemic drivers that create it are dealt with. In this case that means confronting and addressing some factors, including massive investment by governments into computer hacking capabilities, and accepting others like the strong ties of interdependence that lie at the heart of cyber space, the business ecosystem and society in general,” he said.

Calvin Gan, senior manager at F-Secure’s Tactical Defense Unit, said that taken alongside the SolarWinds breach, the Codecov incident reinforced his view that supply chain attacks will grow in frequency as more and more organisations move towards reliance on third party software vendors for certain functions.

“A good reminder is for all organisations to treat third party vendors or providers as part of their organisation when performing security audits. The key here is to have periodic reviews and be ready to make adjustments accordingly when anomalies are found,” said Gan.

“This incident is also a timely reminder for organisations to ensure all configurations are proper and verified, especially when deploying anything over cloud applications or when making them publicly accessible. This is to prevent unintentional leaks or exposing of sensitive information.”

Gan added that it was important to understand and weigh the risk involved when using third-party services such as Codecov. Even though the service it provides is valuable, users should review or limit what is sent to it, especially if that includes credentials or other sensitive data.

“This is not easy, especially if the service is a trusted one by the company. But weighing the risk involved and having a backup and response plan early enough would come in handy when breaches such as this are discovered,” he said.
