Attackers compromised code-checking vendor’s tool for two months
In a software supply-chain attack reminiscent of the SolarWinds compromise, unknown attackers used a vulnerable tool published by code checking firm Codecov for a little over two months to collect sensitive development information from the company’s clients.
Codecov, which provides tools and services to check how well software tests are covering code under development, in a statement published on Friday warned that attackers had modified a command-line upload tools to also send sensitive information to the attackers. At-risk data includes credentials, software tokens, and keys—and the data and code that could be accessed with those secrets—as well as the remote repository information.
The firm recommended that clients use a script to create a list of credentials that could be accessed by its software and consider those credentials and secrets compromised.
“If anything returned from that command is considered private or sensitive we strongly recommend invalidating the credential and generating a new one,” Jerrod Engelberg, CEO of Codecov, said in a statement. “Additionally, we would recommend that you audit the use of these tokens in your system.”
Codecov first became aware of the breach on April 1, after a customer reported a discrepancy in the check sum used to verify the integrity and authenticity of the tool. The company began investigating and has brought in federal law enforcement, Codecov said in its statement. The attackers likely had access to the system since the end of January, according to the company’s investigation. While CodeCov did not specify how many clients were affected by the breach, its website states that more than 29,000 enterprises use its service.
A breach at a software supplier that could have impacted thousands of client firms puts the attack squarely on the level of the SolarWinds compromise, says Asaf Karas, co-founder and chief technology officer for Vdoo, an Internet-of-Things security platform.
To read the complete article, visit Dark Reading.