
Cyber Security Company, Rapid7, Hit by Supply Chain Attack

by Eleanor Barlow • May 2021

Codecov, a San Francisco-based technology company, recently fell victim to a vast cyber security attack, likened to the SolarWinds attack, that has had a forceful and devastating effect, impacting users around the globe, including cyber security company Rapid7.

‘Supply chain attacks rose by 42% in the first quarter of 2021 in the US’ – Chartered Institute of Procurement and Supply (CIPS)

Codecov is known for providing testing tools and code coverage, and reports that their Bash uploader script was manipulated, which affected their tools, including their CircleCI Orb, GitHub, and Codecov Bitrise. This makes a supply chain attack of this size significant, not just to their business, but to the business of every company employing Codecov or associated technologies. The attackers responsible exploited Codecov software but used the organisation as a platform to compromise customer networks.

Codecov report via their security update post that ‘Our investigation has determined that there were periodic, unauthorized alterations of our Bash Uploader script by a third party, which enabled them to potentially export information stored in our users’ continuous integration (CI) environments. This information was then sent to a third-party server outside of Codecov’s infrastructure.’

The threat group behind the attack is highly sophisticated. Analysis of the TTPs (Tactics, Techniques and Procedures) has determined that the attack involved infecting Codecov’s CI/CD pipeline, gaining access to thousands of customer networks in the process, in a bid to steal user credentials and export customer data from users’ continuous integration environments.

Codecov state that, with the compromised credentials, ‘services, datastores, and application code could be accessed’.

‘Supply chain, phishing, and ransomware attacks reflect a broader trend that cyber criminals want to exploit multiple organisations through a single point-of-attack.’ – Eva Velasquez, CEO Identity Theft Resource Center (ITRC)

The attack was made public knowledge in April, but it is said that reports of interference had been made as early as the 31st of January, three months prior.

How Has this Impacted Rapid7?

Rapid7 have reported that the Bash uploader was used on a CI server that the company used to test and build tooling internally for their Managed Detection and Response (MDR) capabilities, and that source code repositories for MDR, along with internal credentials, were infiltrated. They report that the breached source code subset was used for internal tooling.

Rapid7 were notified of the breach via an email from Codecov app. Since then, Rapid7 report that these repositories have been rotated, and that customers have been alerted to the data breach and to the possibility that the attackers downloaded source code repositories.

Codecov has responded by removing the unauthorised bad actor from their systems, and is introducing tools to prevent another attack, specifically another supply chain attack, from affecting their business and the business of related users.

As of this morning (18th of May 2021), more companies have come forward publicly after realising that they have been impacted. Monday.com are on the list and recognise the implications for their system. ‘Although the Codecov attack went undetected for two months, the full extent of the attack continues to unfold even after its discovery.’

How to Mitigate Against a Supply Chain Attack

On how businesses can mitigate and prepare against a supply chain attack, Chris Cheyne, CTO, SecurityHQ, argues that ‘When established organisations use open-source code to deliver solutions and services they put their customers at risk. This has been proven multiple times through 2021 already. And while supply chain threats are already high, and threat groups become more sophisticated, the situation is amplified when organisations have a lack of control on their code.’
