The Code Testing Company CodeCov Suffers a Data Breach Which Went Undetected for Months


U.S. federal authorities are investigating a safety violation at Codecov, which works on selling a tool that allows developers to calculate their codebase coverage and works for more than 29,000 clients worldwide. The organization acknowledged the violation and reported that for months it remained unnoticed. 

The violation impacted an unaccompanied number of customers, including Atlassian, Proctor & Gamble, GoDaddy, and Washington Post. To be specific, attackers used a bug of the Docker image to access a Bash Uploader script to map development environments and report back to the company in the company production. In the wake of the discovery of the violation on April 1st, 2021, a follow-up investigation discovered that the threat actor had access to their system for months, at least since 31 January. Three additional bash uploaders were also affected by the vulnerability, including the Codecov CircleCI Orb, Codecov-actions for GitHub, and Codecov Bitrise Phase. 

Codecov website, CEO Jerrod Engelberg clarified in the security update that the cybercriminals gained unauthorized access, to the Bash Uploader scripts, while modifying and accessing the passwords, tokens, or keys stored in continuous customer integration environments, datastores, and application code that can be manipulated using these credentials, tokens, or keys. The information was then transferred to a non-Codecov third-party server. The possibility for downstream effects on Codecov users may be high, but the extent of harm will depend on several factors like the identification and motifs of the actor, the way that Codecov structures its network, and what protocols, configurations, and access policies every user is using for their code environment. 

Codecov is not a publicly traded firm, which employs a few dozen of candidates and measures its annual turnover in the smallest million dollars per year. On contrary, it employs just a few candidates; Despite the high profile of a few of their clients, they have not been particularly in attention since 2014 and this indicates that the threat actor must have done a good deal of research before choosing them as a target. 

The degree of segmentation of Codecov's network could also partly decide what information and data of customers the threat actors had been able to access. They are equally unable to pull open-source code from the internet directly and use it. “It seems like every time I hire a new developer, that’s the first thing they do with the code they write, so we have to put automated checks in there so the moment somebody tries to do that, they get caught and it stops,” said Zanni. 

As a standard practice, many have cited robust code signing policies. The infringement reflected the "huge ROI for attackers to attack the supply chain," and John Loucaides, Vice President of Research and Development at a vulnerability research firm, said that any alteration to the code must be vetted by other parties before approval. 

Bambenek says that although attackers have gone completely unnoticed for months, detecting and revealing a trivial change in the code in three months is amazing for a small company with limited resources like Codecov. He correlated it with SolarWinds, which skipped significant improvements in Orion's software construction platform, if not longer, by at least a year, both by itself and by a multitude of customers and federal agencies with higher budgets. 

“Codecov maintains a variety of information security policies, procedures, practices, and controls. We continually monitor our network and systems for unusual activity, but Codecov, like any other company, is not immune to this type of event,” Engelberg stated in the regard. “We regret any inconvenience this may cause and are committed to minimizing any potential impact on you, our users, and customers.”