A few hours ago, Codecov started notifying the maintainers of the software repositories affected by the recent supply chain attack.
These notifications, delivered both via email and via the Codecov application interface, state that the company believes the affected repositories were downloaded by threat actors.
The original security advisory published by Codecov lacked indicators of compromise (IOC) due to a pending investigation.
However, Codecov has now disclosed multiple IP addresses as IOCs that were used by threat actors to collect sensitive information (environment variables) from affected customers.
Codecov provides software auditing and code coverage services for projects, along with the ability to generate test reports and statistics.
Codecov alerts customers affected by the supply chain attack
As previously reported by Bleeping Computer, on April 15, Codecov had disclosed a supply chain attack against its Bash Uploader that went undetected for two months.
Codecov Bash Uploader scripts are used by thousands of Codecov clients in their software projects. These were altered by threat actors to exfiltrate environment variables collected from a client’s CI/CD environment to the attacker’s server.
Environment variables can often contain sensitive information, such as API keys, tokens, and credentials.
A few hours ago, affected customers started receiving email notifications asking them to log into their Codecov account to see more details:
The repositories listed in a Codecov user’s account that were affected by the incident now display a security warning.
Specifically, this warning indicates that the company believes that the repository was downloaded by threat actors.
However, several users who received these notifications were dissatisfied and called them “lazy” or could not log into their Codecov account to see more details:
I love getting this kind of vague but disturbing notification at 11:30 at night. Thanks Codecov! pic.twitter.com/lw6BJU4OXL
– James Hannett (@JimmehAH) April 29, 2021
I received an email from @codecov saying that I can “see details within the Codecov app” about the recent bash hack, but I don’t see such details. Only 500 and 502
– Thomas Grainger (@graingert) April 29, 2021
– Pete Kruskall (@PeteKruskall) April 29, 2021
“You know @codecov, following a link for ‘more info’ about a security breach that requires me to log in and leave me … here … is completely confusing and decidedly useless,” said developer Phil Howard.
Codecov publishes multiple IOCs of the attack
Although at the time of the initial disclosure of the incident, Codecov had not released any Indicators of Compromise (IOC) due to an ongoing investigation, BleepingComputer had identified at least one of the IP addresses that the attackers had used:
Codecov has now disclosed additional IOCs associated with this supply chain attack as the investigation progressed:
“We recently obtained a redacted, non-exhaustive set of environmental variables that we have evidence of were compromised.”
“We also have evidence on how these compromised variables may have been used. Log into Codecov as soon as possible to see if you are in this affected population,” Codecov said in its updated security incident notice.
Known IPs in scope:
The source IP addresses used to modify the bash script itself:
The destination IP addresses to which the data was transmitted from the compromised Bash Uploader.
These IPs were used in the curl call on line 525 of the compromised script:
Other IP addresses identified in Codecov’s investigation, likely related to the threat actor and associated accounts:
- 91.194.227.*
Other IPs that may be related to this incident (not confirmed by Codecov):
- 5.189.73.*
Codecov’s supply chain attack has drawn comparisons to the SolarWinds breach, as attackers target a developer/IT automation tool to simultaneously impact thousands of customers.
As such, US federal investigators were quick to step in and investigate the Codecov security incident.
According to a researcher, Codecov hackers had breached hundreds of customer networks after collecting confidential credentials from the altered Bash Uploader script.
In the days following the incident, as first reported by BleepingComputer, Codecov’s client HashiCorp revealed that its GPG private key used to sign and verify software versions had been exposed as part of this attack.
Given the disclosure of these IOCs, and now that Codecov has begun notifying affected parties individually, more security disclosure notices are expected to appear in the coming weeks.