reporting of various network parameters from ravitejafe's blog

The threat group behind the attack is highly sophisticated. Analysis of its TTPs (tactics, techniques and procedures) shows that the attack involved compromising the Codecov CI/CD pipeline and, through it, gaining access to thousands of customer networks in a bid to steal user credentials and exfiltrate customer data from users' continuous integration environments.

Codecov state that, with the compromised credentials, ‘services, datastores, and application code could be accessed’.

‘Supply chain, phishing, and ransomware attacks reflect a broader trend that cyber criminals want to exploit multiple organisations through a single point-of-attack.’ – Eva Velasquez, CEO, Identity Theft Resource Center (ITRC)

The attack was made public in April, but reports of interference are said to date back to the 31st of January, three months earlier.

Rapid7 have reported that the Bash uploader was used on a CI server that the company used to test and build tooling internally for its Managed Detection and Response (MDR) capabilities, and that the attackers infiltrated source code repositories for MDR along with internal credentials. They report that the breached subset of source code was used for internal tooling.
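
The Bash uploader mentioned above is the kind of CI helper that a pipeline fetches and executes on every run, which is why pinning such a script to a known digest is the practical check a defender wants in place. The following is an added example, not code from the original post or from Codecov or Rapid7; it shows a pipeline step that refuses to execute a helper script whose SHA-256 digest does not match the pinned value. The sample "uploader" script it writes and the digest handling are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from Codecov/Rapid7.
# Defensive pattern: pin a CI helper script (such as a coverage uploader) to a
# known SHA-256 digest and refuse to execute it when the digest does not match,
# instead of piping a freshly downloaded script straight into a shell.
# Assumptions: the pinned digest lives in version control next to the pipeline
# config; the sample "uploader" written by demo() below is constructed here.

# sha256_of FILE -> prints the hex SHA-256 digest of FILE (GNU or BSD userland)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_and_run FILE PINNED_SHA256
# Executes FILE only if its digest equals PINNED_SHA256; returns 1 otherwise.
verify_and_run() {
  vr_file="$1"
  vr_pinned="$2"
  vr_actual="$(sha256_of "$vr_file")"
  if [ "$vr_actual" != "$vr_pinned" ]; then
    printf 'refusing to run %s: expected %s, got %s\n' \
      "$vr_file" "$vr_pinned" "$vr_actual" >&2
    return 1
  fi
  sh "$vr_file"
}

# demo: pin a constructed script, run it, then show that a modified copy is rejected
demo() {
  dir="$(mktemp -d)"
  script="$dir/uploader.sh"
  printf 'echo "constructed uploader: would send coverage report here"\n' > "$script"
  pinned="$(sha256_of "$script")"          # this is the value you would commit

  verify_and_run "$script" "$pinned"       # digest matches: script runs

  # Simulate a tampered download: one extra line changes the digest.
  printf 'echo "injected line"\n' >> "$script"
  if verify_and_run "$script" "$pinned"; then
    echo "unexpected: tampered script ran"
  else
    echo "tampered script rejected as expected"
  fi
  rm -rf "$dir"
}

demo
```

Pinning the digest means that upgrading the helper is a deliberate, reviewable change to the committed value rather than something the pipeline picks up silently; that review step is where an unexpected change to the script would surface.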

Rapid7 were notified of the breach via an email from Codecov. Since then, Rapid7 report that these repositories have been rotated, that customers have been alerted about the breach, and that the attackers may have downloaded source code repositories.