US federal investigators are reportedly looking into a security breach at Codecov, a platform used to test software code that has more than 29,000 customers worldwide, Reuters reported on Saturday. The company has confirmed the breach and said it went undetected for months.
According to Reuters, the breach affected an unknown number of the company’s customers, which include Atlassian, Procter & Gamble, GoDaddy and the Washington Post. A security update on the incident written by CEO Jerrod Engelberg and published this week also did not specify the number of customers affected. Gizmodo contacted Codecov to confirm whether there was a federal investigation into the incident, but the company said it had no further comment beyond Engelberg’s statement on its website.
In the security update, Engelberg explained that the threat actor gained unauthorized access to the company’s Bash Uploader script and modified it, potentially giving them access to any credentials, tokens or keys stored in customers’ continuous integration environments, as well as to any services, databases or application code reachable with those credentials, tokens or keys. The harvested data was then sent to a third-party server outside of Codecov.
The company’s Bash Uploader is also used in three associated uploaders: the Codecov-actions downloader for GitHub, the Codecov CircleCI Orb and the Codecov Bitrise Step. All of these were also affected.
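As an added defender’s example (not Codecov’s code and not part of the original article), the following shell script shows how a CI pipeline can refuse to execute a fetched third-party helper script whose SHA-256 digest does not match a value pinned in the pipeline, so a copy modified upstream, as described above, is never run. The file names, script contents and digest are constructed here; in practice the pinned digest would be recorded after reviewing the genuine script.

```shell
#!/bin/sh
# Added example, not Codecov's code: only run a fetched third-party CI helper
# script if its SHA-256 digest matches a value pinned in the pipeline config.
# In a real pipeline the file would arrive via `curl -fsSL <url> -o "$file"`;
# here both scripts are constructed locally so the example runs offline.

sha256_of() {
    # Print the hex SHA-256 of a file, using whichever tool is installed.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

verify_pinned() {
    # verify_pinned FILE EXPECTED_SHA256: returns 0 on match, 1 otherwise.
    # A copy altered upstream has a different digest and is rejected before it
    # can read anything from the CI environment.
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "refusing to run $1: digest $actual does not match pinned $2" >&2
    return 1
}

run_if_verified() {
    # Execute the script only after the pinned digest check succeeds.
    verify_pinned "$1" "$2" && sh "$1"
}

# --- constructed demo data (not a real uploader) ---
workdir=$(mktemp -d)
good="$workdir/uploader.sh"
bad="$workdir/uploader-tampered.sh"
printf '#!/bin/sh\necho "uploading coverage report"\n' > "$good"
# Tampered copy: one benign line appended, which is enough to change the digest.
cp "$good" "$bad"
printf 'echo "one more line"\n' >> "$bad"
# The digest a team would pin after reviewing the genuine script.
PINNED=$(sha256_of "$good")

run_if_verified "$good" "$PINNED"                       # runs the script
run_if_verified "$bad" "$PINNED" || echo "tampered copy blocked"
```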
Codecov said it has fixed the vulnerability and that its systems and services are safe to use. It has not been able to determine who was responsible for the breach.
“The actor was granted access due to an error in Codecov’s Docker imaging process that allowed the actor to extract the credentials needed to modify our Bash Uploader script,” Engelberg said. “Immediately upon learning of the problem, Codecov secured and corrected the affected script and began investigating any potential impact on users.”
The company added that it had hired a third-party forensic firm to help analyze the impact on its users. It also said it had reported the incident to law enforcement and is cooperating with them.
After investigating the incident, the company determined that the threat actor made periodic alterations to its Bash Uploader script starting January 31 of this year. Codecov learned of the breach on April 1, when a customer detected and reported an anomaly in the Bash Uploader.
Codecov said that on April 15 it emailed affected users at the addresses on file with GitHub, GitLab and Bitbucket, and that it also activated a notification banner shown to affected users after they log into Codecov. The company said customers who use a self-hosted version of Codecov are unlikely to be affected.
“We strongly recommend that affected users immediately relaunch any IDs, tokens or keys located in the environment variables of their CI processes that were using one of Codecov’s Bash Uploaders,” Engelberg said.
Reuters noted that the incident has been compared to the massive SolarWinds hack, which the US government has attributed to Russia’s Foreign Intelligence Service, because of its potential effect on many organizations and the length of time the attack went undetected. Above all, the full reach of the Codecov breach is still not clear.
Codecov said it has taken a number of measures to shore up security, including rotating all relevant internal credentials, putting in place monitoring and auditing tools to ensure that threat actors cannot modify the Bash Uploader again, and working with the hosting provider of the third-party server to ensure that it has been properly decommissioned, among other actions.
“Codecov maintains a variety of information security policies, procedures, practices and controls. We are constantly monitoring our network and systems for any unusual activity, but Codecov, like any other company, is not immune to this type of event,” said Engelberg. “We regret any inconvenience this may cause and are committed to minimizing any potential impact on you, our users and our customers.”