An extremely worrying new data breach has been reported at a San Francisco-based software auditing company that the general public has likely never heard of before, which probably explains why it feels like this particular breach has slipped under the radar a bit.
Nevertheless, in spite of the lack of general awareness, federal investigators probing the intrusion at this particular company, Codecov, are looking into how hackers were able to tamper with the software used by its 29,000 customers — which also raises the ominous prospect that related, secondary breaches at other companies could result from this incident. That’s because Codecov’s software is used to help companies test their own software code for errors and potential vulnerabilities that hackers could exploit, which is why maliciously tampering with Codecov’s software could conceivably leave all sorts of holes and vulnerabilities in companies that rely on its software.
As if all that wasn’t worrying enough, the breach or intrusion of Codecov’s software happened in January, but Codecov itself didn’t learn about this until April, meaning hackers presumably had an obscene amount of time to unleash their mischief. “On Thursday, April 1, 2021,” reads a statement on the Codecov website, “we learned that someone had gained unauthorized access to our Bash Uploader script and modified it without our permission. The actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script.”
It was actually a customer who noticed something was amiss with Codecov’s tool and who alerted the company. “Immediately upon becoming aware of the issue, Codecov secured and remediated the potentially affected script and began investigating the extent to which users may have been impacted,” the statement on the company’s website continues.
I am bit surprised about the low response to the #Codecov hack – do I miss something or do you?
Article by @campuscodihttps://t.co/RNM9uIROgu
Affected projects @_fel1xhttps://t.co/7oQ7wGE8af
My IOC & YARA rulehttps://t.co/WIouOqSWcC pic.twitter.com/innpjjtjmU
— Florian Roth (@cyb3rops) April 17, 2021
This is, of course, simply the latest in what’s already been a busy year for data breaches and hacks that we’ve been reporting on for the last few months (including examples like this one). In a summary of the Codecov incident from Reuters, though, it notes that there’s the potential here for this attack to have a similarly wide-ranging impact as the SolarWinds hack from late last year.
Unlike the tampering with a software tool that was evident here, the SolarWinds hack took advantage of popular network monitoring software and disguised itself inside a routine-looking software update. As we noted previously, the hackers behind the SolarWinds hack are believed to be associated with Russian intelligence services, and they targeted thousands of organizations, including several US government agencies and dozens of Fortune 500 companies. Their malware disguised itself as a legitimate update from SolarWinds and, in turn, allowed hackers to snoop on network traffic while flying completely under the radar.