U.S. federal investigators are investigating a breach of software auditing company Codecov LLC that could potentially have an impact as broad as the now infamous SolarWinds hack.
Founded in 2014, Codecov is an online platform that provides hosted testing reports and statistics for users. Compatible with GitHub, Bitbucket and Gitlab, the company works with 29,000 corporate customers.
In a statement April 15, the company said the hack occurred Jan. 31 but was only detected April 1. The hacker is described as gaining access because of an error in Codecov’s Docker image creation process that allowed the extraction of the credential required to modify the company’s Bash Uploader script.
In a typical “We’ve been hacked” response, the company added that “immediately upon becoming aware of the issue, Codecov secured and remediated the affected script and began investigating any potential impact on users. A third-party forensic firm has been engaged to assist us in this analysis. We have reported this matter to law enforcement and are fully cooperating with their investigation.”
Codecov includes among its customers Procter & Gamble Co., GoDaddy Inc. and Atlassian Corp. PLC. Reuters reported that Atlassian has said it has not found evidence that it has been compromised.
“The parallels between this breach and what we saw with last year’s SolarWinds attack are obvious, and they both point to a worrying trend in cybersecurity,” Quinn Wilton, senior researcher at electronic design automation firm Synopsys Inc., told SiliconANGLE. “In both cases, we’re seeing attackers leverage weaknesses in supply chain security, and this dynamic means that while it is the vendor that is being initially breached, the impact of that breach is felt by that vendor’s customers.”
This is a powerful position for attackers to be in, enabling them to pick and choose from a wide number of targets while offering plenty of opportunities to exploit a customer’s trust in their vendors to evade detection, Wilton explained.
Attacks like this aren’t new, but with software being more interconnected than ever, she added, there will be more of these sorts of breaches. “This means that code signing is more important than ever and that transparency around the storage and disposal of those code signing keys is going to be a vital step toward building trust in the channels we all use to distribute software,” Wilton said.
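The practical defense against a tampered uploader script is to refuse to run it until its digest matches a value obtained out of band (a vendor-published checksum, ideally one carrying a detached signature). The POSIX shell below is an added illustration of that check, not Codecov's own tooling; the uploader file, the tampered copy and the pinned digest are all constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example: gate execution of a downloaded script on a pinned SHA-256.
# In real use the pinned digest comes from the vendor's signed checksum file,
# fetched separately from the script itself; here it is computed from a
# constructed sample so the whole thing runs without network access.
set -u

# Print the SHA-256 of a file, portable across sha256sum and shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_DIGEST -> 0 on match, 1 on mismatch.
# A modified uploader, whatever was changed, fails here before it can run.
verify_script() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "digest mismatch for $1: expected $2, got $actual" >&2
    return 1
}

# run_verified FILE EXPECTED_DIGEST -> runs the script only after it verifies.
run_verified() {
    verify_script "$1" "$2" || return 1
    sh "$1"
}

# Constructed sample: a stand-in uploader and a copy with one extra line,
# which is enough to change the digest and make the check refuse it.
tmpdir=$(mktemp -d)
printf '#!/bin/sh\necho "uploading coverage"\n' > "$tmpdir/uploader.sh"
PINNED=$(sha256_of "$tmpdir/uploader.sh")   # stands in for the published digest
cp "$tmpdir/uploader.sh" "$tmpdir/tampered.sh"
printf 'echo "unexpected addition"\n' >> "$tmpdir/tampered.sh"
```

Piping a fetched script straight into `bash` skips exactly this step; downloading to a file, verifying, and only then executing is what lets a modified script be caught rather than run.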
From: Silicon Angle