The Effects of the Codecov Supply Chain Attack Begin to Unravel

• Fears about the Codecov incident being very serious are quickly getting confirmed.
• IBM and Hewlett Packard Enterprise are already investigating with the help of the FBI.
• The NSA and CISA could soon join the investigation and mitigation efforts, as the potential victims are tens of thousands.

A couple of days back, Codecov published news about a catastrophic supply chain attack that went undiscovered for at least 2.5 months, potentially affecting hundreds of high-profile customers who are using Codecov’s software products. Some saw this as the “next Sunburst,” and rightfully so, and the IT teams of the possibly affected firms immediately launched their investigations. The first reports that come in the aftermath of this are painting a dire picture, as the hackers behind the attack seem to have managed to breach hundreds of restricted customer sites, gaining access to corporate networks.

Today’s Reuters report mentions a large firm in San Francisco that has already confirmed total breach through Codecov’s tool, with the breach affecting hundreds of networks and also customer data. Reportedly, the actors used automated scripts to exfiltrate credentials used for various internal software accounts. Many of the breached entities make software products used by others in the industry, so this could be a supply chain into a supply chain.

IBM, one of the users of Codecov’s products, has stated that they are investigating the incident and have thus far found no modifications of code involving the firm’s internal operations or its clients. Hewlett Packard Enterprise (HPE), also a client of Codecov, has made a similar announcement and promised to inform its clients if they find out that they have been impacted. The FBI is also actively engaged in the investigations and responds to multiple calls for assistance in order to create a rough illustration of the scale of the compromise.

Obviously, this effort is substantial as we’re talking about 19,000 clients, many of whom open up even wider individual chains of influence downstream. For now, neither the FBI nor CISA (Cybersecurity & Infrastructure Security Agency) has issued any announcements or advisories, while Codecov hasn’t updated its initial disclosure either. Now that the SolarWinds and Microsoft Exchange cyber-investigators have been disbanded, the freed manpower may be allocated to the Codecov incident.

Once more, if you were using the Bash Uploader product, which is what the hackers managed to lace, you are advised to re-roll all credentials, tokens, and keys and perform the recommended checks detailed on the vendor’s advisory.