An unknown number of Rapid7 customers, and Rapid7 itself, have become the latest victims of a security incident involving a trusted third-party software supply chain partner.
On Friday, Rapid7 revealed that an attacker had accessed some of its source code repositories through Codecov's third-party Bash Uploader, a script the security vendor had been using in its development environment.
The attacker had previously compromised and modified the uploader. As a result, in addition to Codecov's own systems, code and related data from Rapid7's environment and from other Codecov customers' environments could also be uploaded to a server controlled by the attacker.
Many companies use Codecov's software to measure how thoroughly the software they are developing is being tested for security and other issues. Codecov's Bash Uploader script is used to upload certain data (including credentials, tokens or keys) from the customer's continuous integration (CI) environment to Codecov's own servers.
In January 2021, the attacker gained access to the Bash Uploader by exploiting an error in Codecov's Docker image creation process. According to Codecov, the configuration error allowed the attacker to extract credentials that could be used to modify the Bash Uploader script. It was not until April 2021, four months later, that Codecov discovered the modification.
During this period, the attacker used the modified Bash Uploader to access data in Codecov customers' CI environments and export it to a remote server. Codecov describes the compromised Bash Uploader as enabling an attacker to extract a range of information from the CI environment, including credentials and any services, data storage, and application code associated with those credentials.
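The incident above turned on a CI pipeline fetching and executing a helper script whose contents had been silently changed. The added POSIX shell example below (not Codecov's or Rapid7's code) shows the fail-closed check a pipeline can apply to any downloaded script: compare its SHA-256 against a digest pinned in the repository and refuse to run it on mismatch. The file names, the pinned digest and the "tampered" copy are constructed for the demonstration; in a real pipeline the expected digest is committed alongside the pipeline definition and updated only through a reviewed change.

```shell
#!/bin/sh
# Added example, not code from the original article or from Codecov/Rapid7.
# Verifies a downloaded CI helper script against a pinned SHA-256 digest
# and refuses to execute it if the digest does not match.

# sha256_of FILE: print the hex SHA-256 digest of FILE (Linux or macOS tools).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 only when FILE exists and its digest equals EXPECTED_SHA256.
verify_script() {
    [ -f "$1" ] || return 1
    [ "$(sha256_of "$1")" = "$2" ]
}

# run_verified FILE EXPECTED_SHA256
# Executes FILE with sh only after it verifies; otherwise logs and returns 1.
# Never "curl | bash" an unpinned script; fetch to disk, verify, then run.
run_verified() {
    if verify_script "$1" "$2"; then
        sh "$1"
    else
        echo "integrity check failed for $1; refusing to run" >&2
        return 1
    fi
}

# Constructed demonstration: pin the digest of a known-good script, then
# show that a later one-line modification is detected and blocked.
demo_tamper_detected() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\necho "uploading coverage report"\n' > "$tmp/uploader.sh"
    pinned=$(sha256_of "$tmp/uploader.sh")          # digest recorded at pin time
    cp "$tmp/uploader.sh" "$tmp/tampered.sh"
    printf 'echo "line added after pinning"\n' >> "$tmp/tampered.sh"
    good=0; bad=0
    verify_script "$tmp/uploader.sh" "$pinned" && good=1   # unchanged: passes
    verify_script "$tmp/tampered.sh" "$pinned" || bad=1    # modified: rejected
    run_verified "$tmp/tampered.sh" "$pinned" 2>/dev/null || bad=$((bad + 1))
    rm -rf "$tmp"
    [ "$good" = 1 ] && [ "$bad" = 2 ]
}

demo_tamper_detected && echo "tamper detection works"
```

The same pattern applies to any script a pipeline pulls at build time: the digest check costs one command, and a mismatch is the signal to stop the build and investigate rather than to re-pin.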
Rapid7 said that when it learned of the incident at Codecov, it initiated an internal response process to understand the possible impact on the company. The investigation revealed that the attackers had used the compromised Bash Uploader to access "a small portion" of the source code associated with the company's managed detection and response (MDR) service tooling.
Rapid7 said on Friday: “These repositories contain some internal vouchers, which have been rotated, and also contain some alarm-related data for MDR customers.”
Rapid7 limits the use of Codecov's Bash Uploader to a single CI server set up for its MDR service. As a result, the security vendor said, the attacker did not access or modify any production environment or other company systems. Rapid7 said that a small but undisclosed number of its customers who may be affected by the attack have been notified and given mitigation measures.
Rapid7 and its customers are the latest additions to the ever-growing list of victims of software supply chain incidents in recent months. The best-known example is still the one disclosed by SolarWinds in December last year, which affected approximately 18,000 organizations worldwide. In that incident, a nation-state actor accessed SolarWinds' development environment and implanted a backdoor in the software, which was later distributed as an automatic update to the company's Orion network management product. In another incident, attackers compromised Accellion's legacy file transfer technology and used it to steal data from multiple large organizations.
Concerns about such incidents appear to have prompted President Biden to make software supply chain security a central focus of the new executive order on cybersecurity issued last week.
"Rapid7 is the latest in a series of companies that have been severely affected by security supply chain-related attacks," said Kevin Dunne, President of Pathlock. "Security vendors are usually high-value targets because their deep, trusted access to the network can provide bad actors with effective Trojan horses."
Dunne said that although the impact on Rapid7 customers appears to be small, they need to remain vigilant. He advocated that they work closely with Rapid7's incident response and support team to make the necessary updates. He added: "At the same time, they should monitor their networks, applications and activities on their devices to highlight any suspicious behavior brought about by the Rapid7 software and mitigate any potential threats."
Setu Kulkarni, WhiteHat Security's vice president of strategy, said that based on current information, the impact on Rapid7 customers appears to be minimal. Even so, he found it very curious that the company had kept MDR-related data in a code repository on a non-production server in the first place. "If so, did it pass the static data security controls?" Kulkarni asked. "Broadly, [the incident] does highlight why customer-related data should not be stored in a code repository, and if it is, dummy anonymized data should be used for testing."
Jai Vijayan is an experienced technical journalist with more than 20 years of experience in the IT trade news field. He was recently a senior editor at Computerworld, responsible for information security and data privacy issues for the publication. In his 20-year journey…