Rapid7, the popular cybersecurity company behind the Metasploit project, has become one of the victims of a cybersecurity incident involving Codecov. Codecov is a San Francisco-based company that gives “actionable coverage insights when and where they need them” to major players in Silicon Valley. The incident in question is an unauthorized modification of Codecov’s Bash Uploader script, which gave the attacker access to data stored in environment variables wherever the modified script ran. Numerous entities have been affected by this attack, including Rapid7.
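The mechanism described above, a CI script modified at its source that then read secrets from the environment of every build that executed it, points at two controls a pipeline owner can apply before running any third-party uploader: pin the script's digest and refuse to execute it on a mismatch, and run it with an empty environment plus only the variables it actually needs. The shell functions below are an added example written for this page; they are not code from the article, from Codecov or from Rapid7, and the pinned digest, script path and variable names they take are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not code from the article, from Codecov or from Rapid7.
# Two defensive controls for a CI step that fetches and executes a
# third-party uploader script:
#   1. pin the script's SHA-256 and refuse to run it on a mismatch, so a
#      server-side modification of the script does not execute unnoticed;
#   2. run it with an empty environment plus only the variables it needs,
#      so a compromised script cannot harvest unrelated CI secrets.
# The pinned digest and the NAME=VALUE pairs are placeholders the caller
# supplies; in a real pipeline the digest comes from a trusted,
# out-of-band source, never from the same server as the script.

# sha256_of FILE -> prints the hex SHA-256 of FILE
# Portable digest helper: coreutils sha256sum on Linux, shasum elsewhere.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_script SCRIPT EXPECTED_SHA256 -> 0 if the digest matches, 1 otherwise
verify_script() {
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        printf 'integrity check failed for %s\n  expected: %s\n  actual:   %s\n' \
            "$1" "$2" "$actual" >&2
        return 1
    fi
    return 0
}

# run_with_minimal_env SCRIPT [NAME=VALUE ...]
# Executes SCRIPT with an empty environment plus PATH and the given
# variables only; nothing else from the parent CI environment is visible.
run_with_minimal_env() {
    script="$1"
    shift
    env -i PATH="$PATH" "$@" sh "$script"
}

# run_uploader SCRIPT EXPECTED_SHA256 [NAME=VALUE ...]
# Combined gate: verify the digest first, then run with a minimal environment.
run_uploader() {
    script="$1"
    expected="$2"
    shift 2
    verify_script "$script" "$expected" || return 1
    run_with_minimal_env "$script" "$@"
}
```

In a pipeline the step would read something like `run_uploader ./uploader.sh "$PINNED_SHA256" UPLOAD_TOKEN="$UPLOAD_TOKEN"` (placeholder names): the digest check stops a tampered script from running at all, and the `env -i` wrapper means that even a script which slips through only sees the variables it was explicitly handed, not every credential the CI job happens to carry.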
In a security notice to its clients, Rapid7 stated the following about how they are affected by, and responding to, the incident:
Our use of Codecov’s Bash Uploader script was limited: it was set up on a single CI server used to test and build some internal tooling for our Managed Detection and Response (MDR) service. We were not using Codecov on any CI server used for product code.
Like other Codecov customers, we have been actively investigating this incident in our environment, and after a thorough review and validation from a leading external cybersecurity forensics firm, we determined the following:
- A small subset of our source code repositories for internal tooling for our MDR service was accessed by an unauthorized party outside of Rapid7
- These repositories contained some internal credentials, which have all been rotated, and alert-related data for a subset of our MDR customers
- No other corporate systems or production environments were accessed, and no unauthorized changes to these repositories were made
This Codecov incident has been a nightmare for many companies that rely on the Bash Uploader. Ultimately, it shows how dangerous it can be when too many entities have their code in one centralized location. It also shows that cybersecurity companies like Rapid7 are no less at risk of breach than other companies, despite what one may assume. If anything, cybercriminals are more motivated to penetrate the defenses of people who make their living protecting others.
Featured image: Flickr / jasonwryan