UPDATED 22:57 EST / MAY 17 2021

Rapid7 suffers Codecov-related software supply chain breach

Cybersecurity firm Rapid7 Inc. has been the victim of a software supply chain breach after using software from auditing company Codecov LLC.

The breach involved the compromise of customer data and partial source code that was obtained by an attacker who accessed the Codecov Bash uploader script.

Codecov is an online platform that provides hosted testing reports and statistics for users. The hack of the company dates back to January but was first detected in April. The hack of Codecov was described at the time as involving a hacker gaining access because of an error in Codecov’s Docker image creation process that allowed the extraction of credentials required to modify the company’s Bash Uploader script.
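The defensive counterpart to the attack described above is to pin the digest of any vendor-supplied helper script and refuse to execute a download that no longer matches it. The following is an added example, not code from Codecov or Rapid7; it assumes a POSIX shell with `sha256sum` or `shasum` available, and uses a constructed stand-in script rather than the real uploader.

```shell
#!/bin/sh
# Added example: run a CI helper script only if its SHA-256 matches a digest
# that was recorded out of band when the script was last reviewed.

sha256_of() {
    # Print the hex SHA-256 of file $1; portable across coreutils and BSD tools.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_and_run FILE EXPECTED_SHA256 [ARGS...]
# Executes FILE with sh only when its digest equals EXPECTED_SHA256.
# Returns 1 without executing anything on a mismatch.
verify_and_run() {
    file="$1"; expected="$2"; shift 2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' \
            "$file" "$expected" "$actual" >&2
        return 1
    fi
    sh "$file" "$@"
}

# Demonstration on a constructed stand-in for an uploader script.
demo() {
    script=$(mktemp) || return 1
    printf '#!/bin/sh\necho "uploading coverage report"\n' > "$script"
    pinned=$(sha256_of "$script")        # digest recorded when the script was vetted
    verify_and_run "$script" "$pinned"   # unchanged: runs normally
    # Simulate a download that was altered after the digest was pinned.
    printf 'echo "unexpected extra line"\n' >> "$script"
    verify_and_run "$script" "$pinned" || echo "blocked: script changed since it was vetted"
    rm -f "$script"
}
demo
```

In a pipeline this replaces the `curl ... | bash` pattern: fetch to a file, verify, then execute, so a tampered copy is rejected before it can read the job's environment.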

In a blog post May 13, Rapid7 said that upon becoming aware of the Codecov breach it immediately kicked off a security incident response process. While noting that it only used the Codecov Bash Uploader script on a single server used to test and build some internal tooling for its Managed Detection and Response service, Rapid7 did find that an unauthorized party accessed a small subset of its source code repositories for internal tooling for its MDR service. The repositories did contain some internal credentials, all of which have been rotated, and affected customers have been alerted.

Rapid7 added that it found no evidence of access to its Insight platform or products, nor access to any customer data sent through or stored in either.

“Rapid7 is the latest in a string of companies to be severely impacted by security supply chain-related attacks,” Kevin Dunne, president at unified access orchestration firm Pathlock, told SiliconANGLE. “Security vendors are often high value targets, as they have deep, trusted access to networks that can provide an effective trojan horse for bad actors.”

Although the impact to Rapid7 customers seems minimal at the moment, customers should stay on high alert, Dunne added. “Specifically, they will want to make sure they work closely with Rapid7’s support and incident response teams to make any necessary updates required to reduce their risk exposure,” he said. “In the meantime, they should monitor activity on their network, applications and devices to highlight any suspicious behavior coming from Rapid7’s software and mitigate any potential threats.”

John Bambenek, threat intelligence advisor at resolution intelligence company Netenrich Inc., noted that every MDR firm has its own custom tooling to help make their teams more effective and efficient.

“To the extent those tools have customer information, it should be limited and would likely relate to internal network information and applications a customer may have,” Bambenek explained. “For any of those customers, make sure they heed the information given to them by Rapid7 and have increased vigilance around those systems that may have had sensitive information disclosed via this breach.”
