monday.com and several other organizations have recently suffered a cyberattack through Codecov, a popular code coverage tool. The attackers accessed a read-only version of the source code for the company’s self-named software, which is a project management tool for enterprises that also facilitates collaboration between team members. monday.com served 100,000 clients as of 2020, including both technical and non-technical organizations.
Attackers used a supply-chain attack, which generally involves infiltrating the target through a third party such as a partner or service provider. Defending against this type of attack is often challenging, but there are some steps that organizations can take to make it easier. Companies should start this process by identifying ways that partners can jeopardize their supply chain, even if it’s unintentional.
Attack
The attacks against monday.com began around January 31, 2021, when the attackers obtained access to hundreds of Codecov’s users. The general strategy of the attacks was to interfere with the operation of Codecov’s suite of software development tools used by monday.com. Codecov announced the cyberattack on April 15, reporting that a modified Bash Uploader script was the basis of the attack. This script compromised the upload of data for Codecov tools that include Codecov Bitrise Step and Codecov CircleCI Orb as well as GitHub.
Attackers were thus able to export information from the continuous integration (CI) environments for hundreds of users. monday.com confirmed that it was one of these users, which could compromise its development of software. The company disclosed this news to the Securities and Exchange Commission (SEC) as required, since it’s currently seeking a listing on U.S. stock exchanges.
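Because the attack relied on a modified copy of a script that CI jobs execute, one defensive check is to pin such a script to the SHA-256 digest recorded when it was reviewed and refuse to run anything else. The following is an added example, not code from the original article or from Codecov; the function names, file names and script contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: pin a third-party CI script to a reviewed SHA-256 digest.
# File names and script contents are constructed; this is not Codecov's script.

# sha256_of FILE: print the hex digest (sha256sum, or shasum where that is absent)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_pinned FILE EXPECTED: 0 on match, 1 on mismatch, 2 if the file is missing
verify_pinned() {
    local file="$1" expected="$2" actual
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual="$(sha256_of "$file")"
    if [ "$actual" != "$expected" ]; then
        echo "REFUSING $file: digest $actual != pinned $expected" >&2
        return 1
    fi
}

# run_pinned FILE EXPECTED [ARGS...]: execute only after the digest check passes
run_pinned() {
    local file="$1" expected="$2"
    shift 2
    verify_pinned "$file" "$expected" || return $?
    sh "$file" "$@"
}

# Demo: a constructed "vendor" script, then the same file changed upstream
demo() {
    local dir pin
    dir="$(mktemp -d)"
    printf 'echo "uploading coverage report"\n' > "$dir/uploader.sh"
    pin="$(sha256_of "$dir/uploader.sh")"   # digest recorded at review time
    run_pinned "$dir/uploader.sh" "$pin" && echo "reviewed copy: ran"
    printf 'echo "line added upstream"\n' >> "$dir/uploader.sh"
    run_pinned "$dir/uploader.sh" "$pin" || echo "modified copy: blocked (rc=$?)"
    rm -rf "$dir"
}
demo
```

The pinned digest has to live in the repository or CI configuration the team controls, not next to the download, so a change at the vendor cannot update both.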
Investigation
During its initial discovery of the attack, monday.com determined that hackers had obtained read-only access to its source code. The company claims that no evidence exists to show that attackers were able to modify the source code or otherwise affect any of monday.com’s products. However, it did report that attackers accessed a file containing an inventory of URLs to monday.com’s web pages and views with public client information. The company has also informed affected customers and instructed them on the process for restoring those URLs.
Further investigation also failed to uncover any evidence that the customer information was leaked, according to monday.com. The company initially removed Codecov’s access to their environment and later discontinued the service completely.
Additional Codecov Attacks
The monday.com attack follows shortly after Rapid7’s disclosure that it was also a victim of the Codecov supply-chain attack. The cybersecurity enterprise found that an unauthorized party outside the company accessed a small portion of its source code repository for its Massive Data Repository (MDR) service. The software developer HashiCorp was also a target of the Codecov attack, which involved uploading modified versions of Bash Uploader to the company’s platform between January 31, 2021 and April 1, 2021. HashiCorp reports that it learned of the attack when it discovered a private code-signing key collecting developer credentials on its platform. The company is urging affected customers to recreate their CI data, including keys, records and tokens.