Codecov Hackers Accessed Monday.com Source CodeCustomers Apparently Not Affected, Monday.com Says
Monday.com, which sells an online workflow management platform, reports that the Codecov supply chain attackers gained access to its source code.
Codecov, a company that tests software code prior to release, has notified customers that attackers had access to its network for a month and placed malware in one of its systems, which may have led to the exfiltration of customers' information.
Monday.com's online workflow management platform is used by Unilever, Uber, BBC Studios, Universal, Adobe, Coca-Cola and L'Oreal, according to the company’s website.
Source Code Accessed
"While our investigation is ongoing, based on our findings to date, we have not seen any indication that customer data processed by monday.com was affected by this incident or accessed by the attacker," Monday.com said in a statement.
The company acknowledged, however, that the attackers accessed a file containing a list of certain URLs pointing to publicly broadcast customer forms/views hosted on monday.com, and it has notified affected customers about how to regenerate these URLs.
Monday.com said it hasn't found any evidence of unauthorized modifications to its source code or any impact on its products as a result of the intrusion.
The Monday.com attackers gained access to source code in a read-only format, so they won't be able to introduce any malicious code, says Matthew Gribben, former cybersecurity and cryptographics consultant at the U.K.'s Government Communications Headquarters. He's now CTO of online retailer Farmison & Co.
But Gribben told Information Security Media Group that the attackers could analyze that code for further vulnerabilities. And now that the code is likely out in the wild, it will likely end up being sold on the dark web, he said, adding, “Source code has a habit of holding all sorts of secrets that you wouldn't want in the public domain."
Upon learning of the issue, Monday.com took immediate mitigation steps, including revoking Codecov access, discontinuing use of Codecov’s service, rotating keys for all of Monday.com’s production and development environments and retaining cybersecurity forensic experts to assist with its investigation.
The company states that Codecov provided specific information and indicators that enabled it to deepen its investigation.
"Monday.com now really needs to be on the ball when it comes to monitoring its own systems and infrastructure for any signs of attempted attacks off the back of this disclosure and hopefully carrying out post-compromise best practice like rotation of any integration keys with other third-party systems," Gribben notes.
Codecov advises customers to check which keys and tokens in their continuous integration environment are in danger of being compromised by running the "env" command in their continuous integration pipeline. If this action returns anything private or sensitive, the credential should be invalidated and replaced.