Malicious code compromises HashiCorp's PGP key

HashiCorp, a company known for developing open-source tools such as Vagrant, Packer, Nomad and Terraform, announced several days ago that the private GPG key used to produce the digital signatures that verify its software releases had been leaked.

In its post, the company notes that attackers who gained access to the GPG key could potentially have made hidden changes to HashiCorp products and certified them with a valid digital signature. At the same time, the company said that its audit found no trace of any attempt to make such modifications.

They mention that as soon as the compromised GPG key was detected it was revoked, and a new key was introduced in its place.

The issue only affected verification using the SHA256SUM and SHA256SUM.sig files; it did not affect the signing of Linux DEB and RPM packages delivered through the "releases.hashicorp.com" website, nor the release verification mechanisms for macOS and Windows (Authenticode).
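The verification path affected here is the signed checksum list: gpg checks the signature on SHA256SUMS, then the archive is compared against its entry. The following is an added example (not code from the article or from HashiCorp) showing that chain in Python, with the release-signing key pinned by fingerprint so that a key rotation like this one fails closed until the pinned value is deliberately updated. PINNED_FINGERPRINT is a placeholder and the file names in the test are constructed.

```python
import hashlib
import hmac
import re
import shutil
import subprocess
from pathlib import Path

# PLACEHOLDER fingerprint: substitute the current HashiCorp release-signing
# key fingerprint from their security page; the article does not give it.
PINNED_FINGERPRINT = "0000000000000000000000000000000000000000"
SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")

def parse_sha256sums(text):
    """Parse sha256sum-style lines ('<hex digest>  <file name>') into a dict."""
    sums = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = SUMS_LINE.match(line)
        if not m:
            raise ValueError(f"malformed SHA256SUMS line: {line!r}")
        sums[m.group(2)] = m.group(1).lower()
    return sums

def verify_bytes(name, data, sums_text):
    """True only if SHA256SUMS has an entry for name and it matches data."""
    expected = parse_sha256sums(sums_text).get(name)
    if expected is None:
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected)

def signature_key_fingerprints(sums_path, sig_path):
    """Fingerprints (signing and primary key) gpg reports for a valid signature."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg is not installed")
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify",
                           str(sig_path), str(sums_path)],
                          capture_output=True, text=True)
    for line in proc.stdout.splitlines():
        # "[GNUPG:] VALIDSIG <fpr> ... [<primary-fpr>]" is only printed on success
        if line.startswith("[GNUPG:] VALIDSIG "):
            fields = line.split()
            return {fields[2].upper(), fields[-1].upper()}
    return set()

def verify_release(archive, sums_path, sig_path, fingerprint=PINNED_FINGERPRINT):
    """Pinned-key signature check first, then the archive checksum."""
    if fingerprint.upper() not in signature_key_fingerprints(sums_path, sig_path):
        return False
    archive = Path(archive)
    return verify_bytes(archive.name, archive.read_bytes(), Path(sums_path).read_text())
```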

On April 15, 2021, Codecov (a code coverage solution) publicly disclosed a security event during which an unauthorized party was able to modify a Codecov component that Codecov customers download and run as part of using the solution.

These modifications potentially allowed the unauthorized party to exfiltrate information stored in the continuous integration (CI) environments of Codecov users. Codecov revealed that the unauthorized access began on January 31, 2021 and was identified and remediated on April 1, 2021.

The leak occurred because the Codecov Bash Uploader script (codecov-bash), designed to upload coverage reports from continuous integration systems, was used in HashiCorp's infrastructure. During the attack on Codecov, a backdoor was embedded in that script which sent passwords and encryption keys to a server controlled by the attackers.

To break into Codecov's infrastructure, the attackers exploited an error in the Docker image creation process that allowed them to extract the credentials for GCS (Google Cloud Storage) needed to modify the Bash Uploader script distributed from the codecov.io website.

The changes were made on January 31 and went unnoticed for two months, allowing the attackers to extract information stored in customers' continuous integration environments. With the added malicious code, the attackers could obtain information about the Git repository being tested and all environment variables, including tokens, encryption keys and passwords passed to continuous integration systems to provide access to application code, repositories and services such as Amazon Web Services and GitHub.

HashiCorp was affected by a security incident at a third party (Codecov) that led to the possible disclosure of confidential information. As a result, the GPG key used for release signing and verification has been rotated. Customers who verify HashiCorp release signatures may need to update their process to use the new key.

While the investigation has revealed no evidence of unauthorized use of the exposed GPG key, it has been rotated to maintain a reliable signature mechanism.

In addition to direct invocation, the Codecov Bash Uploader script is used as part of other uploaders such as Codecov-action (GitHub), Codecov-circleci-orb and Codecov-bitrise-step, whose users are also affected by the problem.

Finally, all users of codecov-bash and related products are advised to audit their infrastructure and rotate passwords and encryption keys.

HashiCorp has also released patched versions of Terraform and related tools that update the automatic verification code to use the new GPG key, and has provided a separate Terraform-specific guide.

If you want to know more, you can check the details at the following link.
