Hello, welcome to the Monday, April 19th, 2021 edition of the Santernut Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

This weekend, the day went a little bit more into depth with decoding Cobalt strike traffic.

Remember, he talked about this in the past,

and one of the features here to remember with Cobalt Strike

is that the traffic is not encrypted if the attacker

uses the trial version of Cobalt Strike.

So that's sort of how you would get access to the data, but then of course

it's still encoded, so the DA walks you through some of the decoding of that traffic.

And I may have yet another significant breach that may affect your software supply chain. This time

it's CodeCove that's affected.

CodeCove makes software that checks code coverage during testing,

so it's often integrated in your CICD pipeline.

According to a statement on CodeCov's website,

the attacker was able to exploit a weakness in the Docker image creation process at CodeCuff that then gave the attacker access to a bash uploader script that's often used with CodeCuff and the attacker modified the script, essentially copying data to a third-party's

web server. So since this tool is often integrated in your development pipeline and essentially

conducts automatic tests and reports on them, any credentials that you used in your CICD pipeline may have been at risk.

A reasonable detailed statement by code curve that is linked to in the show notes does explain

what to look for, how to check whether or not the copy of this

batch uploader script that you're using is affected, and also how to fix the

problem if you're running into any affected bash uploader scripts. And

according to the statement, if you're self-hosting code curve, then you're less likely

...