[HN Gopher] JetBrain's TeamCity May Be Entry Point for U.S. Hack
___________________________________________________________________
JetBrain's TeamCity May Be Entry Point for U.S. Hack
Author : ChefboyOG
Score : 98 points
Date : 2021-01-06 20:58 UTC (2 hours ago)
(HTM) web link (nytimes.com)
(TXT) w3m dump (nytimes.com)
| foepys wrote:
| > SolarWinds confirmed Wednesday that it used TeamCity software
| to assist with the development of its software and was
| investigating the software as part of its investigation. The
| company said it had yet to confirm a definitive link between
| JetBrains and the breach and compromise of its own software.
|
| This is a very big "may". Reads like they are simply basing these
| allegations on the Russian founders' part.
| swyx wrote:
| it is unbelievable, the irresponsibility of the NYT, to not
| provide more substantive evidence before going to print with
| this "may be", particularly with this title. The reputational
| hit alone will cost Jetbrains millions including across
| unrelated products (which they encourage by fluffing out this
| piece with Jetbrains' customer list without regard as to
| whether or not they use TeamCity).
| Ericson2314 wrote:
| Serves Jetbrains right for being privately held and not an
| investment vehicle open to global capital. /s
| keraf wrote:
| Most people familiar with JetBrains (like software and system
| engineers) will likely read through the lines and simply
| ignore this article, given the good reputation of the
| company. The worrying part is that this type of article is
| destined for the less techy reader like the higher ups
| approving software purchases.
|
| The lack of evidence feels like they got fingers pointed at
| them just for being... Russian?
| twistedpair wrote:
| Doesn't SolarWinds have offices in Eastern Europe? Perhaps some
| Russians work in those offices? Jump to conclusions mat?
| quaffapint wrote:
| They probably already had access to the network and just used
| TeamCity since that was SolarWinds build process. Or someone
| really misconfigured things to allow external access.
| uncledave wrote:
| I suspect TC may have been leveraged but it doesn't mean it's
| responsible for every horrible misconfiguration that can occur.
|
| Case in point, I have used TC to gain AD administrative
| privileges before because the idiot who set it up ran a build
| agent as a domain admin so it could get access to a locked down
| signing cert. I just created a new build to add me to the right
| group and ran it on that agent.
|
| These things are really trivial to find and exploit. Also the
| build agents will obtain and run almost any untrusted software
| and leave it on disk quite happily for when a later build comes
| along.
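The misconfiguration described in the comment above (a build agent service running under a domain-admin account) is something a defender can audit for directly. The script below is an added example and is not code from the thread or from JetBrains; it assumes Windows build-agent hosts, a domain-joined machine with the ActiveDirectory (RSAT) PowerShell module installed, and rights to enumerate the privileged groups. It lists every Windows service whose run-as account is a (possibly nested) member of a privileged AD group, which is exactly the condition that lets a build job escalate to the domain.

```powershell
# Added audit example (not from the thread): report Windows services whose
# run-as account belongs to a privileged AD group. Assumes the ActiveDirectory
# module is installed and the caller can enumerate the groups listed below.
param(
    [string[]]$ComputerName     = @($env:COMPUTERNAME),
    [string[]]$PrivilegedGroup  = @('Domain Admins', 'Enterprise Admins')
)

Import-Module ActiveDirectory -ErrorAction Stop

# Map of lower-cased SamAccountName -> group that makes it privileged.
# -Recursive resolves nested group membership.
$privileged = @{}
foreach ($g in $PrivilegedGroup) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            ForEach-Object { $privileged[$_.SamAccountName.ToLowerInvariant()] = $g }
    } catch {
        Write-Warning "Could not enumerate group '$g': $_"
    }
}

function Get-AccountName {
    # Service run-as names arrive as 'DOMAIN\user', 'user@domain', or a
    # built-in name such as 'LocalSystem'; return just the account part.
    param([string]$StartName)
    if ([string]::IsNullOrEmpty($StartName)) { return $null }
    if ($StartName -match '^[^\\]+\\(.+)$') { return $Matches[1] }
    if ($StartName -match '^([^@]+)@')      { return $Matches[1] }
    return $StartName
}

$findings = foreach ($c in $ComputerName) {
    Get-CimInstance -ClassName Win32_Service -ComputerName $c |
        ForEach-Object {
            $acct = Get-AccountName $_.StartName
            if ($acct -and $privileged.ContainsKey($acct.ToLowerInvariant())) {
                [pscustomobject]@{
                    Computer = $c
                    Service  = $_.Name
                    RunAs    = $_.StartName
                    Group    = $privileged[$acct.ToLowerInvariant()]
                    Path     = $_.PathName
                    State    = $_.State
                }
            }
        }
}

if ($findings) {
    # Each row is a service that can act as a domain admin; a build agent
    # appearing here means any build job on that agent effectively can too.
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No services running under members of: $($PrivilegedGroup -join ', ')"
}
```

Run it against the list of build-agent hosts (`-ComputerName agent01,agent02`); any hit is a finding regardless of the service name, since the concern is the account's group membership, not which product owns the service. The fix the comment implies is the usual one: run agents under a dedicated low-privilege account and hand them the signing capability through a scoped mechanism rather than through domain-wide rights.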
| dr_faustus wrote:
| Sounds like SolarWinds hired a good PR agency with the goal to
| deflect blame and make it sound like a big conspiracy. JetBrains
| being a Czech/Russian company makes it the perfect scapegoat. As
| was pointed out, "solarwinds123" hints at very bad security
| practices, which makes some unpatched system or weak password the
| much likelier scenario. It might well be that the intruders then
| manipulated the SolarWinds TeamCity config. Would have done the
| same with Jenkins...
| sbelskie wrote:
| I'm worried this is going to turn out to be an unsecured TC instance
| after the article makes it sound like the underlying software was
| compromised.
| jen20 wrote:
| Given "solarwinds123" this seems like a perfectly reasonable
| default assumption at this point.
| edoceo wrote:
| Oh, I thought you were joking but, no.
|
| https://www.extremetech.com/computing/318430-security-
| resear...
| jrs235 wrote:
| I heard reports that the mismatched file download/installer hash
| was known and never fixed for MONTHS; if true, that points to
| incompetence at SolarWinds.
| gamesbrainiac wrote:
| Official Response from JB:
| https://blog.jetbrains.com/blog/2021/01/06/statement-on-the-...
| vngzs wrote:
| Reading between the lines, does this mean the attack may have
| simply been an on-prem install that was compromised, rather
| than every TeamCity install ever, or JetBrains' official SaaS
| version?
|
| Any developer tools company worth their salt should be
| dogfooding their own build system, so they likely build IDEs
| with this tool. In the worst case, IntelliJ/GoLand/etc could be
| compromised as a result. This would be unlikely to mean there's
| malicious source code floating around, but it could mean lots
| of privileged access to software companies' networks. If the
| attacks are as targeted as the NY Times article makes it out to
| be, discovering the full extent of the damage may take quite
| some time ...
| gamesbrainiac wrote:
| JetBrainer here. It was an on-premise instance of TeamCity.
| vngzs wrote:
| Thanks for the reply! With that CrowdStrike founder Dmitri
| Alperovitch quote in the article
|
| > Compromising and introducing a back door into a build
| environment such as TeamCity is the holy grail of a supply
| chain hack. It can allow an adversary to have thousands of
| SolarWinds-style back doors in all sorts of products in use
| by victims all over the world. This is a very big deal.
|
| it reads like this is much more widespread than I'm
| hearing. The NY Times has even gone back and edited the
| title, replacing "Russian" with "widely used." I hope the
| editors have another take at this before it gets
| republished on all the other news sites ...
| ArchOversight wrote:
| It is very likely that a CI/CD tool was improperly
| configured.
|
| As a former pen tester/red teamer, your favorite CI/CD tool
| is also my favorite way to gain access to a large footprint
| within the org.
| parhamn wrote:
| There were tweets by the author of this article suggesting more
| nefarious involvement here. Doesn't seem to be much
| substantiation though.
|
| [1]
| https://twitter.com/nicoleperlroth/status/134690958021993676...
| keyle wrote:
| God, reading that garbage upsets me. "Cybersecurity Reporter",
| not a very good one at that.
| MrRiddle wrote:
| Obscure software company?!
| swyx wrote:
| she is writing for a general audience, please let's not get
| upset about that one and focus on the actual lack of evidence.
| MrRiddle wrote:
| She's setting up a scene for a play. Just from those couple of
| lines I'm writing the whole thing off as the same neocon Russian
| witch hunt we saw in recent years.
|
| Obscure company? Ain't that some bullshit.
| edoceo wrote:
| I'm with you on that, those words serve to diminish the
| work and reputation of JetBrains even before the ~average
| reader understands who they are and what they do.
|
| Like "some idiot, edoceo" seeds that I'm a fool vs "my
| CTO, edoceo" (of course the truth is in the middle)
| fnord123 wrote:
| Agree. But Jet Brains is arguably more of a household name
| than VMWare.
| swyx wrote:
| distinction without a difference as far as the New York
| Times is concerned. I'm saying we as developers shouldn't
| make that our number 1 complaint (which it is, given
| responses to her twitter) instead of focusing on the
| irresponsibility of the NYT publishing a "may be" article
| with 1 line of speculation and 15 paragraphs of
| context/fluff and 0 lines of evidence or findings.
| ChefboyOG wrote:
| @mods - I changed the title from the original "Russian Software
| Company May Be Entry Point for U.S. Hack" to be more clear, as
| "Russian Software Company" felt vague and linkbait-y to me.
| Apologies if this violates the "No editorialized titles" policy.
| polka_haunts_us wrote:
| Is JetBrains even Russian? I thought they were Czech.
| avsbst wrote:
| The title and lede state they are "Russian-Owned" and a Czech
| company. Perhaps NYT edited title after publishing or
| original poster misread the title.
|
| _Russian-Owned Software Company May Be Entry Point for Huge
| U.S. Hacking_
|
| _Russian hackers may have piggybacked on a tool developed by
| JetBrains, which is based in the Czech Republic, to gain
| access to federal government and private sector systems in
| the United States._
| sam_lowry_ wrote:
| "Russian-owned" is still largely misleading. The company is
| owned by Russian speakers who lived and studied in Russia
| before starting JetBrains. Most (if not all) of them have
| two citizenships by now, one of which is Russian. The company is not
| owned by the Russian state and never has been.
| [deleted]
| amdolan wrote:
| Russian founders began the company in Prague and opened a
| Saint Petersburg office soon afterwards.
| sam_lowry_ wrote:
| Most of the software developers are in Saint-Petersburg,
| Russia. Russian founders opened a Czech company because
| being Russian, they could not easily reach world markets.
| MrRiddle wrote:
| Seems like business as usual, with old administration coming
| back, let the Russian witch hunt resume.
___________________________________________________________________
(page generated 2021-01-06 23:01 UTC)