Monday, December 18, 2023

This is really sad news


In the immediate aftermath of the SolarWinds attacks being announced in December 2020, I wrote a post based on a New York Times article I’d just read (although the day I wrote the post, January 6, 2021, turned out to be in the news for another reason). The article intimated that V. Putin & Co. had pulled off another audacious supply chain attack; it was supposedly achieved by compromising a software development product called TeamCity, which is sold by the company JetBrains. That company was founded by three Russian software developers in Prague; however, it still has operations in Russia.

In my post, I unfortunately stated that it was possible that the SolarWinds attack had been perpetrated by the Russians, working through a compromised copy of JetBrains’ TeamCity in use by SolarWinds (which is a JetBrains customer, along with many other software developers such as Siemens, Google, Hewlett-Packard and Citibank). That hadn’t been explicitly stated in the NYT article, and I was remiss for not reading it carefully enough.

Two weeks later (and a few days after I’d put up another post that made the same suggestion), I received a politely worded email from a person in Moscow who represents JetBrains. They pointed out that there was no evidence that TeamCity had been the launch point for the SolarWinds attack and asked that I apologize. Of course, I apologized in my post.

However, yesterday, almost three years after that exchange, I was very disappointed to learn that what I mistakenly stated three years ago has now come to pass: JetBrains TeamCity instances have been compromised recently, most likely in order to launch supply chain attacks on the customers of JetBrains’ software developer customers (which would presumably follow something like the model of the SolarWinds attacks). The Russian Foreign Intelligence Service (SVR) is now exploiting a critical vulnerability for which JetBrains has issued a patch, which – of course – hasn’t been universally applied. More than 100 devices running JetBrains software have been compromised, although so far the attackers haven’t launched any supply chain attacks. And just for good measure, it seems the North Koreans are attacking the same vulnerability.

In neither of these two incidents did JetBrains do anything wrong, other than perhaps the fact that the founders of the company didn’t carefully choose the country they would be born in. Let that be a lesson to us all!

Quite sad.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

I lead the OWASP SBOM Forum. If you would like to join or contribute to our group, please go here, or email me with any questions.
