back to article JetBrains TeamCity under attack by ransomware thugs after disclosure mess

Security researchers are increasingly seeing active exploit attempts using the latest vulnerabilities in JetBrains' TeamCity that in some cases are leading to ransomware deployment. Brody Nisbet, director of threat hunting operations at security shop CrowdStrike, xeeted on Tuesday that telemetry was already showing signs of …

  1. Doctor Syntax Silver badge

    "The situation has divided the cybersecurity community given that both parties have valid arguments for their respective policies."

    Reality seems to have decided the issue.

    1. Richard 12 Silver badge

      Well, no

      We don't have an alternative universe where JetBrains could quietly pretend nothing important was in the patch, apply it whenever - while miscreants (continue to) attack the holes thus silently disclosed.

      So we cannot compare whether this universe is better or worse.

      The security industry seems to have a pretty clear consensus that Jetbrains were wrong though. People don't update unless they are basically forced to (Microsoft/Apple approach), or the release notes indicates Really Bad Juju if you don't.

      So a quiet security patch is bad. Users will simply ignore it for a very long time, while miscreants will not.

      1. Herr Mann

        Re: Well, no

        >pretend nothing important was in the patch

        If proactively filing a CVE and emailing customers to motivate them to upgrade due to a security vulnerability or apply a patch when it became available is called "pretending nothing important was in the patch", then I definitely am in a different universe to yours.

        >apply it whenever

        TeamCity is an on-prem software, there is no way for JetBrains to "apply" any patch to force-update customers' software.

      2. yetanotheraoc Silver badge

        Re: Well, no

        The article: "The situation has divided the cybersecurity community"

        vs

        You: "The security industry seems to have a pretty clear consensus"

        Still, one could argue Rapid7 did JetBrains a big favour by making sure JetBrains' customers will be pissed off at Rapid7 instead of at JetBrains.

        1. Fred Daggy Silver badge
          Unhappy

          Re: Well, no, actually, yes

          Rapid 7 have basically done the equivalent of shouting "Fire, Fire" in a packed cinema causing panic. When the cinema (JetBeans) had their own procedure for evacuating the cinema.

          If I was an affected JetBeans customer, I'd be lawyering up to take on Rapid 7, for sure.

      3. Kapsalon

        Re: Well, no

        This is not about users, this is about companies that are customers of JetBrains. So JetBrains can contact them and advise to patch ASAP, explaining why. And then companies normally act. I have seen similar actions being taken by other vendors.

        I think Rapid7 wanted to get the credits for finding the vulnerabilities. That is OK, but don't publicise ALL details, don't throw JetBrains under the bus because they are not communicating correctly. CVEs without details should have been published on day 1 of patch availability, but not full details. From day 1 the companies/customers can patch, so same or next day (change procedures) or wait longer at their own risk.

        The best solution is to work together, this is a good example what happens if you don't!

    2. Anonymous Coward
      Anonymous Coward

      Reality x (Corporate) Complacency = Entirely Predictable Clusterfuck.

  2. spireite Silver badge
    Coat

    Failing to apply patches is commonplace

    Not specific to TeamCity but It's almost like admins are Jet for Brains

    You have to question why you'd expose TC to the internet *without* insisting on a VPN or .similar to get at it.

    1. CowHorseFrog Silver badge

      Re: Failing to apply patches is commonplace

      Exactly theres no reason why some internal server like this should ever be on the public internet.

  3. hh121

    Still don't get it

    Why publish the how-to at all, unless you're a complete self aggrandising wanker who wants to show off how clever you are. The people they're hurting aren't going to be buying anything from Rapid7, not before and definitely not after. Unless it's a bug bounty shake down merchant, in which case who's the one taking hostages here.

  4. Anonymous Coward
    Anonymous Coward

    >Due to the uncoordinated disclosure of the two vulnerabilities between JetBrains and the researchers at Rapid7 who first discovered and reported the issues this week, all the information that was required for an attacker to develop a working exploit was made public on the same day the patches were released.

    But wasn't that Rapid7's plan all along? Their policy clearly states they intend to publish full vulnerability details along with the patched software. It's weird to be shifting blame on JetBrains for this.

    Coordinated or not, Rapid7 would be releasing full details anyway.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like