Search This Blog

Showing posts with label SolarWinds Hack. Show all posts

JetBrains – A possible Doorway to Massive Hacking Plot?

 

JetBrains a software company based in the Czech Republic could possibly be used as a doorway by Russian hackers to secure access to United States private sector systems and federal government systems. American intelligence agencies and private Cybersecurity researchers are investigating the position of a software company that could possibly be used as a pathway by Russian hackers to inject malware that would glide to several technology firms.

JetBrains a software company established in Prague, Czech Republic has more than 1,200 employees and the company’s products are widely used across the globe by more than 300,000 companies and 9,000,000 developers which include 79 Fortune Global 100 companies and 95 Fortune 100 companiesJetBrains is widely recognized as a leading instrument for developing software.

Numerous leading companies like Citibank, Google, Netflix, HP, Twitter, Volkswagen, Expedia, NASA, Valve, Ubisoft, VMware, The New York Times, and Hewlett-Packard are among its consumers and it also has a major say in developing the software for Siemens – a leading supplier of technology in a sensitive framework such as nuclear and power plants.

Maxim Shafirov, the company’s chief executive officer stated in a post that “we have not been contacted by any government or security agency regarding this matter, nor are we aware of being under any investigation, if such an investigation is undertaken, the authorities can count on our full cooperation”.

SolarWinds, the company stationed in Austin, Texas is one of the primary consumers of JetBrains. TeamCity software is a product of JetBrains, it is a continuous integration and deployment system used for unit testing and code quality analysis. The software was utilized as a weapon by the threat actors to gain access to the SolarWinds TeamCity server by manipulating high severity vulnerabilities. However, JetBrains’ CEO denied all the allegations regarding the involvement of the company in the SolarWinds hack.

Password Guessing Used as a Weapon by SolarWinds Hackers to Breach Targets

 

Cybersecurity and Infrastructure Security Agency (CISA) informed that perpetrators of SolarWinds attack obtained confidential information via common hacker techniques like password guessing, password spraying, and illicitly acquired administrative credentials attainable via external remote access services.

The hackers manipulated the IT management company SolarWinds update to secure unauthorized entrance to government systems. The perpetrators inserted malware into an update the company shared with thousands of its clients which then initiated a command and directed the channel to an external server. Microsoft stated that the hacker’s primary aim was to secure entrance to cloud hosted infrastructure, which at many instances was possessed by the company’s Azure and Microsoft 365 environments. 

The threat actors behind the SolarWinds hack gained access by password guessing [T1101.001], password spraying [T1101.003] and were not consistently counting on the trojanized Orion app as its primary access vector.

CISA has urged the United States government agencies to upgrade the SolarWinds Orion platform to the latest version 2020.2.1HF2 and the agencies that are not willing to upgrade the SolarWinds Orion platform should take their Orion systems offline. The attackers modified several Orion app versions to attach malware and used a malware strain called Sunburst (or Solorigate) to corrupt the Orion app updates, versions 2019.4 via 2020.1 which were released between March 2020 and June 2020.

“CISA has evidence that there are initial access vectors other than the SolarWinds Orion platform and has identified legitimate account abuse as one of these vectors (for details refer to Initial Access Vectors section), specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with the adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified” the agency stated.

The SolarWinds hack was first discovered by the US Cybersecurity company FireEye on December 8th when the cybersecurity firm released a blog revealing an attack on its systems and the attack have impacted the highest authorities of United States which includes the Department of Homeland Security, Department of Commerce, US Treasury and parts of the Pentagon. The hackers were believed to be from Russia, based on several pieces of evidence, however, Russia constantly denies the allegations.