Changelog: The never-ending coordinated disclosure debate


Welcome to Changelog for 3/7/2024, published by Synack! README senior editor Nathaniel Mott here with the week’s top security news.

The payload

Did anyone have “continue to debate about coordinated disclosure policies” on their bingo card for this month? If so, be sure to send Rapid7 and JetBrains a thank you card, because their public spat over a pair of vulnerabilities in the TeamCity DevOps tool has once again brought that argument to the forefront of the cybersecurity conversation.

Rapid7 said it discovered the vulns, CVE-2024-27198 and CVE-2024-27199, in February. Then it disclosed both vulnerabilities to JetBrains. So far, so good – that is, until March 4, when the security company “noted that JetBrains released a fixed version of TeamCity without notifying Rapid7 that fixes had been implemented and were generally available” then “published an advisory on the vulnerabilities without responding to Rapid7 on the disclosure timeline” before finally telling Rapid7 the CVEs were live.

JetBrains published an additional blog post about its handling of CVE-2024-27198 and CVE-2024-27199 after Rapid7 published its complaints. That blog post indicates that Rapid7 disclosed the vulns on Feb. 19, and by Feb. 23, JetBrains had decided to cut Rapid7 out of the loop.

“At this point, we made a decision not to make a coordinated disclosure with Rapid7 as we strongly believe that publishing all technical details at the same time as releasing a fix allows anyone to immediately exploit the issue before all customers have had a chance to patch their servers,” JetBrains said. “Our highest priority is to ensure our customers are notified of any critical security issues and have time to install a security patch or upgrade before more technical details are made public.”

I have a few problems with this reasoning. The first is that TeamCity users probably want to know about a critical vulnerability in the software; they might even be more likely to install the patch if they’re aware of the risks of running an older version of the tool. The second is that dedicated hackers could probably discover these vulns for themselves by diffing the March 4 patch against the previous release. The final—and perhaps most important—is that the Streisand effect is a thing.

Would someone have attempted to exploit these vulnerabilities in TeamCity if Rapid7’s blog post went live alongside JetBrains’ update? Yeah. That happens for every publicly disclosed vuln. But the drama surrounding the handling of these vulnerabilities has now brought far more attention to them. 

GreyNoise said on March 6 that it’s seeing “broad exploitation of JetBrains CVE-2024-27198,” so any TeamCity users who haven’t installed the March 4 update should do so. They might also want to cross their fingers and hope that JetBrains reconsiders its handling of vulnerability disclosures in the future, because the company has made it clear that “coordinated disclosure” isn’t a priority, even though the alternative is researchers keeping their findings to themselves or, you know, just dropping zero-days.

The week, compiled

They say there’s no honor among thieves… and they’re right! ALPHV / BlackCat has stolen a $22 million ransom paid by Change Healthcare to a now-former affiliate. The ransomware attack on Change Healthcare “shut down the nation’s biggest health care payment system, causing financial chaos that affected a broad spectrum ranging from large hospitals to single-doctor practices,” according to The New York Times.

Brian Krebs reported on March 5 that “the cybercriminal who claims to have given BlackCat access to Change’s network says the crime gang cheated them out of their share of the ransom” and that BlackCat’s dark web site had been updated with a takedown notice alleging that the FBI and other global law enforcement agencies had once again disrupted the ransomware gang’s operations. Which is a lie.



The Record reported on March 6 that “the DOJ, Europol and the NCA all denied any involvement in the new takedown notice.” There were technical indicators that the takedown notice was fake, too, and a spokesperson for the group said on a cybercrime forum that they “decided to completely close the project” because “the feds screwed us over.” We’ll see how many lives these cats have left in them.

Now for some of the biggest security-related headlines of the week:

Ars Technica: As long as we’re on the subject of silent patches, Microsoft patched a Windows security flaw in February with “no mention that the North Korean threat group Lazarus had been using the vulnerability since at least August to install a stealthy rootkit on vulnerable computers,” which seems like the kind of thing organizations running entire fleets of Windows machines would want to know about.

SecurityWeek: VMware “rolled out urgent patches for critical-severity flaws in the enterprise-facing ESXi, Workstation, Fusion and Cloud Foundation products” on March 5, and in some cases, the vulnerabilities were severe enough that fixes were made available to end-of-life products the company doesn’t technically support anymore. Now would be a good time to make sure those products are up to date.

TechCrunch: The Treasury Department announced on March 5 that it was issuing sanctions against “the founder of the notorious spyware company Intellexa and one of his business partners” because the spyware had been “used to target Americans, including U.S. government officials, journalists and policy experts.” These are the first—but probably not the last—sanctions of their kind against individuals.

A message from Synack

Pentesting on a FedRAMP Moderate Authorized Platform. Synack has achieved the Moderate "Authorized" designation from the U.S. Federal Risk and Authorization Management Program (FedRAMP), demonstrating that Synack's premier security testing platform meets the cloud compliance framework's rigorous requirements at the Moderate level. The milestone approval means government agencies can deploy Synack's best-in-class penetration testing and vulnerability management solutions – even for internal data, and in systems that process Controlled Unclassified Information. To learn more about the news and your security testing options, head over to https://hubs.ly/Q02jpBQ30.

Flash memory

There’s a good chance that I hold the record for most parenthetical statements to appear on a computer screen. (It’s a problem.) But when it comes to forcing devices to display parentheses, nobody can compete with your average LISP programmer, because they toss that punctuation mark around like they’re Olive Garden servers distributing unlimited breadsticks to the seagulls from “Finding Nemo.”

We have John McCarthy to thank for that. The Computer History Museum said McCarthy released the first LISP Programmer’s Manual on March 1, 1960. Some takes on LISP programming languages—the two I’m most familiar with are Common Lisp and Clojure, but there are others, I’m sure—remain popular today. (The museum also said LISP is “the mother tongue of Artificial Intelligence” but I can’t really speak to that.)

Aside from those programming languages, perhaps the best-known use of LISP arrives via Emacs, the operating system that’s been pretending to be a text editor since the ’70s. LISP has allowed Emacs users to create everything from email clients and RSS readers to podcast clients and Git management tools in exchange for abusing the “(” and “)” keys on countless keyboards without mercy for several decades.

Local files

The Washington Post: Conditions at the National Institute of Standards and Technology, which is tasked with overseeing federal deployment of artificial intelligence and also sets widely used cybersecurity standards, are reportedly appalling. The offices are said to be contending with mold, leaky roofs and the spottiest internet connection this side of the ’90s.

CyberScoop: The U.S. Cybersecurity and Infrastructure Security Agency said “they have not seen serious attempts to meddle with election infrastructure in the lead-up to the Super Tuesday presidential primary.” The agency also isn’t communicating with social media companies, due to “court cases that officials say have ‘fundamentally’ changed how the federal government interacts with platforms.”

BleepingComputer: The latest edition of the FBI’s Internet Crime Report revealed that the U.S. lost $12.5 billion to online crimes in 2023. That’s a 22% increase over 2022, with most of the loss attributed to “Business Email Compromise (BEC), investment fraud, ransomware, and tech/customer support and government impersonation scams,” many of which disproportionately affect older Americans.

Off-script

The Wall Street Journal reported on March 1 that Reddit—the hottest thing to happen to online communities since vBulletin debuted at the turn of the millennium—is “targeting a valuation of up to $6.5 billion in its highly anticipated” initial public offering. That’s significantly less than the $15 billion valuation it was reportedly seeking in January 2022… but it’s still a lot of money for a company that primarily relies on user-generated content submitted to user-run communities for other users to discuss.



It also seems to be predicated on the news that Reddit plans to sell the massive amount of content on its platform to Google and other companies so they can train the large language models used in various chatbots that are in turn used to increase the value of their parent companies without clear benefits to pretty much anyone else. So it would be a shame if Reddit users were to remove their contributions from those datasets, or potentially even sabotage them, right? Well, that’s a matter of perspective.

Turns out that deleting a Reddit account (plus all of the associated posts and comments) is relatively simple. The Luddite has also released a Firefox extension that can be used to replace existing posts and comments with text snippets of the user’s choosing, which the outlet has repeatedly said is not supposed to be used to replicate copyrighted works, so as not to risk tainting the training data of companies purchasing this data with something the original copyright holders could sue over. (Wink.)