Vulnerabilities in JetBrains' TeamCity are now in the arsenal of ransomware gangs

Published: 13 March 2024
on channel: Tryhacking

As researchers have established, the attacks were carried out by operators of BianLian, a group already known for campaigns targeting CI/CD assets.
In the latest case, the attackers exploited CVE-2024-27198 and CVE-2024-27199 to bypass authentication and gain full control over the server.
This could have been avoided: JetBrains announced the fix for these vulnerabilities on March 4th. However, Rapid7 researchers undercut that effort by disclosing the vulnerability details too early, which led to active exploitation by malicious actors.
The attack chain involved exploiting a vulnerable TeamCity instance via CVE-2024-27198 or CVE-2023-42793 to gain initial access to the environment, followed by creating new users on the build server, executing malicious commands, and moving laterally.
It is currently unclear which of the two vulnerabilities the attackers used for the intrusion, but mass exploitation of CVE-2024-27198 was recorded on March 6th, involving the creation of fraudulent user accounts and the deployment of a BianLian Go-based backdoor via PowerShell.
BianLian is known to deploy its own Go-written backdoor for each victim and to remove remote desktop tools such as AnyDesk, Atera, SplashTop, and TeamViewer.
Microsoft tracks the backdoor as BianDoor.
JetBrains says that many customers managed to install the patches before the attacks began, but unfortunately not everyone did so in time, which led to the compromise of some servers, subsequent ransomware attacks, and attempted DDoS attacks.
The vendor blamed Rapid7 for the premature disclosure. Whether the dispute escalates into anything more than public bickering, or whether, as usual, those affected are left to rescue themselves while the customer bears the full cost, remains to be seen.

