Thursday, December 5, 2024
HomeCyber AttackTeamCity Vulnerability Exploits Leads to Surge in Ransomware Attacks

TeamCity Vulnerability Exploits Leads to Surge in Ransomware Attacks

Published on

SIEM as a Service

Attackers are taking advantage of vulnerabilities in JetBrains Teamcity to distribute ransomware, coinminers, and backdoor payloads.

Two critical vulnerabilities in the TeamCity On-Premises platform, identified as CVE-2024-27198 and CVE-2024-27199 by JetBrains, were published on March 4, 2024. 

These flaws enable attackers to bypass authentication safeguards and take over compromised servers. 

- Advertisement - SIEM as a Service

The confidentiality, integrity, and availability of sensitive data and vital systems are all at risk due to this criminal conduct, which also puts impacted businesses’ finances and operations at risk.

All TeamCity On-Premises versions up to 2023.11.3 are affected by the issues; version 2023.11.4 was released to fix them.

Rapid7’s Principal Security Researcher, Stephen Fewer, found the two vulnerabilities, which were then reported by Rapid7’s vulnerability disclosure policy.

There are currently publicly available proof-of-concept (POC) exploits for these vulnerabilities, which increases the likelihood that they will be widely used.

Document

Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.:

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, that helps you to quantify risk accurately:

Details of the Vulnerabilities

CVE-2024-27199– Directory Traversal Vulnerability

A directory traversal vulnerability (CWE-22) in the TeamCity web component, identified as CVE-2024-27199, has a high CVSS score of 7.3 and has a possibility for bypassing authentication. 

An attacker can use this vulnerability to change a small number of TeamCity system settings and disclose confidential information.

CVE-2024-27198– Authentication Bypass Vulnerability

With a Critical CVSS score of 9.8, CVE-2024-27198 is an authentication bypass vulnerability in the TeamCity web component that also includes an alternate path issue (CWE-288). 

An unauthorized attacker could use this vulnerability to remote code execution (RCE).

CVE-2024-27198 has also been added to the list of known exploited vulnerabilities maintained by the US Cybersecurity and Infrastructure Security Agency (CISA). 

Trend Micro reported that threat actors can carry out a range of malicious operations by using CVE-2024-27198, including:

  • Dropping the Jasmin ransomware
  • Deploying the XMRig cryptocurrency miner
  • Deploying Cobalt Strike beacons
  • Deploying the SparkRAT backdoor
  • Executing domain discovery and persistence commands
Attack Flow
Attack Flow

“Threat actors might exploit CVE-2024-27198 or CVE-2024-27199 to bypass authentication on vulnerable On-Premise TeamCity servers and perform follow-on commands”, Trend Micro researchers shared with Cyber Security News.

“They are then able to perform RCE and TeamCity-related processes, such as spawning a command and scripting interpreter (including PowerShell) to download additional malware or perform discovery commands”.

The malware that the attackers install can communicate with the system’s command-and-control (C&C) server and execute extra commands, like deploying Cobalt Strike beacons and remote access trojans (RATs). Finally, as a final payload, ransomware can be installed to encrypt files and demand ransom payments from victims.

During the post-exploitation stage, one of the threat actors that researchers discovered was taking advantage of these vulnerabilities and distributed a variant of the open-source Jasmin ransomware.

In addition to renaming files, the ransomware can leave a ransom note.

Ransom note dropped by the Jasmin ransomware
Ransom note dropped by the Jasmin ransomware

Experts also saw threat actors infecting susceptible TeamCity servers with a variant of the open-source cryptocurrency-mining malware called XMRig. 

In addition, researchers discovered that threat actors were using vulnerable TeamCity servers with the Golang-based SparkRAT backdoor and a variant of the open-source XMRig cryptocurrency mining malware. 

Customers of TeamCity are encouraged to update their software as soon as possible if these vulnerabilities impact their servers.

Hence, it is essential to take immediate action to reduce these vulnerabilities and stop ransomware extortion and other infections from causing more harm.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

Fuji Electric Indonesia Hit by Ransomware Attack

Fuji Electric Indonesia has fallen victim to a ransomware attack, impacting its operations and...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...