Saturday, May 25, 2024

TeamCity Vulnerability Exploits Lead to Surge in Ransomware Attacks

Attackers are taking advantage of vulnerabilities in JetBrains TeamCity to distribute ransomware, coinminers, and backdoor payloads.

Two critical vulnerabilities in the TeamCity On-Premises platform, identified as CVE-2024-27198 and CVE-2024-27199 by JetBrains, were published on March 4, 2024. 

These flaws enable attackers to bypass authentication safeguards and take over compromised servers. 

Exploitation of these flaws puts the confidentiality, integrity, and availability of sensitive data and critical systems at risk, and with them the finances and operations of affected businesses.

All TeamCity On-Premises versions up to 2023.11.3 are affected by the issues; version 2023.11.4 was released to fix them.
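The version boundary above (everything up to 2023.11.3 affected, 2023.11.4 fixed) is the one fact a defender needs to triage a fleet of TeamCity servers. The script below is an added example, not code from the article or from JetBrains; it assumes versions are reported as dotted numeric strings such as "2023.11.3", optionally followed by a build suffix like " (build 129421)", and the hostnames, versions and build numbers in the sample inventory are constructed.

```python
"""Triage TeamCity On-Premises version strings against the fixed release.

Added example (not from the article or JetBrains). Assumes versions look
like "2023.11.3" or "2023.11.3 (build 129421)"; the sample inventory is
constructed.
"""
import re
from typing import List, Tuple

# First release that fixes CVE-2024-27198 and CVE-2024-27199 (per the article).
FIXED_VERSION = "2023.11.4"

# Leading dotted-number part of a version string; anything after it is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")


def parse_version(raw: str) -> Tuple[int, ...]:
    """Turn "2023.11.3 (build 129421)" into (2023, 11, 3).

    Raises ValueError for strings that do not start with a dotted number.
    """
    match = _VERSION_RE.match(raw)
    if not match:
        raise ValueError(f"unrecognised TeamCity version string: {raw!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def _pad(parts: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    # "2023.11" compares as (2023, 11, 0): a missing patch number is treated
    # as .0, the earliest release in that line, so it is never under-counted.
    return parts + (0,) * (width - len(parts))


def is_vulnerable(raw: str) -> bool:
    """True when the version is older than the first fixed release."""
    current = parse_version(raw)
    fixed = parse_version(FIXED_VERSION)
    width = max(len(current), len(fixed))
    return _pad(current, width) < _pad(fixed, width)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify (hostname, version) pairs as PATCH, OK or UNKNOWN."""
    results = []
    for host, raw in inventory:
        try:
            status = "PATCH" if is_vulnerable(raw) else "OK"
        except ValueError:
            # Unparseable versions are surfaced rather than silently skipped.
            status = "UNKNOWN"
        results.append((host, raw, status))
    return results


# Constructed sample inventory: hostnames, versions and build numbers are made up.
SAMPLE_INVENTORY = [
    ("ci-build-01.example.internal", "2023.11.3 (build 129421)"),
    ("ci-build-02.example.internal", "2023.11.4 (build 130123)"),
    ("ci-legacy.example.internal", "2022.10"),
    ("ci-new.example.internal", "2024.03"),
    ("ci-broken.example.internal", "unknown"),
]

if __name__ == "__main__":
    for host, raw, status in triage(SAMPLE_INVENTORY):
        print(f"{status:8} {host:32} {raw}")
```

Feed it the version string from each server's About page or asset inventory; anything marked PATCH is on a release the article lists as affected, and UNKNOWN rows need a manual look rather than being assumed safe.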

Rapid7’s Principal Security Researcher, Stephen Fewer, found the two vulnerabilities, which were reported to JetBrains under Rapid7’s vulnerability disclosure policy.

Proof-of-concept (PoC) exploits for these vulnerabilities are now publicly available, which increases the likelihood that they will be widely exploited.



Details of the Vulnerabilities

CVE-2024-27199 – Directory Traversal Vulnerability

CVE-2024-27199 is a directory traversal vulnerability (CWE-22) in the TeamCity web component. It carries a High CVSS score of 7.3 and allows a limited authentication bypass.

An attacker can use this vulnerability to modify a limited number of TeamCity system settings and to disclose sensitive information.

CVE-2024-27198 – Authentication Bypass Vulnerability

With a Critical CVSS score of 9.8, CVE-2024-27198 is an authentication bypass vulnerability in the TeamCity web component that stems from an alternate path or channel issue (CWE-288).

An unauthenticated attacker could use this vulnerability to achieve remote code execution (RCE).

CVE-2024-27198 has also been added to the list of known exploited vulnerabilities maintained by the US Cybersecurity and Infrastructure Security Agency (CISA). 

Trend Micro reported that threat actors can carry out a range of malicious operations by using CVE-2024-27198, including:

  • Dropping the Jasmin ransomware
  • Deploying the XMRig cryptocurrency miner
  • Deploying Cobalt Strike beacons
  • Deploying the SparkRAT backdoor
  • Executing domain discovery and persistence commands
[Figure: Attack flow]

“Threat actors might exploit CVE-2024-27198 or CVE-2024-27199 to bypass authentication on vulnerable On-Premise TeamCity servers and perform follow-on commands”, Trend Micro researchers shared with Cyber Security News.

“They are then able to perform RCE and TeamCity-related processes, such as spawning a command and scripting interpreter (including PowerShell) to download additional malware or perform discovery commands”.

The malware that the attackers install can communicate with its command-and-control (C&C) server and execute further commands, such as deploying Cobalt Strike beacons and remote access trojans (RATs). As a final payload, ransomware can be installed to encrypt files and demand ransom payments from victims.
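The behaviour described above, the TeamCity server process spawning a command or scripting interpreter such as PowerShell, is something a defender can watch for in process-creation telemetry. The detector below is an added example, not code from the article or from Trend Micro. Its log format, field names and process paths are assumptions: each record is a constructed JSON line carrying the fields most EDR and Sysmon-style sources expose (parent image, parent command line, image, command line), and it assumes the TeamCity server runs as a Java process launched from the TeamCity install directory. It also handles the main false-positive source, TeamCity build agents, which legitimately spawn shells to run build steps and are excluded by the agent markers.

```python
"""Flag the TeamCity server JVM spawning a command or scripting interpreter.

Added example (not from the article or Trend Micro). Log format, field
names, install paths and all sample events are assumptions/constructed.
"""
import json
import ntpath
import posixpath
from typing import Dict, List

# Interpreters the article names (PowerShell) plus the usual shells.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}

# Assumption: the server JVM's command line references the install dir,
# e.g. C:\TeamCity\bin or /opt/teamcity/bin. Build agents are identified by
# their agent jar and are excluded because they spawn shells legitimately.
SERVER_MARKERS = ("\\teamcity\\bin", "/teamcity/bin")
AGENT_MARKERS = ("agent.jar", "buildagent")


def basename(path: str) -> str:
    """Last path component for either Windows or POSIX paths."""
    return ntpath.basename(path) if "\\" in path else posixpath.basename(path)


def is_teamcity_server(parent_image: str, parent_cmdline: str) -> bool:
    """Parent is a JVM whose command line points at the server, not an agent."""
    if basename(parent_image).lower() not in {"java.exe", "java"}:
        return False
    haystack = parent_cmdline.lower()
    if any(marker in haystack for marker in AGENT_MARKERS):
        return False
    return any(marker in haystack for marker in SERVER_MARKERS)


def load_events(jsonl: str) -> List[Dict[str, str]]:
    """Parse JSON-lines process-creation records, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events where the TeamCity server spawned an interpreter."""
    hits = []
    for ev in events:
        child = basename(ev.get("image", "")).lower()
        if child in INTERPRETERS and is_teamcity_server(
            ev.get("parent_image", ""), ev.get("parent_cmdline", "")
        ):
            hits.append(ev)
    return hits


# Constructed sample telemetry (JSON lines); hosts, paths and commands are made up.
SAMPLE_LOG = r"""
{"host": "ci-srv-win", "parent_image": "C:\\TeamCity\\jre\\bin\\java.exe", "parent_cmdline": "java.exe -Xmx2g -classpath C:\\TeamCity\\bin\\bootstrap.jar", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -NoProfile -Command <constructed>"}
{"host": "ci-agent-01", "parent_image": "C:\\BuildAgent\\jre\\bin\\java.exe", "parent_cmdline": "java.exe -jar C:\\BuildAgent\\lib\\agent.jar", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c build.bat"}
{"host": "ci-srv-win", "parent_image": "C:\\TeamCity\\jre\\bin\\java.exe", "parent_cmdline": "java.exe -Xmx2g -classpath C:\\TeamCity\\bin\\bootstrap.jar", "image": "C:\\Program Files\\Git\\bin\\git.exe", "cmdline": "git.exe fetch origin"}
{"host": "ws-user-07", "parent_image": "C:\\Windows\\explorer.exe", "parent_cmdline": "explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe"}
{"host": "ci-srv-linux", "parent_image": "/opt/teamcity/jre/bin/java", "parent_cmdline": "/opt/teamcity/jre/bin/java -classpath /opt/teamcity/bin/bootstrap.jar", "image": "/bin/sh", "cmdline": "sh -c <constructed>"}
"""

if __name__ == "__main__":
    for hit in detect(load_events(SAMPLE_LOG)):
        print(f"ALERT {hit['host']}: {basename(hit['parent_image'])} -> {hit['cmdline']}")
```

Only the two server-side records are flagged; the build agent, the server's own git child and the workstation PowerShell launch are ignored. In a real deployment the markers would be set to the actual install path and the rule scoped to server hosts, since an agent co-located on the server host would otherwise be invisible to the agent-marker exclusion.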

During the post-exploitation stage, researchers observed one threat actor exploiting these vulnerabilities to distribute a variant of the open-source Jasmin ransomware.

In addition to renaming files, the ransomware can leave a ransom note.

[Figure: Ransom note dropped by the Jasmin ransomware]

Experts also saw threat actors infecting susceptible TeamCity servers with a variant of the open-source cryptocurrency-mining malware XMRig.

In addition, researchers found threat actors deploying the Golang-based SparkRAT backdoor on vulnerable TeamCity servers alongside that XMRig variant.

Customers of TeamCity are encouraged to update their software as soon as possible if these vulnerabilities impact their servers.

Prompt patching is essential to remediate these vulnerabilities and to stop ransomware extortion and other infections from causing further harm.



Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
