TeamCity Vulnerability Exploits to Surge in Ransomware Attacks


Attackers are taking advantage of vulnerabilities in JetBrains Teamcity to distribute ransomware, coinminers, and backdoor payloads.

Two critical vulnerabilities in the TeamCity On-Premises platform, identified as CVE-2024-27198 and CVE-2024-27199 by JetBrains, were published on March 4, 2024. 

These flaws enable attackers to bypass authentication safeguards and take over compromised servers. 

The confidentiality, integrity, and availability of sensitive data and vital systems are all at risk due to this criminal conduct, which also puts impacted businesses’ finances and operations at risk.

All TeamCity On-Premises versions up to 2023.11.3 are affected by the issues; version 2023.11.4 was released to fix them.

Rapid7’s Principal Security Researcher, Stephen Fewer, found the two vulnerabilities, which were then reported by Rapid7’s vulnerability disclosure policy.

There are currently publicly available proof-of-concept (POC) exploits for these vulnerabilities, which increases the likelihood that they will be widely used.

Document

Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.:

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, that helps you to quantify risk accurately:

Details of the Vulnerabilities

CVE-2024-27199– Directory Traversal Vulnerability

A directory traversal vulnerability (CWE-22) in the TeamCity web component, identified as CVE-2024-27199, has a high CVSS score of 7.3 and has a possibility for bypassing authentication. 

An attacker can use this vulnerability to change a small number of TeamCity system settings and disclose confidential information.

CVE-2024-27198– Authentication Bypass Vulnerability

With a Critical CVSS score of 9.8, CVE-2024-27198 is an authentication bypass vulnerability in the TeamCity web component that also includes an alternate path issue (CWE-288). 

An unauthorized attacker could use this vulnerability to remote code execution (RCE).

CVE-2024-27198 has also been added to the list of known exploited vulnerabilities maintained by the US Cybersecurity and Infrastructure Security Agency (CISA). 

Trend Micro reported that threat actors can carry out a range of malicious operations by using CVE-2024-27198, including:

  • Dropping the Jasmin ransomware
  • Deploying the XMRig cryptocurrency miner
  • Deploying Cobalt Strike beacons
  • Deploying the SparkRAT backdoor
  • Executing domain discovery and persistence commands
Attack Flow

“Threat actors might exploit CVE-2024-27198 or CVE-2024-27199 to bypass authentication on vulnerable On-Premise TeamCity servers and perform follow-on commands”, Trend Micro researchers shared with Cyber Security News.

“They are then able to perform RCE and TeamCity-related processes, such as spawning a command and scripting interpreter (including PowerShell) to download additional malware or perform discovery commands”.

The malware that the attackers install can communicate with the system’s command-and-control (C&C) server and execute extra commands, like deploying Cobalt Strike beacons and remote access trojans (RATs). Finally, as a final payload, ransomware can be installed to encrypt files and demand ransom payments from victims.

During the post-exploitation stage, one of the threat actors that researchers discovered was taking advantage of these vulnerabilities and distributed a variant of the open-source Jasmin ransomware.

In addition to renaming files, the ransomware can leave a ransom note.

Ransom note dropped by the Jasmin ransomware
Ransom note dropped by the Jasmin ransomware

Experts also saw threat actors infecting susceptible TeamCity servers with a variant of the open-source cryptocurrency-mining malware called XMRig. 

In addition, researchers discovered that threat actors were using vulnerable TeamCity servers with the Golang-based SparkRAT backdoor and a variant of the open-source XMRig cryptocurrency mining malware. 

Customers of TeamCity are encouraged to update their software as soon as possible if these vulnerabilities impact their servers.

Hence, it is essential to take immediate action to reduce these vulnerabilities and stop ransomware extortion and other infections from causing more harm.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.





Source link