Threat actors actively exploit JetBrains TeamCity flaws to deliver malware
March 20, 2024
Multiple threat actors are exploiting the recently disclosed JetBrains TeamCity flaw CVE-2024-27198 in attacks in the wild.
Trend Micro researchers are exploiting the recently disclosed vulnerabilities CVE-2024-27198 (CVSS score: 9.8) and CVE-2024-27199 (CVSS score 7.3) security flaws in JetBrains TeamCity to deploy multiple malware families and gain administrative control over impacted systems.
In early March, Rapid7 researchers disclosed two new critical security vulnerabilities, tracked as CVE-2024-27198 (CVSS score: 9.8) and CVE-2024-27199 (CVSS score:7.3), in JetBrains TeamCity On-Premises.
An attacker can exploit the vulnerabilities to take control of affected systems.
Below are the descriptions for these vulnerabilities:
- CVE-2024-27198 is an authentication bypass vulnerability in the web component of TeamCity that arises from an alternative path issue (CWE-288) and has a CVSS base score of 9.8 (Critical).
- CVE-2024-27199 is an authentication bypass vulnerability in the web component of TeamCity that arises from a path traversal issue (CWE-22) and has a CVSS base score of 7.3 (High).
“The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server.” reads the advisory published by JetBrains.
The flaws impact all TeamCity On-Premises versions through 2023.11.3, it was addressed with the release of version 2023.11.4.
The company also released a security patch plugin for those customers who are unable to patch their systems.
The two flaws were discovered by Stephen Fewer, Principal Security Researcher at Rapid7, were disclosed following Rapid7’s vulnerability disclosure policy.
Rapid7 published a detailed analysis of the two flaws here.
Describing the flaw CVE-2024-27198, the researchers pointed out that an unauthenticated attacker can use a specially crafted URL to bypass all authentication checks. A remote unauthenticated attacker can exploit this flaw to take complete control of a vulnerable TeamCity server.
Recently JetBrains addressed another critical vulnerability in TeamCity servers, tracked as CVE-2024-23917 (CVSS score: 9.8), that could be exploited by an unauthenticated attacker to gain administrative control of servers.
Since the public availability of Public proof-of-concept (POC) exploits for these vulnerabilities the risk of widespread exploitation increased. The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-27198 in its Known Exploited Vulnerabilities catalog.
Trend Micro reported that threat actors can exploit CVE-2024-27198 to perform a broad range of malicious activities, including:
- Dropping the Jasmin ransomware
- Deploying the XMRig cryptocurrency miner
- Deploying Cobalt Strike beacons
- Deploying the SparkRAT backdoor
- Executing domain discovery and persistence commands
“Threat actors might exploit CVE-2024-27198 or CVE-2024-27199 to bypass authentication on vulnerable On-Premise TeamCity servers and perform follow-on commands. They are then able to perform RCE and TeamCity-related processes, such as spawning a command and scripting interpreter (including PowerShell) to download additional malware or perform discovery commands.” reads the report published by Trend Micro. “The attackers are then able to install malware that can reach out to its command-and-control (C&C) server and perform additional commands such as deploying Cobalt Strike beacons and remote access trojans (RATs).”
Threat actors can deploy ransomware as a final payload, for example, one of the earliest actors that the experts spotted exploiting the above issues deployed a variant of the open-source Jasmin ransomware. In other instances analyzed by Trend Micro, threat actors deployed a variant of the open-source XMRig cryptocurrency-mining malware to vulnerable TeamCity servers.
In March, researchers from GuidePoint Security observed BianLian ransomware exploiting vulnerabilities in JetBrains TeamCity software in recent attacks.
The experts also observed several attempts to discover network infrastructure and employ persistence commands arising from the java.exe process under a vulnerable TeamCity server directory.
In other cases, attackers exploited the above flaws to deploy Cobal Strike beacon to vulnerable TeamCity servers.
“This malicious activity not only jeopardizes the confidentiality, integrity, and availability of sensitive data and critical systems but also imposes financial and operational risks for affected organizations. Swift action is imperative to mitigate these vulnerabilities and prevent further damage from ransomware extortion and other types of malware.” concludes the report.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, JetBrains TeamCity)