JetBrains TeamCity Mass Exploitation Underway, Rogue Accounts Thrive

Attacks targeting two security vulnerabilities in the TeamCity CI/CD platform have begun in earnest just days after its developer, JetBrains, disclosed the flaws on March 3.

The attacks include at least one campaign to distribute ransomware, and another in which a threat actor appears to be creating admin users on vulnerable TeamCity instances for potential future use.

One of the vulnerabilities (identified as CVE-2024-27198) has a near-maximum severity CVSS score of 9.8 out of 10 and is an authentication bypass issue in TeamCity's Web component. Researchers from Rapid7 who discovered the vulnerability and reported it to JetBrains have described it as enabling a remote unauthenticated attacker to execute arbitrary code to take full control of affected instances.

CVE-2024-27199, the other vulnerability that JetBrains disclosed, is a moderate-severity authentication bypass flaw in the same TeamCity Web component. It allows for a "limited amount" of information disclosure and system modification, according to Rapid7.

TeamCity Builders: A Valuable Target for Attackers

Some 30,000 organizations use TeamCity to automate build, testing and deployment processes for software projects in CI/CD environments. Like other recent TeamCity flaws, such as CVE-2024-23917 in February 2024 and CVE-2023-42793, which Russia's Midnight Blizzard group used in attacks last year (it is also known for the infamous SolarWinds supply chain attacks), the two new ones have stoked considerable concern.

The concerns have to do with the potential for attackers to abuse the flaws to take control of an organization's software builds and projects and launch mass supply chain attacks.

"Attackers are realizing that tools like TeamCity for configuration deployment are an easy way to rapidly propagate malicious code," says Greg Fitzgerald, co-founder of Sevco Security. Many also use trusted tools like TeamCity to enable lateral movement on a mass scale, he says.

Stephen Fewer, principal security researcher at Rapid7, says that armed with the new vulnerabilities, an attacker can use search engines like Shodan and FOFA to find exposed TeamCity servers. One caveat is that there is a high number of honeypot servers masquerading as TeamCity servers, so bad actors might have to do some extra work to find legitimate instances, he says.

Exploitation after discovery is trivial, Fewer says. "CVE-2024-27198 can be leveraged via a single HTTP request," he says. This allows "an attacker to create a new administrator user account or access token on the system, and from there the attacker can leverage this to completely take over the server, including remote code execution [RCE] on the target operating system."

By creating a new admin account on a vulnerable instance, an attacker can potentially access and modify all the resources that the TeamCity instance manages, including projects, build agents, and artifacts.

"Another avenue the attacker can employ is to leverage their access to run arbitrary commands on the underlying operating system to take full control over the server," Fewer says. One way to do this is by deploying a malicious TeamCity plug-in that hosts a payload of the attacker's choice. Another option is to leverage a REST API for debugging purposes that is available in some versions of TeamCity to run commands on the operating system. "From here, the attack may pivot deeper into the target's network, or establish persistence on the compromised server to maintain access," Fewer says.
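Because the observed post-exploitation activity is the creation of rogue administrator accounts, the practical defensive check is to enumerate every account holding the global system-administrator role and compare it against a known-good baseline. The script below is an added example, not code from the article, Rapid7 or JetBrains. It assumes the user list and per-user role documents have the shape of TeamCity's REST endpoints /app/rest/users and /app/rest/users/<locator>/roles (with a roleId of SYSTEM_ADMIN and a scope of "g" for global roles); the two JSON samples are constructed, not captured from a real server, so the script runs offline.

```python
"""Flag TeamCity accounts holding global SYSTEM_ADMIN that are not in a baseline.

Added example (not from the article or JetBrains). Assumptions:
  - users_doc has the shape of /app/rest/users:
        {"count": N, "user": [{"id": ..., "username": ..., "href": ...}, ...]}
  - each roles document has the shape of /app/rest/users/<locator>/roles:
        {"role": [{"roleId": "...", "scope": "g" | "p:<projectId>"}, ...]}
Both samples below are constructed for illustration.
"""
import json

SYSTEM_ADMIN = "SYSTEM_ADMIN"   # assumed roleId of the global administrator role
GLOBAL_SCOPE = "g"              # assumed scope value for global (non-project) roles

# Constructed sample of a small instance's user list.
USERS_JSON = json.dumps({
    "count": 3,
    "user": [
        {"id": 1, "username": "admin",   "href": "/app/rest/users/id:1"},
        {"id": 2, "username": "builder", "href": "/app/rest/users/id:2"},
        {"id": 3, "username": "xk7p2q",  "href": "/app/rest/users/id:3"},
    ],
})

# Constructed sample of each user's role document, keyed by user id.
ROLES_JSON = {
    1: json.dumps({"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}),
    2: json.dumps({"role": [{"roleId": "PROJECT_DEVELOPER", "scope": "p:MyProject"}]}),
    3: json.dumps({"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}),
}

# Accounts that are legitimately expected to hold global admin on this instance.
BASELINE_ADMINS = {"admin"}


def is_global_admin(roles_doc: str) -> bool:
    """True if the role document grants SYSTEM_ADMIN at global scope.

    A SYSTEM_ADMIN entry scoped to a single project is deliberately not counted.
    """
    roles = json.loads(roles_doc).get("role", [])
    return any(r.get("roleId") == SYSTEM_ADMIN and r.get("scope") == GLOBAL_SCOPE
               for r in roles)


def global_admins(users_doc: str, roles_by_id: dict) -> set:
    """Return the usernames of every account holding global SYSTEM_ADMIN."""
    users = json.loads(users_doc).get("user", [])
    empty = json.dumps({"role": []})
    return {u["username"] for u in users
            if is_global_admin(roles_by_id.get(u["id"], empty))}


def unexpected_admins(users_doc: str, roles_by_id: dict, baseline) -> list:
    """Admin accounts present on the server but absent from the baseline."""
    return sorted(global_admins(users_doc, roles_by_id) - set(baseline))


def missing_admins(users_doc: str, roles_by_id: dict, baseline) -> list:
    """Baseline admins that no longer hold the role (possible tampering)."""
    return sorted(set(baseline) - global_admins(users_doc, roles_by_id))


if __name__ == "__main__":
    rogue = unexpected_admins(USERS_JSON, ROLES_JSON, BASELINE_ADMINS)
    gone = missing_admins(USERS_JSON, ROLES_JSON, BASELINE_ADMINS)
    print("unexpected global admins:", rogue or "none")
    print("baseline admins no longer admin:", gone or "none")
```

On a live server the two JSON inputs would come from authenticated GET requests to the endpoints named above; the comparison logic is the same. Any account in the "unexpected" list on an instance that was exposed while unpatched should be treated as a compromise indicator, as LeakIX advises, and the same review should cover access tokens, which the page notes can be created by the same flaw.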

High-Severity JetBrains TeamCity Threats

On March 5, the director of CrowdStrike's threat hunting team reported observing several instances in which a threat actor had exploited the two flaws to deploy what appeared to be a modified version of Jasmin, an open source tool that red-team testers can use to simulate a real ransomware attack. Its maintainers have described Jasmin as a WannaCry clone.

Separately, LeakIX, a website that aggregates breach and leak data, reported detecting some 1,711 exposed TeamCity instances on the Internet, of which 1,442 showed signs of someone having created rogue user accounts on them via CVE-2024-27198. "If you were/are still running a vulnerable system, assume compromise," LeakIX noted on X, the platform formerly known as Twitter.

Meanwhile, the nonprofit Internet-monitoring site Shadowserver reported observing exploitation activity for CVE-2024-27198 beginning March 4, a day after JetBrains disclosed the flaw.

"If running JetBrains TeamCity on-prem — make sure to patch for the latest CVE-2024-27198 (remote auth bypass) & CVE-2024-27199 vulns NOW!," Shadowserver warned. The volunteer-based cyber threat intelligence group reported detecting 1,182 instances of TeamCity, some of which might already have a patch in place. It identified the top affected countries as the US with 298 instances, and Germany with 188.
