BianLian Threat Actors Exploiting JetBrains TeamCity Flaws in Ransomware Attacks
March 11, 2024 – Published on The Hacker News
The threat actors behind the BianLian ransomware have been observed exploiting security flaws in JetBrains TeamCity software to conduct their extortion-only attacks.
According to a new report from GuidePoint Security, which responded to a recent intrusion, the incident “began with the exploitation of a TeamCity server which resulted in the deployment of a PowerShell implementation of BianLian’s Go backdoor.”
BianLian emerged in June 2022, and has since pivoted exclusively to exfiltration-based extortion following the release of a decryptor in January 2023.
The attack chain observed by the cybersecurity firm entails the exploitation of a vulnerable TeamCity instance using CVE-2024-27198 or CVE-2023-42793 to gain initial access to the environment, followed by creating new users in the build server and executing malicious commands for post-exploitation and lateral movement.
It’s currently not clear which of the two flaws were weaponized by the threat actor for infiltration.
BianLian actors are known to implant a custom backdoor tailored to each victim written in Go, as well as drop remote desktop tools like AnyDesk, Atera, SplashTop, and TeamViewer. The backdoor is tracked by Microsoft as BianDoor.
“After multiple failed attempts to execute their standard Go backdoor, the threat actor pivoted to living-off-the-land and leveraged a PowerShell implementation of their backdoor, which provides an almost identical functionality to what they would have with their Go backdoor,” security researchers Justin Timothy, Gabe Renfro, and Keven Murphy said.
Read More HERE.