Threat Groups Rush to Exploit JetBrains’ TeamCity CI/CD Security Flaws
March 11, 2024 – Published on Security Boulevard
The cyberthreats to users of JetBrains’ TeamCity CI/CD platform continue to mount a week after the company issued two fixes to security vulnerabilities, with one cybersecurity vendor noting a ransomware attack that included exploiting the flaws for initial access and a search engine reporting that 1,442 vulnerable instances showed signs of exploitation.
Those reports followed others that indicated that bad actors began targeting the vulnerabilities a day after the fixes were released March 4 as well as a feud over disclosure policies between JetBrains and researchers at cybersecurity firm Rapid7 who first detected the bugs last month.
It adds up to a messy week for JetBrains and TeamCity users, a continuous integration and continuous development (CI/CD) platform that’s been around since 2006 and is pitched as software platform used to create a flexible development and collaboration environment.
Most recently, researchers with cybersecurity vendor GuidePoint Security that the operators behind the BianLian ransomware were exploiting the TeamCity vulnerabilities, initially trying to execute their backdoor malware written in the Go programming language. After failed attempts, the group turned to living-of-the-land methods, using a PowerShell implementation of the backdoor, which provided them with almost identical functionality, the researchers wrote in a report.
They detected the attack during an investigation of malicious activity within a customer’s network. It was unclear which of the two vulnerabilities the BianLian attackers exploited, they wrote.
After leveraging a vulnerable TeamCity instance to gain initial access, the bad actors were able to create new users in the build server and executed malicious commands that enabled them to move laterally through the network and run post-exploitation activities. In addition, they were able to create a new account on one of the build server and add the new account to users groups.
“The threat actor was detected in the environment after attempting to conduct a Security Accounts Manager (SAM) credential dumping technique, which alerted the victim’s VSOC, GuidePoint’s DFIR team, and GuidePoint’s Threat Intelligence Team (GRIT) and initiated the in-depth review of this PowerShell backdoor,” the researchers wrote.
Read More HERE.