Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Recent TeamCity Vulnerability Exploited in Ransomware Attacks

Servers impacted by recently patched TeamCity vulnerability CVE-2024-27198 targeted in ransomware attacks and abused for DDoS.

A TeamCity vulnerability disclosed recently in controversial circumstances is being exploited in ransomware attacks, according to the product’s developer and cybersecurity companies. 

On March 4, JetBrains, the developer of the TeamCity build management and continuous integration server, announced fixes for CVE-2024-27198 and CVE-2024-27199, two serious authentication bypass vulnerabilities. 

CVE-2024-27198, which has been rated critical, can be exploited by remote, unauthenticated attackers to take complete control of a server by creating a new admin user account or by generating an admin access token. 

Rapid7, whose researchers discovered the vulnerabilities, made public details of CVE-2024-27198 and CVE-2024-27199 a few hours after JetBrains announced fixes. 

Full disclosure seems to have occurred due to miscommunication between the two companies. Rapid7 was concerned that JetBrains would try to silently patch the vulnerabilities and the vendor was concerned that Rapid7 would disclose details too quickly. JetBrains informed customers about patches without notifying Rapid7, which decided to immediately disclose details.

This led to threat actors beginning to target CVE-2024-27198 shortly after disclosure on March 4. By March 6, LeakIX, a project that scans the web for vulnerable and misconfigured systems, started seeing mass exploitation, with signs of rogue user creation seen in 1,400 instances.

More information has now come to light on what attackers are actually doing. GuidePoint Security reported on Friday that a ransomware group named BianLian, which has been known to target critical infrastructure, may have exploited CVE-2024-27198 for initial access (it’s possible that the cybercriminals exploited a different TeamCity flaw). 

In a lengthy blog post published on Monday, JetBrains said many of its customers managed to install the patches before Rapid7 disclosed details and the attacks started, but many did not. 

Advertisement. Scroll to continue reading.

The company said it received reports from some customers whose servers had been compromised. Two customers allegedly saw their files being encrypted as part of ransomware attacks. One customer reported that attackers had hacked its TeamCity server and intended on abusing it for DDoS attacks.

JetBrains blamed Rapid7 for its customers’ systems getting hacked, highlighting that other vulnerabilities found previously in its products were not exploited as commonly or quickly as CVE-2024-27198.

Threat actors can reverse engineer a patch to create an exploit even if no information is available about the vulnerability, but JetBrains claims that in this case it took steps to make patch analysis more difficult, which would have given its customers more time to install the fixes before malicious exploitation started.

Related: Russian Cyberspies Exploiting TeamCity Vulnerability at Scale: Government Agencies

Related: Recently Patched TeamCity Vulnerability Exploited to Hack Servers

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Ransomware

A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Data Breaches

Sony shares information on the impact of two recent unrelated hacker attacks carried out by known ransomware groups. 

Ransomware

Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.