SecurityWeek

Malware & Threats
Recent TeamCity Vulnerability Exploited in Ransomware Attacks

Servers impacted by recently patched TeamCity vulnerability CVE-2024-27198 targeted in ransomware attacks and abused for DDoS.

A TeamCity vulnerability disclosed recently in controversial circumstances is being exploited in ransomware attacks, according to the product’s developer and cybersecurity companies. 

On March 4, JetBrains, the developer of the TeamCity build management and continuous integration server, announced fixes for CVE-2024-27198 and CVE-2024-27199, two serious authentication bypass vulnerabilities. 

CVE-2024-27198, which has been rated critical, can be exploited by remote, unauthenticated attackers to take complete control of a server by creating a new admin user account or by generating an admin access token. 

Rapid7, whose researchers discovered the vulnerabilities, made public details of CVE-2024-27198 and CVE-2024-27199 a few hours after JetBrains announced fixes. 

Full disclosure seems to have occurred due to miscommunication between the two companies. Rapid7 was concerned that JetBrains would try to silently patch the vulnerabilities and the vendor was concerned that Rapid7 would disclose details too quickly. JetBrains informed customers about patches without notifying Rapid7, which decided to immediately disclose details.

This led to threat actors beginning to target CVE-2024-27198 shortly after disclosure on March 4. By March 6, LeakIX, a project that scans the web for vulnerable and misconfigured systems, started seeing mass exploitation, with signs of rogue user creation seen in 1,400 instances.
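Because the reported sign of compromise is rogue admin users (and admin access tokens) appearing after the March 4 fix announcement, one practical defender check is to diff a server's current user and token inventory against a known-good baseline and flag any admin-level principal created on or after that date. The script below is an added example, not code from the article, JetBrains or Rapid7; the CSV export format, the role name, the baseline set and every row of sample data are constructed for illustration and do not reflect TeamCity's real export format.

```python
"""Added example (not from the article, JetBrains or Rapid7): flag admin
principals created after the CVE-2024-27198 fix was announced that are
missing from a known-good baseline. Export format and rows are constructed."""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Date JetBrains announced the fixes (from the article).
PATCH_ANNOUNCED = date(2024, 3, 4)

# Constructed inventory export: kind,name,created(YYYY-MM-DD),roles(;-separated).
# A real TeamCity export will look different; adapt parse_export() accordingly.
SAMPLE_EXPORT = """\
kind,name,created,roles
user,alice,2023-06-12,SYSTEM_ADMIN
user,bob,2023-09-30,PROJECT_DEVELOPER
user,svc-backup,2024-03-05,SYSTEM_ADMIN
token,alice-laptop,2024-01-10,SYSTEM_ADMIN
token,deploy-3f9a,2024-03-06,SYSTEM_ADMIN
user,carol,2024-03-07,PROJECT_DEVELOPER
"""

# Constructed baseline: principals the team knows it created itself.
BASELINE = {"alice", "bob", "alice-laptop", "carol"}

# Hypothetical role name used by this example to mean "full admin".
ADMIN_ROLE = "SYSTEM_ADMIN"


@dataclass(frozen=True)
class Principal:
    kind: str            # "user" or "token"
    name: str
    created: date
    roles: frozenset

    @property
    def is_admin(self) -> bool:
        return ADMIN_ROLE in self.roles


def parse_export(text: str) -> list:
    """Parse the constructed CSV export into Principal records."""
    principals = []
    for row in csv.DictReader(io.StringIO(text)):
        principals.append(Principal(
            kind=row["kind"].strip(),
            name=row["name"].strip(),
            created=date.fromisoformat(row["created"].strip()),
            roles=frozenset(r.strip() for r in row["roles"].split(";") if r.strip()),
        ))
    return principals


def suspicious_principals(principals, baseline, since=PATCH_ANNOUNCED) -> list:
    """Admin users/tokens created on or after `since` that nobody recognises.

    Anything returned here deserves manual review: either the baseline is
    stale, or the server gained an admin nobody intended it to have."""
    hits = [p for p in principals
            if p.is_admin and p.created >= since and p.name not in baseline]
    return sorted(hits, key=lambda p: (p.created, p.name))


def suspicious_names(export_text: str = SAMPLE_EXPORT, baseline=BASELINE) -> list:
    """Convenience wrapper returning just the names, oldest first."""
    return [p.name for p in suspicious_principals(parse_export(export_text), baseline)]


if __name__ == "__main__":
    for p in suspicious_principals(parse_export(SAMPLE_EXPORT), BASELINE):
        print(f"REVIEW {p.kind:5} {p.name:14} created {p.created} roles={sorted(p.roles)}")
```

Run it as-is and the two constructed post-patch admin principals (`svc-backup` and `deploy-3f9a`) are reported, while `carol` (not an admin) and `alice-laptop` (in the baseline) are not. In a real review, treat the baseline as an allowlist that must itself be maintained from change records, and pair the check with a look at the audit log around the same dates.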

More information has now come to light on what attackers are actually doing. GuidePoint Security reported on Friday that a ransomware group named BianLian, which has been known to target critical infrastructure, may have exploited CVE-2024-27198 for initial access (it’s possible that the cybercriminals exploited a different TeamCity flaw). 

In a lengthy blog post published on Monday, JetBrains said many of its customers managed to install the patches before Rapid7 disclosed details and the attacks started, but many did not. 


The company said it received reports from some customers whose servers had been compromised. Two customers allegedly saw their files being encrypted as part of ransomware attacks. One customer reported that attackers had hacked its TeamCity server and intended to abuse it for DDoS attacks.

JetBrains blamed Rapid7 for its customers’ systems getting hacked, highlighting that other vulnerabilities found previously in its products were not exploited as commonly or quickly as CVE-2024-27198.

Threat actors can reverse engineer a patch to create an exploit even if no information is available about the vulnerability, but JetBrains claims that in this case it took steps to make patch analysis more difficult, which would have given its customers more time to install the fixes before malicious exploitation started.

Related: Russian Cyberspies Exploiting TeamCity Vulnerability at Scale: Government Agencies

Related: Recently Patched TeamCity Vulnerability Exploited to Hack Servers

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
